diff --git a/elastic/security/challenges/security-indexing-querying.json b/elastic/security/challenges/security-indexing-querying.json
index 5aeb6de60..9e844ad12 100644
--- a/elastic/security/challenges/security-indexing-querying.json
+++ b/elastic/security/challenges/security-indexing-querying.json
@@ -31,6 +31,9 @@
 "operation-type": "composite",
 "param-source": "workflow-selector",
 "workflow": {{workflow | tojson }},
+ {% if p_index_mode == "logsdb" %}
+ "workflows-folder": "workflows-logsdb",
+ {% endif %}
 "task-offset": {{ loop.index }},
 "request-params": {{ query_request_params | default({}) | tojson(indent=2) }}
 },
diff --git a/elastic/security/tasks/index-setup.json b/elastic/security/tasks/index-setup.json
index 16f9d7cba..ff4becbdb 100644
--- a/elastic/security/tasks/index-setup.json
+++ b/elastic/security/tasks/index-setup.json
@@ -6,6 +6,7 @@
 "param-source": "add-track-path"
 }
 },
+{%- if lifecycle == "ilm" or (not lifecycle and build_flavor != "serverless") %}
 {
 "name": "insert-ilm",
 "tags": ["setup"],
@@ -14,6 +15,7 @@
 "param-source": "add-track-path"
 }
 },
+{%- endif -%}
 {
 "name": "delete-all-datastreams",
 "tags": ["setup"],
diff --git a/elastic/security/templates/composable/security-metricbeat.json b/elastic/security/templates/composable/security-metricbeat.json
index ba5edaf65..2f63b1955 100644
--- a/elastic/security/templates/composable/security-metricbeat.json
+++ b/elastic/security/templates/composable/security-metricbeat.json
@@ -14208,7 +14208,9 @@
 }
 },
 "message" : {
+ {% if index_mode != "logsdb" %}
 "copy_to" : "message",
+ {% endif %}
 "norms" : false,
 "type" : "text"
 },
diff --git a/elastic/security/track.json b/elastic/security/track.json
index dc27a5567..f776c1e4b 100644
--- a/elastic/security/track.json
+++ b/elastic/security/track.json
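Review bot: The key emitted here, `workflows-folder`, does not match the `workflow-folder` key that the track.json hunk at `@@ -50,6 +51,7 @@` in this same commit emits from `p_workflow_folder`, and the guard here tests `p_index_mode`, which no visible hunk sets or defaults. If the `workflow-selector` param source reads only one of the two spellings, the other is silently ignored; which one it reads is not visible from the diff. Deriving this value from the single track-level variable instead of hard-coding it, `"workflows-folder": {{ p_workflow_folder | tojson }},`, and setting `p_workflow_folder` to the logsdb folder under logsdb in track.json would leave one source of truth. The enclosing operation object starts and ends outside the hunk.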
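Review bot: `lifecycle` and `build_flavor` are compared without a `default(...)` in the new `{%- if %}` guard, unlike the parameters in track.json, which all go through `| default(...)`. With Jinja's default Undefined an unset `build_flavor` compares unequal to `"serverless"`, so the guard resolves to true whenever `lifecycle` is unset, and under StrictUndefined the render fails instead; whether Rally always injects `build_flavor` is not visible here. Making the fallback explicit, `{%- if lifecycle == "ilm" or (not lifecycle and (build_flavor | default('')) != "serverless") %}`, documents the intent and removes the dependence on Undefined comparison semantics. The matching `{%- endif -%}` in the second hunk of this file needs no change.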
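Review bot: This guard tests the raw `index_mode` variable while the challenge hunk in this commit tests `p_index_mode`; if track.json derives `p_index_mode` from `index_mode` with a default, the two conditions can disagree for the same run, and the defaulting logic is not visible in the diff. Using the same variable in both places, or passing `index_mode` through the same default in both, keeps the mapping and the workflow selection in step. A one-line Jinja comment above the guard stating why `copy_to` is dropped under logsdb would also help, since this is the only conditional inside a very large mapping and the reason is not recoverable from the hunk. The enclosing `message` property and its parent object extend outside the hunk.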
@@ -3,12 +3,13 @@
 {% set p_corpora_uri_base = (corpora_uri_base | default("https://rally-tracks.elastic.co")) %}
 {% set p_query_workflows = (query_workflows | default(["hosts", "overview", "network"])) %}
 {% set p_num_query_workflows = p_query_workflows | length %}
+{% set p_workflow_folder = workflow_folder | default('workflows') %}
 {% set p_workflow_time_interval = (workflow_time_interval | default(30)) %}
 {% set p_user_workflow_time = p_workflow_time_interval * p_num_query_workflows %}
 {% set p_bulk_indexing_clients = (bulk_indexing_clients | default(8))%}
 {% set p_number_of_shards = (number_of_shards | default(1)) %}
 {% set p_number_of_replicas = (number_of_replicas | default(1)) %}
-{% set p_skip_fleet_globals = (skip_fleet_globals | default(false) ) %}
+{% set p_skip_delete_component_template = (skip_delete_component_template | default(false) ) %}
 {% set p_integration_ratios = (integration_ratios | default({
 "auditbeat": {
 "corpora": {
@@ -50,6 +51,7 @@
 "wait-for-status": "{{ wait_for_status | default('green') }}",
 "force-data-generation": {{ force_data_generation | default(false) | tojson }},
 "detailed-results": {{ detailed_results | default(false) | tojson }},
+ "workflow-folder": {{ p_workflow_folder | default('workflows') | tojson }},
 "workflow-target": "{{ p_integration_ratios.keys() | list | join('-*,') ~ '-*' }}",
 "number-of-workflows": {{ p_num_query_workflows }},
 "raw-data-volume-per-day": "{{ raw_data_volume_per_day | default('0.1GB') }}",
@@ -101,7 +103,7 @@
 "name": "track-custom-mappings",
 "template": "./templates/component/track-custom-mappings.json"
 },
- {% if p_skip_fleet_globals == false %}
+ {% if p_skip_delete_component_template == false %}
 {
 "name": ".fleet_agent_id_verification-1",
 "template": "./templates/component/.fleet_agent_id_verification-1.json",
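Review bot: Replacing `p_skip_fleet_globals` with `p_skip_delete_component_template` also renames the user-facing track parameter from `skip_fleet_globals` to `skip_delete_component_template` with no fallback, so any existing invocation that still passes `skip_fleet_globals` silently gets the default `false` and the fleet component templates are installed again. Keeping the old name as a fallback is one line: `{% set p_skip_delete_component_template = (skip_delete_component_template | default(skip_fleet_globals | default(false))) %}`. The third hunk of this file and the hunk at `@@ -121,11 +123,13 @@` use the new name consistently and need no further change.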
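Review bot: `p_workflow_folder` is already defaulted to `'workflows'` where it is set in the first hunk of this file, so the second `| default('workflows')` on the new `"workflow-folder"` line is dead and invites the two defaults to drift apart. `"workflow-folder": {{ p_workflow_folder | tojson }},` is sufficient. The object this parameter belongs to starts and ends outside the hunk, so I cannot tell from here whether it is the track-level parameters block or a challenge-level one.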
@@ -121,11 +123,13 @@
 "name": "logs-endpoint.events.file@mappings",
 "template": "./templates/component/logs-endpoint.events.file@mappings.json"
 },
+ {% if p_skip_delete_component_template == false %}
 {
 "name": "logs-endpoint.events.file@package",
 "template": "./templates/component/logs-endpoint.events.file@package.json",
 "template-path": "component_template"
 },
+ {% endif %}
 {
 "name": "logs-endpoint.events.file@settings",
 "template": "./templates/component/logs-endpoint.events.file@settings.json"
diff --git a/elastic/security/workflows-logsdb/hosts/1.json b/elastic/security/workflows-logsdb/hosts/1.json
new file mode 100644
index 000000000..55439a783
--- /dev/null
+++ b/elastic/security/workflows-logsdb/hosts/1.json
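Review bot: The guard around `logs-endpoint.events.file@package` does not say why this particular component template is tied to a flag named after deleting component templates, and the same applies to the `.fleet_agent_id_verification-1` block guarded in the previous hunk of this file; the connection is not recoverable from the diff. A Jinja comment above each guard naming the reason would save the next reader a search, with `{# TODO(review): state why this template is skipped when skip_delete_component_template is set #}` as a placeholder until it is written. `{% if not p_skip_delete_component_template %}` also reads more naturally than `== false` in Jinja, though both evaluate the same for the boolean default.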
@@ -0,0 +1,985 @@ +{ + "name": "/app/security/*?{query}", + "id": "Opening the `Hosts` dashboard with a timespan set to `Today`", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.17639500000000002 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 1.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": 
"auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": 
"auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "query": { + "match_all": {} + }, + "_source": [ + "@timestamp" + ], + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.176845 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts- 1.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "hosts": { + "cardinality": { + "field": "host.name" + } + }, + "hosts_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "host.name" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + 
} + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.177153 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts- 1.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "authentication_success": { + "filter": { + "term": { + "event.outcome": "success" + } + } + }, + "authentication_success_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "success" + } + } + } + } + }, + "authentication_failure": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + }, + "authentication_failure_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.177427 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts- 1.4", + "operation-type": "search", + "index": 
"auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "unique_source_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + }, + "unique_destination_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "unique_destination_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.177762 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 1.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": 
"agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": 
"auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "host_count": { + "cardinality": { + "field": "host.name" + } + }, + "host_data": { + "terms": { + "size": 10, + "field": "host.name", + "order": { + "lastSeen": "desc" + } + }, + "aggs": { + "lastSeen": { + "max": { 
+ "field": "@timestamp" + } + }, + "os": { + "top_hits": { + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ], + "_source": { + "includes": [ + "host.os.*" + ] + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/10.json b/elastic/security/workflows-logsdb/hosts/10.json new file mode 100644 index 000000000..77b1b7ccb --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/10.json 
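Review bot: The new workflow file ends without a trailing newline (`\ No newline at end of file`) and its request names are spelled inconsistently: `hosts - 1.1` and `hosts - 1.5` use ` - ` while `hosts- 1.2`, `hosts- 1.3` and `hosts- 1.4` use `- `. Operation names presumably surface in the per-request results, so the uneven spelling makes these harder to line up against the equivalent requests in the default `workflows/hosts/1.json` that this file appears to duplicate for logsdb. What differs between the two copies is not visible from the diff, so a short note in the track, or a README in `workflows-logsdb/`, stating the intended delta would help keep the two sets from drifting apart.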
@@ -0,0 +1,1447 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `External alerts` sub-tab", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.15404900000000002 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 10.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.154792 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 10.2", + "operation-type": "search", + "index": 
"auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": 
"auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": 
"auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "producers": { + "terms": { + "field": "kibana.alert.rule.producer", + "exclude": [ + "alerts" + ] + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "match_all": {} + } + ] + } + }, + "from": 0, + "size": 25, + "track_total_hits": true, + "sort": [ + { + "@timestamp": { + "order": "desc", + "unmapped_type": "date" + } + } + ], + "fields": [ + { + "field": "@timestamp", + "include_unmapped": true + }, + { + "field": "event.module", + "include_unmapped": true + }, + { + "field": "event.dataset", + "include_unmapped": true + }, + { + "field": "event.category", + "include_unmapped": true + }, + { + "field": "event.severity", + "include_unmapped": true + }, + { + "field": "observer.name", + "include_unmapped": true + }, + { + "field": "host.name", + "include_unmapped": true + }, + { + "field": "kubernetes.event.message", + "include_unmapped": true + }, + { + "field": "agent.id", + "include_unmapped": true + }, + { + "field": "agent.type", + "include_unmapped": true + }, + { + "field": "kibana.alert.rule.consumer", + "include_unmapped": true + }, + { + "field": 
"signal.status", + "include_unmapped": true + }, + { + "field": "signal.group.id", + "include_unmapped": true + }, + { + "field": "signal.original_time", + "include_unmapped": true + }, + { + "field": "signal.reason", + "include_unmapped": true + }, + { + "field": "signal.rule.filters", + "include_unmapped": true + }, + { + "field": "signal.rule.from", + "include_unmapped": true + }, + { + "field": "signal.rule.language", + "include_unmapped": true + }, + { + "field": "signal.rule.query", + "include_unmapped": true + }, + { + "field": "signal.rule.name", + "include_unmapped": true + }, + { + "field": "signal.rule.to", + "include_unmapped": true + }, + { + "field": "signal.rule.id", + "include_unmapped": true + }, + { + "field": "signal.rule.index", + "include_unmapped": true + }, + { + "field": "signal.rule.type", + "include_unmapped": true + }, + { + "field": "signal.original_event.kind", + "include_unmapped": true + }, + { + "field": "signal.original_event.module", + "include_unmapped": true + }, + { + "field": "signal.rule.version", + "include_unmapped": true + }, + { + "field": "signal.rule.severity", + "include_unmapped": true + }, + { + "field": "signal.rule.risk_score", + "include_unmapped": true + }, + { + "field": "signal.threshold_result", + "include_unmapped": true + }, + { + "field": "event.code", + "include_unmapped": true + }, + { + "field": "event.action", + "include_unmapped": true + }, + { + "field": "user.name", + "include_unmapped": true + }, + { + "field": "source.ip", + "include_unmapped": true + }, + { + "field": "destination.ip", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.signature", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.method", + "include_unmapped": true + }, + { + "field": "system.audit.package.arch", + "include_unmapped": true + }, + { + "field": "system.audit.package.entity_id", + "include_unmapped": true + }, + { + "field": "system.audit.package.name", + "include_unmapped": true + }, + { + 
"field": "system.audit.package.size", + "include_unmapped": true + }, + { + "field": "system.audit.package.summary", + "include_unmapped": true + }, + { + "field": "system.audit.package.version", + "include_unmapped": true + }, + { + "field": "event.created", + "include_unmapped": true + }, + { + "field": "event.duration", + "include_unmapped": true + }, + { + "field": "event.end", + "include_unmapped": true + }, + { + "field": "event.hash", + "include_unmapped": true + }, + { + "field": "event.id", + "include_unmapped": true + }, + { + "field": "event.kind", + "include_unmapped": true + }, + { + "field": "event.original", + "include_unmapped": true + }, + { + "field": "event.outcome", + "include_unmapped": true + }, + { + "field": "event.risk_score", + "include_unmapped": true + }, + { + "field": "event.risk_score_norm", + "include_unmapped": true + }, + { + "field": "event.start", + "include_unmapped": true + }, + { + "field": "event.timezone", + "include_unmapped": true + }, + { + "field": "event.type", + "include_unmapped": true + }, + { + "field": "auditd.result", + "include_unmapped": true + }, + { + "field": "auditd.session", + "include_unmapped": true + }, + { + "field": "auditd.data.acct", + "include_unmapped": true + }, + { + "field": "auditd.data.terminal", + "include_unmapped": true + }, + { + "field": "auditd.data.op", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.type", + "include_unmapped": true + }, + { + "field": "auditd.summary.how", + "include_unmapped": true + }, + { + "field": "auditd.summary.message_type", + "include_unmapped": true + }, + { + "field": "auditd.summary.sequence", + "include_unmapped": 
true + }, + { + "field": "file.Ext.original.path", + "include_unmapped": true + }, + { + "field": "file.name", + "include_unmapped": true + }, + { + "field": "file.target_path", + "include_unmapped": true + }, + { + "field": "file.extension", + "include_unmapped": true + }, + { + "field": "file.type", + "include_unmapped": true + }, + { + "field": "file.device", + "include_unmapped": true + }, + { + "field": "file.inode", + "include_unmapped": true + }, + { + "field": "file.uid", + "include_unmapped": true + }, + { + "field": "file.owner", + "include_unmapped": true + }, + { + "field": "file.gid", + "include_unmapped": true + }, + { + "field": "file.group", + "include_unmapped": true + }, + { + "field": "file.mode", + "include_unmapped": true + }, + { + "field": "file.size", + "include_unmapped": true + }, + { + "field": "file.mtime", + "include_unmapped": true + }, + { + "field": "file.ctime", + "include_unmapped": true + }, + { + "field": "file.path", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.subject_name", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.trusted", + "include_unmapped": true + }, + { + "field": "file.hash.sha256", + "include_unmapped": true + }, + { + "field": "host.os.family", + "include_unmapped": true + }, + { + "field": "host.id", + "include_unmapped": true + }, + { + "field": "host.ip", + "include_unmapped": true + }, + { + "field": "registry.key", + "include_unmapped": true + }, + { + "field": "registry.path", + "include_unmapped": true + }, + { + "field": "rule.reference", + "include_unmapped": true + }, + { + "field": "source.bytes", + "include_unmapped": true + }, + { + "field": "source.packets", + "include_unmapped": true + }, + { + "field": "source.port", + "include_unmapped": true + }, + { + "field": "source.geo.continent_name", + "include_unmapped": true + }, + { + "field": "source.geo.country_name", + 
"include_unmapped": true + }, + { + "field": "source.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.city_name", + "include_unmapped": true + }, + { + "field": "source.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.region_name", + "include_unmapped": true + }, + { + "field": "destination.bytes", + "include_unmapped": true + }, + { + "field": "destination.packets", + "include_unmapped": true + }, + { + "field": "destination.port", + "include_unmapped": true + }, + { + "field": "destination.geo.continent_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.city_name", + "include_unmapped": true + }, + { + "field": "destination.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.region_name", + "include_unmapped": true + }, + { + "field": "dns.question.name", + "include_unmapped": true + }, + { + "field": "dns.question.type", + "include_unmapped": true + }, + { + "field": "dns.resolved_ip", + "include_unmapped": true + }, + { + "field": "dns.response_code", + "include_unmapped": true + }, + { + "field": "endgame.exit_code", + "include_unmapped": true + }, + { + "field": "endgame.file_name", + "include_unmapped": true + }, + { + "field": "endgame.file_path", + "include_unmapped": true + }, + { + "field": "endgame.logon_type", + "include_unmapped": true + }, + { + "field": "endgame.parent_process_name", + "include_unmapped": true + }, + { + "field": "endgame.pid", + "include_unmapped": true + }, + { + "field": "endgame.process_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.subject_user_name", + "include_unmapped": true + }, + { 
+ "field": "endgame.target_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.target_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.target_user_name", + "include_unmapped": true + }, + { + "field": "signal.rule.saved_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_title", + "include_unmapped": true + }, + { + "field": "signal.rule.output_index", + "include_unmapped": true + }, + { + "field": "signal.rule.note", + "include_unmapped": true + }, + { + "field": "signal.rule.threshold", + "include_unmapped": true + }, + { + "field": "signal.rule.exceptions_list", + "include_unmapped": true + }, + { + "field": "signal.rule.building_block_type", + "include_unmapped": true + }, + { + "field": "suricata.eve.proto", + "include_unmapped": true + }, + { + "field": "suricata.eve.flow_id", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature_id", + "include_unmapped": true + }, + { + "field": "network.bytes", + "include_unmapped": true + }, + { + "field": "network.community_id", + "include_unmapped": true + }, + { + "field": "network.direction", + "include_unmapped": true + }, + { + "field": "network.packets", + "include_unmapped": true + }, + { + "field": "network.protocol", + "include_unmapped": true + }, + { + "field": "network.transport", + "include_unmapped": true + }, + { + "field": "http.version", + "include_unmapped": true + }, + { + "field": "http.request.method", + "include_unmapped": true + }, + { + "field": "http.request.body.bytes", + "include_unmapped": true + }, + { + "field": "http.request.body.content", + "include_unmapped": true + }, + { + "field": "http.request.referrer", + "include_unmapped": true + }, + { + "field": "http.response.status_code", + "include_unmapped": true + }, + { + "field": "http.response.body.bytes", + 
"include_unmapped": true + }, + { + "field": "http.response.body.content", + "include_unmapped": true + }, + { + "field": "tls.client_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "tls.fingerprints.ja3.hash", + "include_unmapped": true + }, + { + "field": "tls.server_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "user.domain", + "include_unmapped": true + }, + { + "field": "winlog.event_id", + "include_unmapped": true + }, + { + "field": "process.exit_code", + "include_unmapped": true + }, + { + "field": "process.hash.md5", + "include_unmapped": true + }, + { + "field": "process.hash.sha1", + "include_unmapped": true + }, + { + "field": "process.hash.sha256", + "include_unmapped": true + }, + { + "field": "process.parent.name", + "include_unmapped": true + }, + { + "field": "process.parent.pid", + "include_unmapped": true + }, + { + "field": "process.pid", + "include_unmapped": true + }, + { + "field": "process.name", + "include_unmapped": true + }, + { + "field": "process.ppid", + "include_unmapped": true + }, + { + "field": "process.args", + "include_unmapped": true + }, + { + "field": "process.entity_id", + "include_unmapped": true + }, + { + "field": "process.executable", + "include_unmapped": true + }, + { + "field": "process.title", + "include_unmapped": true + }, + { + "field": "process.working_directory", + "include_unmapped": true + }, + { + "field": "zeek.session_id", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_resp", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.connection.missed_bytes", + "include_unmapped": true + }, + { + "field": "zeek.connection.state", + "include_unmapped": true + }, + { + "field": "zeek.connection.history", + "include_unmapped": true + }, + { + "field": "zeek.notice.suppress_for", + "include_unmapped": true + }, + { + "field": "zeek.notice.msg", + 
"include_unmapped": true + }, + { + "field": "zeek.notice.note", + "include_unmapped": true + }, + { + "field": "zeek.notice.sub", + "include_unmapped": true + }, + { + "field": "zeek.notice.dst", + "include_unmapped": true + }, + { + "field": "zeek.notice.dropped", + "include_unmapped": true + }, + { + "field": "zeek.notice.peer_descr", + "include_unmapped": true + }, + { + "field": "zeek.dns.AA", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.RD", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype", + "include_unmapped": true + }, + { + "field": "zeek.dns.query", + "include_unmapped": true + }, + { + "field": "zeek.dns.trans_id", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass", + "include_unmapped": true + }, + { + "field": "zeek.dns.RA", + "include_unmapped": true + }, + { + "field": "zeek.dns.TC", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_mime_types", + "include_unmapped": true + }, + { + "field": "zeek.http.trans_depth", + "include_unmapped": true + }, + { + "field": "zeek.http.status_msg", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_fuids", + "include_unmapped": true + }, + { + "field": "zeek.http.tags", + "include_unmapped": true + }, + { + "field": "zeek.files.session_ids", + "include_unmapped": true + }, + { + "field": "zeek.files.timedout", + "include_unmapped": true + }, + { + "field": "zeek.files.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.tx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.source", + "include_unmapped": true + }, + { + "field": "zeek.files.is_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.overflow_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.sha1", + "include_unmapped": true + }, + { + "field": "zeek.files.duration", + 
"include_unmapped": true + }, + { + "field": "zeek.files.depth", + "include_unmapped": true + }, + { + "field": "zeek.files.analyzers", + "include_unmapped": true + }, + { + "field": "zeek.files.mime_type", + "include_unmapped": true + }, + { + "field": "zeek.files.rx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.total_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.fuid", + "include_unmapped": true + }, + { + "field": "zeek.files.seen_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.missing_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.md5", + "include_unmapped": true + }, + { + "field": "zeek.ssl.cipher", + "include_unmapped": true + }, + { + "field": "zeek.ssl.established", + "include_unmapped": true + }, + { + "field": "zeek.ssl.resumed", + "include_unmapped": true + }, + { + "field": "zeek.ssl.version", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.atomic", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.field", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.type", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.reference", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.provider", + "include_unmapped": true + } + ], + "_source": [ + "signal.*" + ] + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/2.json b/elastic/security/workflows-logsdb/hosts/2.json new file mode 100644 index 000000000..4d394b1ed --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/2.json 
@@ -0,0 +1,989 @@ +{ + "name": "/app/security/*?{query}", + "id": "Set the time range to `now-24hr` to `now`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.217204 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 2.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + 
}, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + 
"field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "query": { + "match_all": {} + }, + "_source": [ + "@timestamp" + ], + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.21879200000000001 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 2.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "hosts": { + "cardinality": { + "field": "host.name" + } + }, + "hosts_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "host.name" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + 
}, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.22086699999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 2.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "authentication_success": { + "filter": { + "term": { + "event.outcome": "success" + } + } + }, + "authentication_success_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "success" + } + } + } + } + }, + "authentication_failure": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + }, + "authentication_failure_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.22239599999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 2.4", + "operation-type": "search", + "index": 
"auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "unique_source_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + }, + "unique_destination_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "unique_destination_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.223879 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 2.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": 
"agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": 
"auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "host_count": { + "cardinality": { + "field": "host.name" + } + }, + "host_data": { + "terms": { + "size": 10, + "field": "host.name", + "order": { + "lastSeen": "desc" + } + }, + "aggs": { + "lastSeen": { + "max": { 
+ "field": "@timestamp" + } + }, + "os": { + "top_hits": { + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ], + "_source": { + "includes": [ + "host.os.*" + ] + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/3.json b/elastic/security/workflows-logsdb/hosts/3.json new file mode 100644 index 000000000..5b57a2c1b --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/3.json 
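Review bot: The sleep durations in hosts/2.json carry float round-trip noise — `"duration": 0.21879200000000001`, `0.22086699999999998`, `0.22239599999999998` — which parse to the same doubles as `0.218792`, `0.220867`, `0.222396` but read as if the extra digits were intentional; the same appears in hosts/3.json (`0.18615299999999999`) and hosts/4.json (`0.19705799999999998`, `0.19733799999999999`). Writing the six-decimal values would make them consistent with the first request's `0.217204`, which is already in that form. hosts/2.json and hosts/3.json also end with `\ No newline at end of file`; a trailing newline keeps later diffs clean. Every query in the file pins `@timestamp` to a fixed window (`"gte": "2022-02-03T16:00:00.000Z"`, `"lte": "2022-02-04T16:00:00.000Z"`) while the `id` reads "Set the time range to `now-24hr` to `now`"; presumably the workflow-selector param source rewrites these bounds at run time, but nothing in the file says so, and a reader benchmarking freshly generated data would otherwise expect every query to match nothing. A sentence in the track README stating that the fixed bounds are placeholders rewritten by the param source would remove that ambiguity.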
@@ -0,0 +1,647 @@ +{ + "name": "POST /internal/bsearch", + "id": "Set the time range to `now-8hr` to `now`", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.184662 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 3.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "hosts": { + "cardinality": { + "field": "host.name" + } + }, + "hosts_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "host.name" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.185242 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 3.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "authentication_success": { + "filter": { + "term": { + "event.outcome": "success" + } + } + }, + "authentication_success_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, 
+ "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "success" + } + } + } + } + }, + "authentication_failure": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + }, + "authentication_failure_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.185644 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 3.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "unique_source_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + }, + "unique_destination_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "unique_destination_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { 
+ "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.18615299999999999 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 3.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": 
"auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + 
}, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "host_count": { + "cardinality": { + "field": "host.name" + } + }, + "host_data": { + "terms": { + "size": 10, + "field": "host.name", + "order": { + "lastSeen": "desc" + } + }, + "aggs": { + "lastSeen": { + "max": { + "field": "@timestamp" + } + }, + "os": { + "top_hits": { + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ], + "_source": { + "includes": [ + "host.os.*" + ] + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/4.json b/elastic/security/workflows-logsdb/hosts/4.json new file mode 100644 index 000000000..a0cddcbb5 --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/4.json 
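Review bot: hosts/3.json and hosts/4.json both carry `"name": "POST /internal/bsearch"` and differ at the top level only in the free-text `id` ("Set the time range to `now-8hr` to `now`" versus `now-1hr`), while hosts/2.json uses `"name": "/app/security/*?{query}"`; if anything downstream labels or groups workflow results by `name`, those two files are indistinguishable. The per-request names (`... - hosts - 3.1` and so on) are unique, so request-level metrics are unaffected; only the workflow-level label collides. Consider a distinct `name` per file, e.g. `"name": "POST /internal/bsearch (now-8hr)"`, and keep `id` as the human-readable description. The four request bodies here match requests 2.2–2.5 of hosts/2.json with only the `@timestamp` bounds and sleep durations changed, so any future change to an aggregation has to be replayed across all three logsdb files and their non-logsdb counterparts; that is worth noting in the README so the copies do not drift.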
@@ -0,0 +1,647 @@ +{ + "name": "POST /internal/bsearch", + "id": "Set the time range to `now-1hr` to `now`", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.196652 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 4.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "hosts": { + "cardinality": { + "field": "host.name" + } + }, + "hosts_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "host.name" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.19705799999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 4.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "authentication_success": { + "filter": { + "term": { + "event.outcome": "success" + } + } + }, + "authentication_success_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + 
"buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "success" + } + } + } + } + }, + "authentication_failure": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + }, + "authentication_failure_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "filter": { + "term": { + "event.outcome": "failure" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.19733799999999999 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 4.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "unique_source_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + }, + "unique_destination_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "unique_destination_ips_histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": 6 + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + 
"bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.197617 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 4.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": 
"auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + 
}, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "host_count": { + "cardinality": { + "field": "host.name" + } + }, + "host_data": { + "terms": { + "size": 10, + "field": "host.name", + "order": { + "lastSeen": "desc" + } + }, + "aggs": { + "lastSeen": { + "max": { + "field": "@timestamp" + } + }, + "os": { + "top_hits": { + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ], + "_source": { + "includes": [ + "host.os.*" + ] + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/5.json b/elastic/security/workflows-logsdb/hosts/5.json new file mode 100644 index 000000000..9d5697696 --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/5.json 
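Review bot: Request 4.4 sends a `docvalue_fields` list of roughly a hundred `auditd.data.*` entries together with `"size": 0`, so no hits are returned and the list adds only request-parsing cost; as far as I know the `os` top_hits sub-aggregation selects its output through its own `_source.includes`, not through top-level docvalue_fields. The same combination appears in 5.json request 5.2. If these bodies are meant to be verbatim Kibana captures that is worth keeping for fidelity, but nothing in the files says so; a short note in the track documentation naming the capture origin would stop a future cleanup from silently changing what the benchmark measures. All the new workflow files are also written without a trailing newline (`\ No newline at end of file`).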
@@ -0,0 +1,511 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `Authentications` sub-tab", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.173644 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 5.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.outcome", + "include": [ + "success", + "failure" + ], + "order": { + "_count": "desc" + }, + "size": 2 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "must": [ + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.174209 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 5.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + 
"body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + 
{ + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": 
"auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "user_count": { + "cardinality": { + "field": "user.name" + } + }, + "group_by_users": { + "terms": { + "size": 10, + "field": "user.name", + "order": [ + { + "successes.doc_count": "desc" + }, + { + "failures.doc_count": "desc" + } + ] + }, + "aggs": { + "failures": { + "filter": { + "term": { + "event.outcome": "failure" + } + }, + "aggs": { + "lastFailure": { + "top_hits": { + "size": 1, + "_source": [], + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + } + }, + "successes": { + "filter": { + "term": { + "event.outcome": "success" + } + }, + "aggs": { + "lastSuccess": { + "top_hits": { + "size": 1, + "_source": [], + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "term": { + "event.category": "authentication" + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/6.json b/elastic/security/workflows-logsdb/hosts/6.json new file mode 100644 index 000000000..fbfaf26a6 --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/6.json 
@@ -0,0 +1,224 @@
+{
+ "name": "/app/security/*?{query}",
+ "id": "Open `Uncommon processes` sub-tab",
+ "requests": [
+ {
+ "name": "sleep",
+ "operation-type": "sleep",
+ "duration": 0.171241
+ },
+ {
+ "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 6.1",
+ "operation-type": "search",
+ "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*",
+ "request-params": {
+ "batched_reduce_size": "64",
+ "ignore_unavailable": "true",
+ "track_total_hits": "false",
+ "allow_no_indices": "true",
+ "size": "0"
+ },
+ "body": {
+ "aggregations": {
+ "process_count": {
+ "cardinality": {
+ "field": "process.name"
+ }
+ },
+ "group_by_process": {
+ "terms": {
+ "size": 10,
+ "field": "process.name",
+ "order": [
+ {
+ "host_count": "asc"
+ },
+ {
+ "_count": "asc"
+ },
+ {
+ "_key": "asc"
+ }
+ ]
+ },
+ "aggregations": {
+ "process": {
+ "top_hits": {
+ "size": 1,
+ "sort": [
+ {
+ "@timestamp": {
+ "order": "desc"
+ }
+ }
+ ],
+ "_source": [
+ "process.args",
+ "process.name",
+ "user.id",
+ "user.name"
+ ]
+ }
+ },
+ "host_count": {
+ "cardinality": {
+ "field": "host.name"
+ }
+ },
+ "hosts": {
+ "terms": {
+ "field": "host.name"
+ },
+ "aggregations": {
+ "host": {
+ "top_hits": {
+ "size": 1,
+ "_source": []
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "query": {
+ "bool": {
+ "should": [
+ {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "agent.type": "auditbeat"
+ }
+ },
+ {
+ "term": {
+ "event.module": "auditd"
+ }
+ },
+ {
+ "term": {
+ "event.action": "executed"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "agent.type": "auditbeat"
+ }
+ },
+ {
+ "term": {
+ "event.module": "system"
+ }
+ },
+ {
+ "term": {
+ "event.dataset": "process"
+ }
+ },
+ {
+ "term": {
+ "event.action": "process_started"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "agent.type": "winlogbeat"
+ }
+ },
+ {
+ "term": {
+ "event.code": "4688"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "winlog.event_id": 1
+ }
+ },
+ {
+ "term": {
+ "winlog.channel": "Microsoft-Windows-Sysmon/Operational"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.type": "process_start"
+ }
+ },
+ {
+ "term": {
+ "event.category": "process"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "minimum_should_match": 1,
+ "filter": [
+ {
+ "bool": {
+ "must": [],
+ "filter": [],
+ "should": [],
+ "must_not": []
+ }
+ },
+ {
+ "range": {
+ "@timestamp": {
+ "gte": "2022-02-04T15:00:00.000Z",
+ "lte": "2022-02-04T16:00:00.000Z",
+ "format": "strict_date_optional_time"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/elastic/security/workflows-logsdb/hosts/7.json b/elastic/security/workflows-logsdb/hosts/7.json
new file mode 100644
index 000000000..7d0b58d48
--- /dev/null
+++ b/elastic/security/workflows-logsdb/hosts/7.json
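Review bot: 6.json's `requests` entries are flat objects (the `sleep` followed by the search), whereas 4.json, 5.json and 7.json wrap each pair in a `"stream": [ ... ]` array; if the workflow-selector executes a `stream` as one sequential unit and treats flat entries differently, this workflow will behave unlike its siblings for no visible reason. The search also passes `"size": "0"` through `request-params` as a string while the other files put `"size": 0` in the body; Elasticsearch accepts both, but the inconsistency makes the files harder to compare and to rewrite mechanically. Unless the difference is deliberate, I would align 6.json with the `stream` layout and body-level `size` used elsewhere.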
@@ -0,0 +1,96 @@
+{
+ "name": "/app/security/*?{query}",
+ "id": "Open `Anomalies` sub-tab",
+ "requests": [
+ {
+ "stream": [
+ {
+ "name": "sleep",
+ "operation-type": "sleep",
+ "duration": 1.630714
+ },
+ {
+ "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 7.1",
+ "operation-type": "search",
+ "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*",
+ "request-params": {
+ "batched_reduce_size": "64",
+ "ignore_unavailable": "true",
+ "track_total_hits": "true",
+ "allow_no_indices": "true"
+ },
+ "body": {
+ "aggs": {
+ "anomalyActionGroup": {
+ "terms": {
+ "field": "job_id",
+ "order": {
+ "_count": "desc"
+ },
+ "size": 10
+ },
+ "aggs": {
+ "anomalies": {
+ "date_histogram": {
+ "field": "timestamp",
+ "fixed_interval": "112500ms",
+ "min_doc_count": 0,
+ "extended_bounds": {
+ "min": 1643986800000,
+ "max": 1643990400000
+ }
+ }
+ }
+ }
+ }
+ },
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "bool": {
+ "must": [],
+ "filter": [
+ {
+ "bool": {
+ "should": [],
+ "minimum_should_match": 1
+ }
+ },
+ {
+ "match_phrase": {
+ "result_type": "record"
+ }
+ },
+ null,
+ {
+ "range": {
+ "record_score": {
+ "gte": 50
+ }
+ }
+ }
+ ],
+ "should": [],
+ "must_not": []
+ }
+ },
+ {
+ "range": {
+ "timestamp": {
+ "gte": "2022-02-04T15:00:00.000Z",
+ "lte": "2022-02-04T16:00:00.000Z",
+ "format": "strict_date_optional_time"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "size": 0
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/elastic/security/workflows-logsdb/hosts/8.json b/elastic/security/workflows-logsdb/hosts/8.json
new file mode 100644
index 000000000..dfc41fa7f
--- /dev/null
+++ b/elastic/security/workflows-logsdb/hosts/8.json
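Review bot: The inner `filter` array of request 7.1 contains a bare `null` element between the `match_phrase` and the `record_score` range clause, which reads like a recording artifact from Kibana's filter builder rather than an intended clause; I have not verified how Elasticsearch parses a `null` inside a bool clause array, so I would drop the `null,` line rather than rely on it being skipped. Separately, the query filters on `result_type`, `record_score`, `job_id` and `timestamp`, which are ML anomaly-result fields, while targeting the beats index pattern; unless the logsdb corpus contains such documents, the aggregation always runs over zero hits, which should be stated somewhere if measuring that empty path is the intent.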
@@ -0,0 +1,1365 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `Events` sub-tab", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.483325 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 8.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.action", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.484995 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 8.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": 
"@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + 
"field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "producers": { + "terms": { + "field": 
"kibana.alert.rule.producer", + "exclude": [ + "alerts" + ] + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "match_all": {} + } + ] + } + }, + "from": 0, + "size": 100, + "track_total_hits": true, + "sort": [ + { + "@timestamp": { + "order": "desc", + "unmapped_type": "date" + } + } + ], + "fields": [ + { + "field": "@timestamp", + "include_unmapped": true + }, + { + "field": "kubernetes.event.message", + "include_unmapped": true + }, + { + "field": "host.name", + "include_unmapped": true + }, + { + "field": "event.module", + "include_unmapped": true + }, + { + "field": "event.dataset", + "include_unmapped": true + }, + { + "field": "event.action", + "include_unmapped": true + }, + { + "field": "user.name", + "include_unmapped": true + }, + { + "field": "source.ip", + "include_unmapped": true + }, + { + "field": "destination.ip", + "include_unmapped": true + }, + { + "field": "kibana.alert.rule.consumer", + "include_unmapped": true + }, + { + "field": "signal.status", + "include_unmapped": true + }, + { + "field": "signal.group.id", + "include_unmapped": true + }, + { + "field": "signal.original_time", + "include_unmapped": true + }, + { + "field": "signal.reason", + "include_unmapped": true + }, + { + "field": "signal.rule.filters", + "include_unmapped": true + }, + { + "field": "signal.rule.from", + "include_unmapped": true + }, + { + "field": "signal.rule.language", + "include_unmapped": true + }, + { + "field": "signal.rule.query", + "include_unmapped": true + }, + { + "field": "signal.rule.name", + "include_unmapped": true + }, + { + "field": "signal.rule.to", + "include_unmapped": true + }, + { + "field": "signal.rule.id", + "include_unmapped": true + }, + { + "field": "signal.rule.index", + 
"include_unmapped": true + }, + { + "field": "signal.rule.type", + "include_unmapped": true + }, + { + "field": "signal.original_event.kind", + "include_unmapped": true + }, + { + "field": "signal.original_event.module", + "include_unmapped": true + }, + { + "field": "signal.rule.version", + "include_unmapped": true + }, + { + "field": "signal.rule.severity", + "include_unmapped": true + }, + { + "field": "signal.rule.risk_score", + "include_unmapped": true + }, + { + "field": "signal.threshold_result", + "include_unmapped": true + }, + { + "field": "event.code", + "include_unmapped": true + }, + { + "field": "event.category", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.signature", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.method", + "include_unmapped": true + }, + { + "field": "system.audit.package.arch", + "include_unmapped": true + }, + { + "field": "system.audit.package.entity_id", + "include_unmapped": true + }, + { + "field": "system.audit.package.name", + "include_unmapped": true + }, + { + "field": "system.audit.package.size", + "include_unmapped": true + }, + { + "field": "system.audit.package.summary", + "include_unmapped": true + }, + { + "field": "system.audit.package.version", + "include_unmapped": true + }, + { + "field": "event.created", + "include_unmapped": true + }, + { + "field": "event.duration", + "include_unmapped": true + }, + { + "field": "event.end", + "include_unmapped": true + }, + { + "field": "event.hash", + "include_unmapped": true + }, + { + "field": "event.id", + "include_unmapped": true + }, + { + "field": "event.kind", + "include_unmapped": true + }, + { + "field": "event.original", + "include_unmapped": true + }, + { + "field": "event.outcome", + "include_unmapped": true + }, + { + "field": "event.risk_score", + "include_unmapped": true + }, + { + "field": "event.risk_score_norm", + "include_unmapped": true + }, + { + "field": "event.severity", + "include_unmapped": true + }, + { + 
"field": "event.start", + "include_unmapped": true + }, + { + "field": "event.timezone", + "include_unmapped": true + }, + { + "field": "event.type", + "include_unmapped": true + }, + { + "field": "agent.type", + "include_unmapped": true + }, + { + "field": "auditd.result", + "include_unmapped": true + }, + { + "field": "auditd.session", + "include_unmapped": true + }, + { + "field": "auditd.data.acct", + "include_unmapped": true + }, + { + "field": "auditd.data.terminal", + "include_unmapped": true + }, + { + "field": "auditd.data.op", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.type", + "include_unmapped": true + }, + { + "field": "auditd.summary.how", + "include_unmapped": true + }, + { + "field": "auditd.summary.message_type", + "include_unmapped": true + }, + { + "field": "auditd.summary.sequence", + "include_unmapped": true + }, + { + "field": "file.Ext.original.path", + "include_unmapped": true + }, + { + "field": "file.name", + "include_unmapped": true + }, + { + "field": "file.target_path", + "include_unmapped": true + }, + { + "field": "file.extension", + "include_unmapped": true + }, + { + "field": "file.type", + "include_unmapped": true + }, + { + "field": "file.device", + "include_unmapped": true + }, + { + "field": "file.inode", + "include_unmapped": true + }, + { + "field": "file.uid", + "include_unmapped": true + }, + { + "field": "file.owner", + "include_unmapped": true + }, + { + "field": "file.gid", + "include_unmapped": true + }, + { + "field": "file.group", + "include_unmapped": true + }, + { + "field": "file.mode", + "include_unmapped": true + }, + { + "field": "file.size", + "include_unmapped": true + 
}, + { + "field": "file.mtime", + "include_unmapped": true + }, + { + "field": "file.ctime", + "include_unmapped": true + }, + { + "field": "file.path", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.subject_name", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.trusted", + "include_unmapped": true + }, + { + "field": "file.hash.sha256", + "include_unmapped": true + }, + { + "field": "host.os.family", + "include_unmapped": true + }, + { + "field": "host.id", + "include_unmapped": true + }, + { + "field": "host.ip", + "include_unmapped": true + }, + { + "field": "registry.key", + "include_unmapped": true + }, + { + "field": "registry.path", + "include_unmapped": true + }, + { + "field": "rule.reference", + "include_unmapped": true + }, + { + "field": "source.bytes", + "include_unmapped": true + }, + { + "field": "source.packets", + "include_unmapped": true + }, + { + "field": "source.port", + "include_unmapped": true + }, + { + "field": "source.geo.continent_name", + "include_unmapped": true + }, + { + "field": "source.geo.country_name", + "include_unmapped": true + }, + { + "field": "source.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.city_name", + "include_unmapped": true + }, + { + "field": "source.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.region_name", + "include_unmapped": true + }, + { + "field": "destination.bytes", + "include_unmapped": true + }, + { + "field": "destination.packets", + "include_unmapped": true + }, + { + "field": "destination.port", + "include_unmapped": true + }, + { + "field": "destination.geo.continent_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.city_name", 
+ "include_unmapped": true + }, + { + "field": "destination.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.region_name", + "include_unmapped": true + }, + { + "field": "dns.question.name", + "include_unmapped": true + }, + { + "field": "dns.question.type", + "include_unmapped": true + }, + { + "field": "dns.resolved_ip", + "include_unmapped": true + }, + { + "field": "dns.response_code", + "include_unmapped": true + }, + { + "field": "endgame.exit_code", + "include_unmapped": true + }, + { + "field": "endgame.file_name", + "include_unmapped": true + }, + { + "field": "endgame.file_path", + "include_unmapped": true + }, + { + "field": "endgame.logon_type", + "include_unmapped": true + }, + { + "field": "endgame.parent_process_name", + "include_unmapped": true + }, + { + "field": "endgame.pid", + "include_unmapped": true + }, + { + "field": "endgame.process_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.subject_user_name", + "include_unmapped": true + }, + { + "field": "endgame.target_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.target_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.target_user_name", + "include_unmapped": true + }, + { + "field": "signal.rule.saved_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_title", + "include_unmapped": true + }, + { + "field": "signal.rule.output_index", + "include_unmapped": true + }, + { + "field": "signal.rule.note", + "include_unmapped": true + }, + { + "field": "signal.rule.threshold", + "include_unmapped": true + }, + { + "field": "signal.rule.exceptions_list", + "include_unmapped": true + }, + { + "field": "signal.rule.building_block_type", + "include_unmapped": true + }, + 
{ + "field": "suricata.eve.proto", + "include_unmapped": true + }, + { + "field": "suricata.eve.flow_id", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature_id", + "include_unmapped": true + }, + { + "field": "network.bytes", + "include_unmapped": true + }, + { + "field": "network.community_id", + "include_unmapped": true + }, + { + "field": "network.direction", + "include_unmapped": true + }, + { + "field": "network.packets", + "include_unmapped": true + }, + { + "field": "network.protocol", + "include_unmapped": true + }, + { + "field": "network.transport", + "include_unmapped": true + }, + { + "field": "http.version", + "include_unmapped": true + }, + { + "field": "http.request.method", + "include_unmapped": true + }, + { + "field": "http.request.body.bytes", + "include_unmapped": true + }, + { + "field": "http.request.body.content", + "include_unmapped": true + }, + { + "field": "http.request.referrer", + "include_unmapped": true + }, + { + "field": "http.response.status_code", + "include_unmapped": true + }, + { + "field": "http.response.body.bytes", + "include_unmapped": true + }, + { + "field": "http.response.body.content", + "include_unmapped": true + }, + { + "field": "tls.client_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "tls.fingerprints.ja3.hash", + "include_unmapped": true + }, + { + "field": "tls.server_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "user.domain", + "include_unmapped": true + }, + { + "field": "winlog.event_id", + "include_unmapped": true + }, + { + "field": "process.exit_code", + "include_unmapped": true + }, + { + "field": "process.hash.md5", + "include_unmapped": true + }, + { + "field": "process.hash.sha1", + "include_unmapped": true + }, + { + "field": "process.hash.sha256", + "include_unmapped": true + }, + { + "field": "process.parent.name", + 
"include_unmapped": true + }, + { + "field": "process.parent.pid", + "include_unmapped": true + }, + { + "field": "process.pid", + "include_unmapped": true + }, + { + "field": "process.name", + "include_unmapped": true + }, + { + "field": "process.ppid", + "include_unmapped": true + }, + { + "field": "process.args", + "include_unmapped": true + }, + { + "field": "process.entity_id", + "include_unmapped": true + }, + { + "field": "process.executable", + "include_unmapped": true + }, + { + "field": "process.title", + "include_unmapped": true + }, + { + "field": "process.working_directory", + "include_unmapped": true + }, + { + "field": "zeek.session_id", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_resp", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.connection.missed_bytes", + "include_unmapped": true + }, + { + "field": "zeek.connection.state", + "include_unmapped": true + }, + { + "field": "zeek.connection.history", + "include_unmapped": true + }, + { + "field": "zeek.notice.suppress_for", + "include_unmapped": true + }, + { + "field": "zeek.notice.msg", + "include_unmapped": true + }, + { + "field": "zeek.notice.note", + "include_unmapped": true + }, + { + "field": "zeek.notice.sub", + "include_unmapped": true + }, + { + "field": "zeek.notice.dst", + "include_unmapped": true + }, + { + "field": "zeek.notice.dropped", + "include_unmapped": true + }, + { + "field": "zeek.notice.peer_descr", + "include_unmapped": true + }, + { + "field": "zeek.dns.AA", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.RD", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype", + "include_unmapped": true + }, + { + "field": "zeek.dns.query", + "include_unmapped": true + }, + { + "field": "zeek.dns.trans_id", + 
"include_unmapped": true + }, + { + "field": "zeek.dns.qclass", + "include_unmapped": true + }, + { + "field": "zeek.dns.RA", + "include_unmapped": true + }, + { + "field": "zeek.dns.TC", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_mime_types", + "include_unmapped": true + }, + { + "field": "zeek.http.trans_depth", + "include_unmapped": true + }, + { + "field": "zeek.http.status_msg", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_fuids", + "include_unmapped": true + }, + { + "field": "zeek.http.tags", + "include_unmapped": true + }, + { + "field": "zeek.files.session_ids", + "include_unmapped": true + }, + { + "field": "zeek.files.timedout", + "include_unmapped": true + }, + { + "field": "zeek.files.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.tx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.source", + "include_unmapped": true + }, + { + "field": "zeek.files.is_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.overflow_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.sha1", + "include_unmapped": true + }, + { + "field": "zeek.files.duration", + "include_unmapped": true + }, + { + "field": "zeek.files.depth", + "include_unmapped": true + }, + { + "field": "zeek.files.analyzers", + "include_unmapped": true + }, + { + "field": "zeek.files.mime_type", + "include_unmapped": true + }, + { + "field": "zeek.files.rx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.total_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.fuid", + "include_unmapped": true + }, + { + "field": "zeek.files.seen_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.missing_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.md5", + "include_unmapped": true + }, + { + "field": "zeek.ssl.cipher", + "include_unmapped": true + }, + { + "field": "zeek.ssl.established", + "include_unmapped": true + }, + { + "field": 
"zeek.ssl.resumed", + "include_unmapped": true + }, + { + "field": "zeek.ssl.version", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.atomic", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.field", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.type", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.reference", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.provider", + "include_unmapped": true + } + ], + "_source": [ + "signal.*" + ] + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/9.json b/elastic/security/workflows-logsdb/hosts/9.json new file mode 100644 index 000000000..2f639c006 --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/9.json 
@@ -0,0 +1,1294 @@ +{ + "name": "POST /internal/bsearch", + "id": "Change number of events displayed to `25`", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.191965 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - hosts - 9.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": 
"auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": 
"auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "producers": { + "terms": { + "field": "kibana.alert.rule.producer", + "exclude": [ + "alerts" + ] + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "match_all": {} + } + ] + } + }, + "from": 0, + "size": 25, + "track_total_hits": true, + "sort": [ + { + "@timestamp": { + "order": "desc", + "unmapped_type": "date" + } + } + ], + "fields": [ + { + "field": "@timestamp", + "include_unmapped": true + }, + { + "field": "kubernetes.event.message", + "include_unmapped": true + }, + { + "field": "host.name", + "include_unmapped": true + }, + { + "field": "event.module", + "include_unmapped": true + }, + { + "field": "event.dataset", + "include_unmapped": true + }, + { + "field": "event.action", + "include_unmapped": true + }, + { + "field": "user.name", + "include_unmapped": true + }, + { + "field": "source.ip", + "include_unmapped": true + }, + { + "field": "destination.ip", + "include_unmapped": true + }, + { + "field": "kibana.alert.rule.consumer", + "include_unmapped": true + }, + { + 
"field": "signal.status", + "include_unmapped": true + }, + { + "field": "signal.group.id", + "include_unmapped": true + }, + { + "field": "signal.original_time", + "include_unmapped": true + }, + { + "field": "signal.reason", + "include_unmapped": true + }, + { + "field": "signal.rule.filters", + "include_unmapped": true + }, + { + "field": "signal.rule.from", + "include_unmapped": true + }, + { + "field": "signal.rule.language", + "include_unmapped": true + }, + { + "field": "signal.rule.query", + "include_unmapped": true + }, + { + "field": "signal.rule.name", + "include_unmapped": true + }, + { + "field": "signal.rule.to", + "include_unmapped": true + }, + { + "field": "signal.rule.id", + "include_unmapped": true + }, + { + "field": "signal.rule.index", + "include_unmapped": true + }, + { + "field": "signal.rule.type", + "include_unmapped": true + }, + { + "field": "signal.original_event.kind", + "include_unmapped": true + }, + { + "field": "signal.original_event.module", + "include_unmapped": true + }, + { + "field": "signal.rule.version", + "include_unmapped": true + }, + { + "field": "signal.rule.severity", + "include_unmapped": true + }, + { + "field": "signal.rule.risk_score", + "include_unmapped": true + }, + { + "field": "signal.threshold_result", + "include_unmapped": true + }, + { + "field": "event.code", + "include_unmapped": true + }, + { + "field": "event.category", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.signature", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.method", + "include_unmapped": true + }, + { + "field": "system.audit.package.arch", + "include_unmapped": true + }, + { + "field": "system.audit.package.entity_id", + "include_unmapped": true + }, + { + "field": "system.audit.package.name", + "include_unmapped": true + }, + { + "field": "system.audit.package.size", + "include_unmapped": true + }, + { + "field": "system.audit.package.summary", + "include_unmapped": true + }, + { + "field": 
"system.audit.package.version", + "include_unmapped": true + }, + { + "field": "event.created", + "include_unmapped": true + }, + { + "field": "event.duration", + "include_unmapped": true + }, + { + "field": "event.end", + "include_unmapped": true + }, + { + "field": "event.hash", + "include_unmapped": true + }, + { + "field": "event.id", + "include_unmapped": true + }, + { + "field": "event.kind", + "include_unmapped": true + }, + { + "field": "event.original", + "include_unmapped": true + }, + { + "field": "event.outcome", + "include_unmapped": true + }, + { + "field": "event.risk_score", + "include_unmapped": true + }, + { + "field": "event.risk_score_norm", + "include_unmapped": true + }, + { + "field": "event.severity", + "include_unmapped": true + }, + { + "field": "event.start", + "include_unmapped": true + }, + { + "field": "event.timezone", + "include_unmapped": true + }, + { + "field": "event.type", + "include_unmapped": true + }, + { + "field": "agent.type", + "include_unmapped": true + }, + { + "field": "auditd.result", + "include_unmapped": true + }, + { + "field": "auditd.session", + "include_unmapped": true + }, + { + "field": "auditd.data.acct", + "include_unmapped": true + }, + { + "field": "auditd.data.terminal", + "include_unmapped": true + }, + { + "field": "auditd.data.op", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.type", + "include_unmapped": true + }, + { + "field": "auditd.summary.how", + "include_unmapped": true + }, + { + "field": "auditd.summary.message_type", + "include_unmapped": true + }, + { + "field": "auditd.summary.sequence", + "include_unmapped": true + }, + { + "field": 
"file.Ext.original.path", + "include_unmapped": true + }, + { + "field": "file.name", + "include_unmapped": true + }, + { + "field": "file.target_path", + "include_unmapped": true + }, + { + "field": "file.extension", + "include_unmapped": true + }, + { + "field": "file.type", + "include_unmapped": true + }, + { + "field": "file.device", + "include_unmapped": true + }, + { + "field": "file.inode", + "include_unmapped": true + }, + { + "field": "file.uid", + "include_unmapped": true + }, + { + "field": "file.owner", + "include_unmapped": true + }, + { + "field": "file.gid", + "include_unmapped": true + }, + { + "field": "file.group", + "include_unmapped": true + }, + { + "field": "file.mode", + "include_unmapped": true + }, + { + "field": "file.size", + "include_unmapped": true + }, + { + "field": "file.mtime", + "include_unmapped": true + }, + { + "field": "file.ctime", + "include_unmapped": true + }, + { + "field": "file.path", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.subject_name", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.trusted", + "include_unmapped": true + }, + { + "field": "file.hash.sha256", + "include_unmapped": true + }, + { + "field": "host.os.family", + "include_unmapped": true + }, + { + "field": "host.id", + "include_unmapped": true + }, + { + "field": "host.ip", + "include_unmapped": true + }, + { + "field": "registry.key", + "include_unmapped": true + }, + { + "field": "registry.path", + "include_unmapped": true + }, + { + "field": "rule.reference", + "include_unmapped": true + }, + { + "field": "source.bytes", + "include_unmapped": true + }, + { + "field": "source.packets", + "include_unmapped": true + }, + { + "field": "source.port", + "include_unmapped": true + }, + { + "field": "source.geo.continent_name", + "include_unmapped": true + }, + { + "field": "source.geo.country_name", + "include_unmapped": true + }, + 
{ + "field": "source.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.city_name", + "include_unmapped": true + }, + { + "field": "source.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.region_name", + "include_unmapped": true + }, + { + "field": "destination.bytes", + "include_unmapped": true + }, + { + "field": "destination.packets", + "include_unmapped": true + }, + { + "field": "destination.port", + "include_unmapped": true + }, + { + "field": "destination.geo.continent_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.city_name", + "include_unmapped": true + }, + { + "field": "destination.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.region_name", + "include_unmapped": true + }, + { + "field": "dns.question.name", + "include_unmapped": true + }, + { + "field": "dns.question.type", + "include_unmapped": true + }, + { + "field": "dns.resolved_ip", + "include_unmapped": true + }, + { + "field": "dns.response_code", + "include_unmapped": true + }, + { + "field": "endgame.exit_code", + "include_unmapped": true + }, + { + "field": "endgame.file_name", + "include_unmapped": true + }, + { + "field": "endgame.file_path", + "include_unmapped": true + }, + { + "field": "endgame.logon_type", + "include_unmapped": true + }, + { + "field": "endgame.parent_process_name", + "include_unmapped": true + }, + { + "field": "endgame.pid", + "include_unmapped": true + }, + { + "field": "endgame.process_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.subject_user_name", + "include_unmapped": true + }, + { + "field": 
"endgame.target_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.target_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.target_user_name", + "include_unmapped": true + }, + { + "field": "signal.rule.saved_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_title", + "include_unmapped": true + }, + { + "field": "signal.rule.output_index", + "include_unmapped": true + }, + { + "field": "signal.rule.note", + "include_unmapped": true + }, + { + "field": "signal.rule.threshold", + "include_unmapped": true + }, + { + "field": "signal.rule.exceptions_list", + "include_unmapped": true + }, + { + "field": "signal.rule.building_block_type", + "include_unmapped": true + }, + { + "field": "suricata.eve.proto", + "include_unmapped": true + }, + { + "field": "suricata.eve.flow_id", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature_id", + "include_unmapped": true + }, + { + "field": "network.bytes", + "include_unmapped": true + }, + { + "field": "network.community_id", + "include_unmapped": true + }, + { + "field": "network.direction", + "include_unmapped": true + }, + { + "field": "network.packets", + "include_unmapped": true + }, + { + "field": "network.protocol", + "include_unmapped": true + }, + { + "field": "network.transport", + "include_unmapped": true + }, + { + "field": "http.version", + "include_unmapped": true + }, + { + "field": "http.request.method", + "include_unmapped": true + }, + { + "field": "http.request.body.bytes", + "include_unmapped": true + }, + { + "field": "http.request.body.content", + "include_unmapped": true + }, + { + "field": "http.request.referrer", + "include_unmapped": true + }, + { + "field": "http.response.status_code", + "include_unmapped": true + }, + { + "field": "http.response.body.bytes", + 
"include_unmapped": true + }, + { + "field": "http.response.body.content", + "include_unmapped": true + }, + { + "field": "tls.client_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "tls.fingerprints.ja3.hash", + "include_unmapped": true + }, + { + "field": "tls.server_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "user.domain", + "include_unmapped": true + }, + { + "field": "winlog.event_id", + "include_unmapped": true + }, + { + "field": "process.exit_code", + "include_unmapped": true + }, + { + "field": "process.hash.md5", + "include_unmapped": true + }, + { + "field": "process.hash.sha1", + "include_unmapped": true + }, + { + "field": "process.hash.sha256", + "include_unmapped": true + }, + { + "field": "process.parent.name", + "include_unmapped": true + }, + { + "field": "process.parent.pid", + "include_unmapped": true + }, + { + "field": "process.pid", + "include_unmapped": true + }, + { + "field": "process.name", + "include_unmapped": true + }, + { + "field": "process.ppid", + "include_unmapped": true + }, + { + "field": "process.args", + "include_unmapped": true + }, + { + "field": "process.entity_id", + "include_unmapped": true + }, + { + "field": "process.executable", + "include_unmapped": true + }, + { + "field": "process.title", + "include_unmapped": true + }, + { + "field": "process.working_directory", + "include_unmapped": true + }, + { + "field": "zeek.session_id", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_resp", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.connection.missed_bytes", + "include_unmapped": true + }, + { + "field": "zeek.connection.state", + "include_unmapped": true + }, + { + "field": "zeek.connection.history", + "include_unmapped": true + }, + { + "field": "zeek.notice.suppress_for", + "include_unmapped": true + }, + { + "field": "zeek.notice.msg", + 
"include_unmapped": true + }, + { + "field": "zeek.notice.note", + "include_unmapped": true + }, + { + "field": "zeek.notice.sub", + "include_unmapped": true + }, + { + "field": "zeek.notice.dst", + "include_unmapped": true + }, + { + "field": "zeek.notice.dropped", + "include_unmapped": true + }, + { + "field": "zeek.notice.peer_descr", + "include_unmapped": true + }, + { + "field": "zeek.dns.AA", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.RD", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype", + "include_unmapped": true + }, + { + "field": "zeek.dns.query", + "include_unmapped": true + }, + { + "field": "zeek.dns.trans_id", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass", + "include_unmapped": true + }, + { + "field": "zeek.dns.RA", + "include_unmapped": true + }, + { + "field": "zeek.dns.TC", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_mime_types", + "include_unmapped": true + }, + { + "field": "zeek.http.trans_depth", + "include_unmapped": true + }, + { + "field": "zeek.http.status_msg", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_fuids", + "include_unmapped": true + }, + { + "field": "zeek.http.tags", + "include_unmapped": true + }, + { + "field": "zeek.files.session_ids", + "include_unmapped": true + }, + { + "field": "zeek.files.timedout", + "include_unmapped": true + }, + { + "field": "zeek.files.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.tx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.source", + "include_unmapped": true + }, + { + "field": "zeek.files.is_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.overflow_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.sha1", + "include_unmapped": true + }, + { + "field": "zeek.files.duration", + 
"include_unmapped": true + }, + { + "field": "zeek.files.depth", + "include_unmapped": true + }, + { + "field": "zeek.files.analyzers", + "include_unmapped": true + }, + { + "field": "zeek.files.mime_type", + "include_unmapped": true + }, + { + "field": "zeek.files.rx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.total_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.fuid", + "include_unmapped": true + }, + { + "field": "zeek.files.seen_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.missing_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.md5", + "include_unmapped": true + }, + { + "field": "zeek.ssl.cipher", + "include_unmapped": true + }, + { + "field": "zeek.ssl.established", + "include_unmapped": true + }, + { + "field": "zeek.ssl.resumed", + "include_unmapped": true + }, + { + "field": "zeek.ssl.version", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.atomic", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.field", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.type", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.reference", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.provider", + "include_unmapped": true + } + ], + "_source": [ + "signal.*" + ] + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/hosts/README.md b/elastic/security/workflows-logsdb/hosts/README.md new file mode 100644 index 000000000..f38f4332e --- /dev/null +++ b/elastic/security/workflows-logsdb/hosts/README.md 
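Review bot: Nothing in `workflows-logsdb/hosts/9.json` or in the README added alongside it records what makes this file a logsdb variant; it looks like a full copy of an existing hosts workflow (the original is not visible here), so the two workflow folders will drift silently the next time the base recording is changed. Because the JSON itself cannot carry a comment, I would put the difference in the README added in this commit, e.g. `These recordings mirror the hosts workflows in ../../workflows with <logsdb-specific difference> removed; keep both folders in sync.`, with the placeholder filled in by the author. The same applies to the other workflow files added under `workflows-logsdb/` in this commit, including the `network/1.json` hunk that starts after this one.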
@@ -0,0 +1,13 @@ +This workflow represents a user using the Hosts dashboard from the Security application in Kibana. +Specifically this involves executing the following steps: + +1. Opening the `Hosts` dashboard with a timespan set to `Today` +2. Set the time range to `now-24hr` to `now` +3. Set the time range to `now-8hr` to `now` +4. Set the time range to `now-1hr` to `now` +5. Open `Authentications` sub-tab +6. Open `Uncommon processes` sub-tab +7. Open `Anomalies` sub-tab +8. Open `Events` sub-tab +9. Change number of events displayed to `25` +10. Open `External alerts` sub-tab diff --git a/elastic/security/workflows-logsdb/network/1.json b/elastic/security/workflows-logsdb/network/1.json new file mode 100644 index 000000000..2a2bcc042 --- /dev/null +++ b/elastic/security/workflows-logsdb/network/1.json 
@@ -0,0 +1,1497 @@ +{ + "name": "/app/security/*?{query}", + "id": "Opening the `Network` dashboard with a timespan set to `Today`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.22430699999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + 
{ + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": 
"auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "query": { + "match_all": {} + }, + "_source": [ + "@timestamp" + ], + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.225631 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": 
"sleep", + "operation-type": "sleep", + "duration": 0.22732400000000003 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "dns.question.name" + } + }, + { + "term": { + "suricata.eve.dns.type": { + "value": "query" + } + } + }, + { + "exists": { + "field": "zeek.dns.query" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.23308 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_id": { + "cardinality": { + "field": "network.community_id" + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } 
+ ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.234657 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "tls.version" + } + }, + { + "exists": { + "field": "suricata.eve.tls.version" + } + }, + { + "exists": { + "field": "zeek.ssl.version" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.235572 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.6", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + 
"track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "source": { + "filter": { + "bool": { + "should": [ + { + "term": { + "source.ip": "10.0.0.0/8" + } + }, + { + "term": { + "source.ip": "192.168.0.0/16" + } + }, + { + "term": { + "source.ip": "172.16.0.0/12" + } + }, + { + "term": { + "source.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + } + } + }, + "destination": { + "filter": { + "bool": { + "should": [ + { + "term": { + "destination.ip": "10.0.0.0/8" + } + }, + { + "term": { + "destination.ip": "192.168.0.0/16" + } + }, + { + "term": { + "destination.ip": "172.16.0.0/12" + } + }, + { + "term": { + "destination.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.23802199999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.7", + "operation-type": "search", + "index": 
"auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "source.ip" + } + }, + "source": { + "terms": { + "field": "source.ip", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "domain": { + "terms": { + "field": "source.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "source.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "source.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "source.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.240708 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.8", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", 
+ "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "destination.ip" + } + }, + "destination": { + "terms": { + "field": "destination.ip", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "domain": { + "terms": { + "field": "destination.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "destination.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "destination.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.245028 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.9", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", 
+ "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "source.geo.country_iso_code" + } + }, + "source": { + "terms": { + "field": "source.geo.country_iso_code", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.252809 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 1a.10", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "destination.geo.country_iso_code" + } + }, + "destination": { + "terms": { + "field": "destination.geo.country_iso_code", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + 
} + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + } + ] + }, + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.23286400000000002 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 1b.1", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "preference": "1649684439115" + }, + "body": { + "size": 0, + "aggs": { + "destSplit": { + "terms": { + "script": { + "source": "doc['destination.geo.location'].value.toString()", + "lang": "painless" + }, + "order": { + "_count": "desc" + }, + "size": 100 + }, + "aggs": { + "sourceGrid": { + "geotile_grid": { + "field": "source.geo.location", + "precision": 3, + "size": 500 + }, + "aggs": { + "sourceCentroid": { + "geo_centroid": { + "field": "source.geo.location" + } + }, + "sum_of_source.bytes": { + "sum": { + "field": "source.bytes" + } + }, + "sum_of_destination.bytes": { + "sum": { + "field": "destination.bytes" + } + } + } + } + } + } + }, + "fields": [ + { + "field": "@timestamp", + "format": "date_time" + }, + { + "field": "event.created", + "format": "date_time" + }, + { + "field": "event.ingested", + "format": "date_time" + }, + { + "field": "file.accessed", + "format": "date_time" + }, + { + "field": "file.created", + "format": "date_time" + }, + { + "field": "file.ctime", + "format": "date_time" + }, + { + "field": "file.mtime", + 
"format": "date_time" + } + ], + "script_fields": {}, + "stored_fields": [ + "*" + ], + "runtime_mappings": {}, + "_source": { + "excludes": [] + }, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 87.74251 + ], + "bottom_right": [ + 180, + -87.74251 + ] + } + } + } + ] + } + }, + { + "exists": { + "field": "source.geo.location" + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.233734 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 1b.2", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "source.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "source.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.236037 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 1b.3", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + 
"destination.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "destination.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 85.05113 + ], + "bottom_right": [ + 180, + -85.05113 + ] + } + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/10.json b/elastic/security/workflows-logsdb/network/10.json new file mode 100644 index 000000000..498fcf4ab --- /dev/null +++ b/elastic/security/workflows-logsdb/network/10.json 
@@ -0,0 +1,108 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `Anomalies` sub-tab", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.513361 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 10.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "anomalyActionGroup": { + "terms": { + "field": "job_id", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "anomalies": { + "date_histogram": { + "field": "timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "should": [], + "minimum_should_match": 1 + } + }, + { + "match_phrase": { + "result_type": "record" + } + }, + null, + { + "range": { + "record_score": { + "gte": 50 + } + } + } + ], + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "must_not": [], + "minimum_should_match": 1 + } + }, + { + "range": { + "timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/11.json b/elastic/security/workflows-logsdb/network/11.json new file mode 100644 index 000000000..a4831a4de --- /dev/null +++ b/elastic/security/workflows-logsdb/network/11.json 
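Review bot: The `filter` array of request `10.1` contains a bare `null` element between the `match_phrase` on `result_type` and the `range` on `record_score`; `null` is not a query clause, and whether Elasticsearch silently skips it or rejects the body with a parsing error depends on parser leniency, so the benchmark may be timing an error response rather than the Anomalies tab. Drop the element so the array reads `{ "match_phrase": { "result_type": "record" } }, { "range": { "record_score": { "gte": 50 } } }`. Separately, the request targets `auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*` while every field it touches (`job_id`, `result_type`, `record_score`, `timestamp`) belongs to ML anomaly result documents, so on those indices the terms aggregation presumably returns no buckets and the measurement is of an empty aggregation; if that mirrors the existing `workflows/network/10.json` it is at least consistent, but it deserves a note in the workflow README. The `extended_bounds` are epoch millis (`1643986800000`–`1643990400000`) while the range clause uses ISO strings; if the workflow selector only rewrites the string timestamps, the histogram bounds will drift from the queried window.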
@@ -0,0 +1,1485 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `External Alerts` sub-tab", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.173328 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 11.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.174008 + }, + { + "name": 
"Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 11.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + 
"field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { 
+ "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "producers": { + "terms": { + "field": "kibana.alert.rule.producer", + "exclude": [ + "alerts" + ] + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "match_all": {} + } + ] + } + }, + "from": 0, + "size": 25, + "track_total_hits": true, + "sort": [ + { + "@timestamp": { + "order": "desc", + "unmapped_type": "date" + } + } + ], + "fields": [ + { + "field": "@timestamp", + "include_unmapped": true + }, + { + "field": "event.module", + "include_unmapped": true + }, + { + "field": "event.dataset", + "include_unmapped": true + }, + { + "field": "event.category", + "include_unmapped": true + }, + { + "field": "event.severity", + "include_unmapped": true + }, + { + "field": "observer.name", + "include_unmapped": true 
+ }, + { + "field": "host.name", + "include_unmapped": true + }, + { + "field": "kubernetes.event.message", + "include_unmapped": true + }, + { + "field": "agent.id", + "include_unmapped": true + }, + { + "field": "agent.type", + "include_unmapped": true + }, + { + "field": "kibana.alert.rule.consumer", + "include_unmapped": true + }, + { + "field": "signal.status", + "include_unmapped": true + }, + { + "field": "signal.group.id", + "include_unmapped": true + }, + { + "field": "signal.original_time", + "include_unmapped": true + }, + { + "field": "signal.reason", + "include_unmapped": true + }, + { + "field": "signal.rule.filters", + "include_unmapped": true + }, + { + "field": "signal.rule.from", + "include_unmapped": true + }, + { + "field": "signal.rule.language", + "include_unmapped": true + }, + { + "field": "signal.rule.query", + "include_unmapped": true + }, + { + "field": "signal.rule.name", + "include_unmapped": true + }, + { + "field": "signal.rule.to", + "include_unmapped": true + }, + { + "field": "signal.rule.id", + "include_unmapped": true + }, + { + "field": "signal.rule.index", + "include_unmapped": true + }, + { + "field": "signal.rule.type", + "include_unmapped": true + }, + { + "field": "signal.original_event.kind", + "include_unmapped": true + }, + { + "field": "signal.original_event.module", + "include_unmapped": true + }, + { + "field": "signal.rule.version", + "include_unmapped": true + }, + { + "field": "signal.rule.severity", + "include_unmapped": true + }, + { + "field": "signal.rule.risk_score", + "include_unmapped": true + }, + { + "field": "signal.threshold_result", + "include_unmapped": true + }, + { + "field": "event.code", + "include_unmapped": true + }, + { + "field": "event.action", + "include_unmapped": true + }, + { + "field": "user.name", + "include_unmapped": true + }, + { + "field": "source.ip", + "include_unmapped": true + }, + { + "field": "destination.ip", + "include_unmapped": true + }, + { + "field": 
"system.auth.ssh.signature", + "include_unmapped": true + }, + { + "field": "system.auth.ssh.method", + "include_unmapped": true + }, + { + "field": "system.audit.package.arch", + "include_unmapped": true + }, + { + "field": "system.audit.package.entity_id", + "include_unmapped": true + }, + { + "field": "system.audit.package.name", + "include_unmapped": true + }, + { + "field": "system.audit.package.size", + "include_unmapped": true + }, + { + "field": "system.audit.package.summary", + "include_unmapped": true + }, + { + "field": "system.audit.package.version", + "include_unmapped": true + }, + { + "field": "event.created", + "include_unmapped": true + }, + { + "field": "event.duration", + "include_unmapped": true + }, + { + "field": "event.end", + "include_unmapped": true + }, + { + "field": "event.hash", + "include_unmapped": true + }, + { + "field": "event.id", + "include_unmapped": true + }, + { + "field": "event.kind", + "include_unmapped": true + }, + { + "field": "event.original", + "include_unmapped": true + }, + { + "field": "event.outcome", + "include_unmapped": true + }, + { + "field": "event.risk_score", + "include_unmapped": true + }, + { + "field": "event.risk_score_norm", + "include_unmapped": true + }, + { + "field": "event.start", + "include_unmapped": true + }, + { + "field": "event.timezone", + "include_unmapped": true + }, + { + "field": "event.type", + "include_unmapped": true + }, + { + "field": "auditd.result", + "include_unmapped": true + }, + { + "field": "auditd.session", + "include_unmapped": true + }, + { + "field": "auditd.data.acct", + "include_unmapped": true + }, + { + "field": "auditd.data.terminal", + "include_unmapped": true + }, + { + "field": "auditd.data.op", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.primary", + "include_unmapped": true + }, + { + "field": "auditd.summary.actor.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.primary", + "include_unmapped": true + }, 
+ { + "field": "auditd.summary.object.secondary", + "include_unmapped": true + }, + { + "field": "auditd.summary.object.type", + "include_unmapped": true + }, + { + "field": "auditd.summary.how", + "include_unmapped": true + }, + { + "field": "auditd.summary.message_type", + "include_unmapped": true + }, + { + "field": "auditd.summary.sequence", + "include_unmapped": true + }, + { + "field": "file.Ext.original.path", + "include_unmapped": true + }, + { + "field": "file.name", + "include_unmapped": true + }, + { + "field": "file.target_path", + "include_unmapped": true + }, + { + "field": "file.extension", + "include_unmapped": true + }, + { + "field": "file.type", + "include_unmapped": true + }, + { + "field": "file.device", + "include_unmapped": true + }, + { + "field": "file.inode", + "include_unmapped": true + }, + { + "field": "file.uid", + "include_unmapped": true + }, + { + "field": "file.owner", + "include_unmapped": true + }, + { + "field": "file.gid", + "include_unmapped": true + }, + { + "field": "file.group", + "include_unmapped": true + }, + { + "field": "file.mode", + "include_unmapped": true + }, + { + "field": "file.size", + "include_unmapped": true + }, + { + "field": "file.mtime", + "include_unmapped": true + }, + { + "field": "file.ctime", + "include_unmapped": true + }, + { + "field": "file.path", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.subject_name", + "include_unmapped": true + }, + { + "field": "file.Ext.code_signature.trusted", + "include_unmapped": true + }, + { + "field": "file.hash.sha256", + "include_unmapped": true + }, + { + "field": "host.os.family", + "include_unmapped": true + }, + { + "field": "host.id", + "include_unmapped": true + }, + { + "field": "host.ip", + "include_unmapped": true + }, + { + "field": "registry.key", + "include_unmapped": true + }, + { + "field": "registry.path", + "include_unmapped": true + }, + { + 
"field": "rule.reference", + "include_unmapped": true + }, + { + "field": "source.bytes", + "include_unmapped": true + }, + { + "field": "source.packets", + "include_unmapped": true + }, + { + "field": "source.port", + "include_unmapped": true + }, + { + "field": "source.geo.continent_name", + "include_unmapped": true + }, + { + "field": "source.geo.country_name", + "include_unmapped": true + }, + { + "field": "source.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.city_name", + "include_unmapped": true + }, + { + "field": "source.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "source.geo.region_name", + "include_unmapped": true + }, + { + "field": "destination.bytes", + "include_unmapped": true + }, + { + "field": "destination.packets", + "include_unmapped": true + }, + { + "field": "destination.port", + "include_unmapped": true + }, + { + "field": "destination.geo.continent_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_name", + "include_unmapped": true + }, + { + "field": "destination.geo.country_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.city_name", + "include_unmapped": true + }, + { + "field": "destination.geo.region_iso_code", + "include_unmapped": true + }, + { + "field": "destination.geo.region_name", + "include_unmapped": true + }, + { + "field": "dns.question.name", + "include_unmapped": true + }, + { + "field": "dns.question.type", + "include_unmapped": true + }, + { + "field": "dns.resolved_ip", + "include_unmapped": true + }, + { + "field": "dns.response_code", + "include_unmapped": true + }, + { + "field": "endgame.exit_code", + "include_unmapped": true + }, + { + "field": "endgame.file_name", + "include_unmapped": true + }, + { + "field": "endgame.file_path", + "include_unmapped": true + }, + { + "field": "endgame.logon_type", + "include_unmapped": true + }, + { + "field": "endgame.parent_process_name", + "include_unmapped": true + 
}, + { + "field": "endgame.pid", + "include_unmapped": true + }, + { + "field": "endgame.process_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.subject_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.subject_user_name", + "include_unmapped": true + }, + { + "field": "endgame.target_domain_name", + "include_unmapped": true + }, + { + "field": "endgame.target_logon_id", + "include_unmapped": true + }, + { + "field": "endgame.target_user_name", + "include_unmapped": true + }, + { + "field": "signal.rule.saved_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_id", + "include_unmapped": true + }, + { + "field": "signal.rule.timeline_title", + "include_unmapped": true + }, + { + "field": "signal.rule.output_index", + "include_unmapped": true + }, + { + "field": "signal.rule.note", + "include_unmapped": true + }, + { + "field": "signal.rule.threshold", + "include_unmapped": true + }, + { + "field": "signal.rule.exceptions_list", + "include_unmapped": true + }, + { + "field": "signal.rule.building_block_type", + "include_unmapped": true + }, + { + "field": "suricata.eve.proto", + "include_unmapped": true + }, + { + "field": "suricata.eve.flow_id", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature", + "include_unmapped": true + }, + { + "field": "suricata.eve.alert.signature_id", + "include_unmapped": true + }, + { + "field": "network.bytes", + "include_unmapped": true + }, + { + "field": "network.community_id", + "include_unmapped": true + }, + { + "field": "network.direction", + "include_unmapped": true + }, + { + "field": "network.packets", + "include_unmapped": true + }, + { + "field": "network.protocol", + "include_unmapped": true + }, + { + "field": "network.transport", + "include_unmapped": true + }, + { + "field": "http.version", + "include_unmapped": true + }, + { + "field": "http.request.method", + 
"include_unmapped": true + }, + { + "field": "http.request.body.bytes", + "include_unmapped": true + }, + { + "field": "http.request.body.content", + "include_unmapped": true + }, + { + "field": "http.request.referrer", + "include_unmapped": true + }, + { + "field": "http.response.status_code", + "include_unmapped": true + }, + { + "field": "http.response.body.bytes", + "include_unmapped": true + }, + { + "field": "http.response.body.content", + "include_unmapped": true + }, + { + "field": "tls.client_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "tls.fingerprints.ja3.hash", + "include_unmapped": true + }, + { + "field": "tls.server_certificate.fingerprint.sha1", + "include_unmapped": true + }, + { + "field": "user.domain", + "include_unmapped": true + }, + { + "field": "winlog.event_id", + "include_unmapped": true + }, + { + "field": "process.exit_code", + "include_unmapped": true + }, + { + "field": "process.hash.md5", + "include_unmapped": true + }, + { + "field": "process.hash.sha1", + "include_unmapped": true + }, + { + "field": "process.hash.sha256", + "include_unmapped": true + }, + { + "field": "process.parent.name", + "include_unmapped": true + }, + { + "field": "process.parent.pid", + "include_unmapped": true + }, + { + "field": "process.pid", + "include_unmapped": true + }, + { + "field": "process.name", + "include_unmapped": true + }, + { + "field": "process.ppid", + "include_unmapped": true + }, + { + "field": "process.args", + "include_unmapped": true + }, + { + "field": "process.entity_id", + "include_unmapped": true + }, + { + "field": "process.executable", + "include_unmapped": true + }, + { + "field": "process.title", + "include_unmapped": true + }, + { + "field": "process.working_directory", + "include_unmapped": true + }, + { + "field": "zeek.session_id", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_resp", + "include_unmapped": true + }, + { + "field": "zeek.connection.local_orig", + 
"include_unmapped": true + }, + { + "field": "zeek.connection.missed_bytes", + "include_unmapped": true + }, + { + "field": "zeek.connection.state", + "include_unmapped": true + }, + { + "field": "zeek.connection.history", + "include_unmapped": true + }, + { + "field": "zeek.notice.suppress_for", + "include_unmapped": true + }, + { + "field": "zeek.notice.msg", + "include_unmapped": true + }, + { + "field": "zeek.notice.note", + "include_unmapped": true + }, + { + "field": "zeek.notice.sub", + "include_unmapped": true + }, + { + "field": "zeek.notice.dst", + "include_unmapped": true + }, + { + "field": "zeek.notice.dropped", + "include_unmapped": true + }, + { + "field": "zeek.notice.peer_descr", + "include_unmapped": true + }, + { + "field": "zeek.dns.AA", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.RD", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype_name", + "include_unmapped": true + }, + { + "field": "zeek.dns.qtype", + "include_unmapped": true + }, + { + "field": "zeek.dns.query", + "include_unmapped": true + }, + { + "field": "zeek.dns.trans_id", + "include_unmapped": true + }, + { + "field": "zeek.dns.qclass", + "include_unmapped": true + }, + { + "field": "zeek.dns.RA", + "include_unmapped": true + }, + { + "field": "zeek.dns.TC", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_mime_types", + "include_unmapped": true + }, + { + "field": "zeek.http.trans_depth", + "include_unmapped": true + }, + { + "field": "zeek.http.status_msg", + "include_unmapped": true + }, + { + "field": "zeek.http.resp_fuids", + "include_unmapped": true + }, + { + "field": "zeek.http.tags", + "include_unmapped": true + }, + { + "field": "zeek.files.session_ids", + "include_unmapped": true + }, + { + "field": "zeek.files.timedout", + "include_unmapped": true + }, + { + "field": "zeek.files.local_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.tx_host", + 
"include_unmapped": true + }, + { + "field": "zeek.files.source", + "include_unmapped": true + }, + { + "field": "zeek.files.is_orig", + "include_unmapped": true + }, + { + "field": "zeek.files.overflow_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.sha1", + "include_unmapped": true + }, + { + "field": "zeek.files.duration", + "include_unmapped": true + }, + { + "field": "zeek.files.depth", + "include_unmapped": true + }, + { + "field": "zeek.files.analyzers", + "include_unmapped": true + }, + { + "field": "zeek.files.mime_type", + "include_unmapped": true + }, + { + "field": "zeek.files.rx_host", + "include_unmapped": true + }, + { + "field": "zeek.files.total_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.fuid", + "include_unmapped": true + }, + { + "field": "zeek.files.seen_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.missing_bytes", + "include_unmapped": true + }, + { + "field": "zeek.files.md5", + "include_unmapped": true + }, + { + "field": "zeek.ssl.cipher", + "include_unmapped": true + }, + { + "field": "zeek.ssl.established", + "include_unmapped": true + }, + { + "field": "zeek.ssl.resumed", + "include_unmapped": true + }, + { + "field": "zeek.ssl.version", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.atomic", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.field", + "include_unmapped": true + }, + { + "field": "threat.enrichments.matched.type", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.reference", + "include_unmapped": true + }, + { + "field": "threat.enrichments.indicator.provider", + "include_unmapped": true + } + ], + "_source": [ + "signal.*" + ] + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/2.json b/elastic/security/workflows-logsdb/network/2.json new file mode 100644 index 000000000..c71b53825 --- /dev/null 
+++ b/elastic/security/workflows-logsdb/network/2.json 
@@ -0,0 +1,1015 @@ +{ + "name": "POST /internal/bsearch", + "id": "Set the time range to `now-24hr` to `now`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.179263 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.179762 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "dns.question.name" + } + }, + { + "term": { + "suricata.eve.dns.type": { + "value": "query" + } + } + 
}, + { + "exists": { + "field": "zeek.dns.query" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.180061 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_id": { + "cardinality": { + "field": "network.community_id" + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.180302 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { 
+ "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "tls.version" + } + }, + { + "exists": { + "field": "suricata.eve.tls.version" + } + }, + { + "exists": { + "field": "zeek.ssl.version" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.180531 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "source": { + "filter": { + "bool": { + "should": [ + { + "term": { + "source.ip": "10.0.0.0/8" + } + }, + { + "term": { + "source.ip": "192.168.0.0/16" + } + }, + { + "term": { + "source.ip": "172.16.0.0/12" + } + }, + { + "term": { + "source.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + } + } + }, + "destination": { + "filter": { + "bool": { + "should": [ + { + "term": { + "destination.ip": "10.0.0.0/8" + } + }, + { + "term": { + 
"destination.ip": "192.168.0.0/16" + } + }, + { + "term": { + "destination.ip": "172.16.0.0/12" + } + }, + { + "term": { + "destination.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.18077500000000002 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.6", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "source.ip" + } + }, + "source": { + "terms": { + "field": "source.ip", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "domain": { + "terms": { + "field": "source.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "source.geo" + } + }, + "aggs": { + 
"top_geo": { + "top_hits": { + "_source": "source.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "source.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.181004 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.7", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "destination.ip" + } + }, + "destination": { + "terms": { + "field": "destination.ip", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "domain": { + "terms": { + "field": "destination.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": 
"destination.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "destination.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.181228 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.8", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "source.geo.country_iso_code" + } + }, + "source": { + "terms": { + "field": "source.geo.country_iso_code", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] 
+ } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.181816 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 2.9", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "destination.geo.country_iso_code" + } + }, + "destination": { + "terms": { + "field": "destination.geo.country_iso_code", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.18235200000000001 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 2.10", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + 
"ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "source.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "source.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.182625 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 2.11", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "destination.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "destination.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 85.05113 + ], + "bottom_right": [ + 180, + -85.05113 + ] + } + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + } + ] + } + ] +} \ No newline at end of file 
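Review bot: Query 2.10 (the `source.geo.location` map fetch against `logs-*`) filters only on the `@timestamp` range, while its twin 2.11 additionally requires `exists destination.geo.location` plus a `geo_bounding_box`; with `"size": 10000` that means 2.10 pulls up to 10000 arbitrary documents, most of which carry no source location, so the two map-layer requests measure different work and 2.10 never exercises the geo filter. If this was copied verbatim from the non-logsdb `workflows/network/2.json` the asymmetry is inherited, but it is worth checking against what Kibana actually sends for the source layer and, if that request carries the same filter, adding the matching clause for `source.geo.location` as sketched below. Separately, both 2.10 and 2.11 replay a recorded `"preference": "1649684439115"`; because every Rally client sends the same value, those two searches are always routed to the same shard copies, which can mask replica load balancing in the benchmark — consider dropping the parameter or documenting why it is kept.
```json
"filter": [
  {
    "bool": {
      "must": [
        { "exists": { "field": "source.geo.location" } },
        {
          "geo_bounding_box": {
            "source.geo.location": {
              "top_left": [-180, 85.05113],
              "bottom_right": [180, -85.05113]
            }
          }
        }
      ]
    }
  },
  {
    "range": {
      "@timestamp": {
        "format": "strict_date_optional_time",
        "gte": "2022-02-03T16:00:00.000Z",
        "lte": "2022-02-04T16:00:00.000Z"
      }
    }
  }
]
```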
diff --git a/elastic/security/workflows-logsdb/network/3.json b/elastic/security/workflows-logsdb/network/3.json
new file mode 100644
index 000000000..7b8b702cb
--- /dev/null
+++ b/elastic/security/workflows-logsdb/network/3.json
@@ -0,0 +1,1011 @@ +{ + "name": "POST /internal/bsearch", + "id": "Set the time range to `now-8hr` to `now`", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.175681 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.176203 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "dns.question.name" + } + }, + { + "term": { + "suricata.eve.dns.type": { + "value": "query" + } + } + }, + { + "exists": { 
+ "field": "zeek.dns.query" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.17655 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_id": { + "cardinality": { + "field": "network.community_id" + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.176844 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + 
"bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "tls.version" + } + }, + { + "exists": { + "field": "suricata.eve.tls.version" + } + }, + { + "exists": { + "field": "zeek.ssl.version" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.177147 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "source": { + "filter": { + "bool": { + "should": [ + { + "term": { + "source.ip": "10.0.0.0/8" + } + }, + { + "term": { + "source.ip": "192.168.0.0/16" + } + }, + { + "term": { + "source.ip": "172.16.0.0/12" + } + }, + { + "term": { + "source.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + } + } + }, + "destination": { + "filter": { + "bool": { + "should": [ + { + "term": { + "destination.ip": "10.0.0.0/8" + } + }, + { + "term": { + "destination.ip": 
"192.168.0.0/16" + } + }, + { + "term": { + "destination.ip": "172.16.0.0/12" + } + }, + { + "term": { + "destination.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.177647 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.6", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "source.ip" + } + }, + "source": { + "terms": { + "field": "source.ip", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "domain": { + "terms": { + "field": "source.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "source.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + 
"_source": "source.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "source.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.17897 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.7", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "destination.ip" + } + }, + "destination": { + "terms": { + "field": "destination.ip", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "domain": { + "terms": { + "field": "destination.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "destination.geo.*", + "size": 1 + } + } + } + }, 
+ "autonomous_system": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "destination.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.179733 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.8", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "source.geo.country_iso_code" + } + }, + "source": { + "terms": { + "field": "source.geo.country_iso_code", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + 
"gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.18079900000000002 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 3.9", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "destination.geo.country_iso_code" + } + }, + "destination": { + "terms": { + "field": "destination.geo.country_iso_code", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.181727 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 3.10", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": 
"10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "source.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "source.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.182786 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 3.11", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "destination.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "destination.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 85.05113 + ], + "bottom_right": [ + 180, + -85.05113 + ] + } + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/4.json b/elastic/security/workflows-logsdb/network/4.json new file mode 100644 index 000000000..8fb2453e8 
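Review bot: Requests 3.10 and 3.11 send a constant `"preference": "1649684439115"`; a custom preference string routes every search that carries the same value to the same shard copies, so when several benchmark clients replay this workflow concurrently the load lands on one set of replicas instead of being spread, which skews the numbers the logsdb comparison is meant to produce. The value looks like a recorded Kibana session identifier rather than a deliberate choice, and it presumably mirrors the existing `workflows/network` files, so if it is dropped it should be dropped there too for a like-for-like comparison. A smaller point: the file ends without a trailing newline (`\ No newline at end of file`), which most JSON formatters will keep rewriting on every later edit.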
--- /dev/null
+++ b/elastic/security/workflows-logsdb/network/4.json
@@ -0,0 +1,1015 @@ +{ + "name": "POST /internal/bsearch", + "id": "Set the time range to `now-1hr` to `now`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.8731369999999999 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.8737849999999999 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "dns.question.name" + } + }, + { + "term": { + "suricata.eve.dns.type": { + "value": 
"query" + } + } + }, + { + "exists": { + "field": "zeek.dns.query" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.874274 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_id": { + "cardinality": { + "field": "network.community_id" + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.8748940000000001 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + 
"body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "tls.version" + } + }, + { + "exists": { + "field": "suricata.eve.tls.version" + } + }, + { + "exists": { + "field": "zeek.ssl.version" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.875514 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "source": { + "filter": { + "bool": { + "should": [ + { + "term": { + "source.ip": "10.0.0.0/8" + } + }, + { + "term": { + "source.ip": "192.168.0.0/16" + } + }, + { + "term": { + "source.ip": "172.16.0.0/12" + } + }, + { + "term": { + "source.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + } + } + }, + "destination": { + "filter": { + "bool": { + "should": [ + { + "term": { + "destination.ip": 
"10.0.0.0/8" + } + }, + { + "term": { + "destination.ip": "192.168.0.0/16" + } + }, + { + "term": { + "destination.ip": "172.16.0.0/12" + } + }, + { + "term": { + "destination.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.8766280000000001 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.6", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "source.ip" + } + }, + "source": { + "terms": { + "field": "source.ip", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "domain": { + "terms": { + "field": "source.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": 
"source.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "source.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "source.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.878279 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.7", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "destination.ip" + } + }, + "destination": { + "terms": { + "field": "destination.ip", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "domain": { + "terms": { + "field": "destination.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "top_geo": { + 
"top_hits": { + "_source": "destination.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "destination.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.880134 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.8", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "source.geo.country_iso_code" + } + }, + "source": { + "terms": { + "field": "source.geo.country_iso_code", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + 
"should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.8813500000000001 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 4.9", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "destination.geo.country_iso_code" + } + }, + "destination": { + "terms": { + "field": "destination.geo.country_iso_code", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.881867 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 4.10", + "operation-type": "search", + "index": "logs-*", + "request-params": { + 
"batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "source.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "source.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.8833909999999999 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 4.11", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "destination.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "destination.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 85.05113 + ], + "bottom_right": [ + 180, + -85.05113 + ] + } + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + } + ] + } + ] +} \ No newline at end of file 
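Review bot: The `requests` array in 4.json wraps all eleven per-query streams inside one extra `{ "stream": [ ... ] }` — the hunk opens with `"requests": [ { "stream": [ { "stream": [` and closes with `] } ] } ] }` — whereas 3.json in this same commit places its streams directly under `requests`. If the composite operation runs sibling streams concurrently but a stream's own entries in order, the two files schedule their searches differently even though the monotonically increasing sleep durations in both suggest the same staggered-parallel intent; the four-line difference between the hunk sizes (1015 vs 1011) matches exactly that wrapper. The 5.json hunk that follows opens with the same nested shape, and the file closing at the top of this chunk appears to as well, so 3.json may be the outlier rather than 4.json. Please confirm which shape `workflow-selector` expects and make the logsdb workflow files consistent, or note in the commit why they differ.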
diff --git a/elastic/security/workflows-logsdb/network/5.json b/elastic/security/workflows-logsdb/network/5.json
new file mode 100644
index 000000000..7009d8ca6
--- /dev/null
+++ b/elastic/security/workflows-logsdb/network/5.json
@@ -0,0 +1,1698 @@ +{ + "name": "/app/security/*?{query}", + "id": "Select an IP to open details", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.3292710000000003 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + 
}, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + 
"field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "query": { + "bool": { + "filter": { + "bool": { + "should": [ + { + "term": { + "source.ip": "63.33.254.192" + } + }, + { + "term": { + "destination.ip": "63.33.254.192" + } + } + ] + } + } + } + }, + "_source": [ + "@timestamp" + ], + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.330529 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "anomalyActionGroup": { + "terms": { + "field": "job_id", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "anomalies": { + "date_histogram": { + "field": "timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + 
"must": [], + "filter": [ + { + "bool": { + "should": [], + "minimum_should_match": 1 + } + }, + { + "match_phrase": { + "result_type": "record" + } + }, + { + "match_phrase": { + "destination.ip": "63.33.254.192" + } + }, + { + "range": { + "record_score": { + "gte": 50 + } + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.331201 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "source.ip" + } + }, + "source": { + "terms": { + "field": "source.ip", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "domain": { + "terms": { + "field": "source.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "source.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "source.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "source.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + 
"field": "network.community_id" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ], + "should": [ + { + "term": { + "destination.ip": "63.33.254.192" + } + } + ], + "minimum_should_match": 1 + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.331725 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "destination.ip" + } + }, + "destination": { + "terms": { + "field": "destination.ip", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "domain": { + "terms": { + "field": "destination.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "destination.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "destination.as.*", 
+ "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ], + "should": [ + { + "term": { + "source.ip": "63.33.254.192" + } + } + ], + "minimum_should_match": 1 + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.337487 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "source.geo.country_iso_code" + } + }, + "source": { + "terms": { + "field": "source.geo.country_iso_code", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": 
"2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ], + "should": [ + { + "term": { + "destination.ip": "63.33.254.192" + } + } + ], + "minimum_should_match": 1 + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.339848 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.6", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "destination.geo.country_iso_code" + } + }, + "destination": { + "terms": { + "field": "destination.geo.country_iso_code", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ], + "should": [ + { + "term": { + "source.ip": "63.33.254.192" + } + } + ], + "minimum_should_match": 1 + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.34215 + }, + { + "name": "Elasticsearch: POST 
/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_async_search - network - 5.7", + "operation-type": "search", + "index": "apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "user_count": { + "cardinality": { + "field": "user.name" + } + }, + "users": { + "terms": { + "field": "user.name", + "size": 10, + "order": { + "_key": "asc" + } + }, + "aggs": { + "id": { + "terms": { + "field": "user.id" + } + }, + "groupId": { + "terms": { + "field": "user.group.id" + } + }, + "groupName": { + "terms": { + "field": "user.group.name" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "term": { + "destination.ip": "63.33.254.192" + } + } + ], + "must_not": [ + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.3449560000000003 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.8", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "http_count": { + "cardinality": { + "field": "url.path" + } + }, + "url": { + "terms": { + "field": "url.path", + "size": 
10, + "order": { + "_count": "desc" + } + }, + "aggs": { + "methods": { + "terms": { + "field": "http.request.method", + "size": 4 + } + }, + "domains": { + "terms": { + "field": "url.domain", + "size": 4 + } + }, + "status": { + "terms": { + "field": "http.response.status_code", + "size": 4 + } + }, + "source": { + "top_hits": { + "size": 1, + "_source": { + "includes": [ + "host.name", + "source.ip" + ] + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "exists": { + "field": "http.request.method" + } + } + ], + "should": [ + { + "term": { + "source.ip": "63.33.254.192" + } + }, + { + "term": { + "destination.ip": "63.33.254.192" + } + } + ], + "minimum_should_match": 1 + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.346292 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.9", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "count": { + "cardinality": { + "field": "tls.server.hash.sha1" + } + }, + "sha1": { + "terms": { + "field": "tls.server.hash.sha1", + "size": 10, + "order": { + "_key": "desc" + } + }, + "aggs": { + "issuers": { + "terms": { + "field": "tls.server.issuer" + } + }, + "subjects": { + "terms": { + "field": "tls.server.subject" + } + }, + "not_after": { + "terms": { + "field": "tls.server.not_after" + } + }, + "ja3": { + "terms": { + "field": "tls.client.ja3" + } + } + } + } + 
}, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "term": { + "destination.ip": "63.33.254.192" + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 2.353107 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 5.10", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": 
"auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": 
"auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggs": { + "source": { + "filter": { + "term": { + "source.ip": "63.33.254.192" + } + }, + "aggs": { + "firstSeen": { + "min": { + "field": "@timestamp" + } + }, + "lastSeen": { + "max": { + "field": "@timestamp" + } + }, + "as": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "results": { + "top_hits": { + "size": 1, + "_source": [ + "source.as" + ], + "sort": [ + { + "@timestamp": "desc" + } + ] + } + } + } + }, + "geo": { + "filter": { + "exists": { + "field": "source.geo" + } + }, + "aggs": { + "results": { + "top_hits": { + "size": 1, + "_source": [ + "source.geo" + ], + "sort": [ + { + "@timestamp": "desc" + } + ] + } + } + } + } + } + }, + "destination": { + "filter": { + "term": { + "destination.ip": "63.33.254.192" + } + }, + "aggs": { + "firstSeen": { + "min": { + "field": "@timestamp" + } + }, + "lastSeen": { + "max": { + "field": "@timestamp" + } + }, + "as": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + 
"results": { + "top_hits": { + "size": 1, + "_source": [ + "destination.as" + ], + "sort": [ + { + "@timestamp": "desc" + } + ] + } + } + } + }, + "geo": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "results": { + "top_hits": { + "size": 1, + "_source": [ + "destination.geo" + ], + "sort": [ + { + "@timestamp": "desc" + } + ] + } + } + } + } + } + }, + "host": { + "filter": { + "term": { + "host.ip": "63.33.254.192" + } + }, + "aggs": { + "results": { + "top_hits": { + "size": 1, + "_source": [ + "host" + ], + "sort": [ + { + "@timestamp": "desc" + } + ] + } + } + } + } + }, + "query": { + "bool": { + "should": [] + } + }, + "size": 0 + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/6.json b/elastic/security/workflows-logsdb/network/6.json new file mode 100644 index 000000000..4dbf8e4c4 --- /dev/null +++ b/elastic/security/workflows-logsdb/network/6.json 
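Review bot: The last request in this hunk, `network - 5.10`, is the only one whose query has no `@timestamp` bound: its body ends with `"query": { "bool": { "should": [] } }` and `"size": 0`, and a bool with no clauses matches every document, so the `source`/`destination`/`host` filter aggregations scan the whole `auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*` pattern rather than the one-hour window that `5.1`–`5.9` each pin with a `range` clause. If the track's workflow-selector only rewrites existing `range` filters (I cannot see it from here), this request is never time-bounded, its cost grows with retained data, and it will skew any logsdb-versus-standard comparison; the fix is to add the same `range` on `@timestamp` that the sibling requests carry into that `bool`'s `filter` array. If this file is a near-verbatim copy of `workflows/network/5.json`, the same applies there and the two folders will need to be kept in sync. The file is also committed without a trailing newline (`\ No newline at end of file`).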
@@ -0,0 +1,1497 @@ +{ + "name": "/app/security/*?{query}", + "id": "Select the `Network` breadcrumb to return to dashboard", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.20117 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": 
"auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": 
"auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "query": { + "match_all": {} + }, + "_source": [ + "@timestamp" + ], + "size": 1, + "sort": [ + { + "@timestamp": { + "order": "desc" + } + } + ] + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.201724 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": 
"sleep", + "operation-type": "sleep", + "duration": 0.20197700000000002 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "dns.question.name" + } + }, + { + "term": { + "suricata.eve.dns.type": { + "value": "query" + } + } + }, + { + "exists": { + "field": "zeek.dns.query" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.20219700000000002 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_id": { + "cardinality": { + "field": "network.community_id" + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": 
"destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.202396 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.5", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "tls.version" + } + }, + { + "exists": { + "field": "suricata.eve.tls.version" + } + }, + { + "exists": { + "field": "zeek.ssl.version" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.20261 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.6", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": 
"true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "source": { + "filter": { + "bool": { + "should": [ + { + "term": { + "source.ip": "10.0.0.0/8" + } + }, + { + "term": { + "source.ip": "192.168.0.0/16" + } + }, + { + "term": { + "source.ip": "172.16.0.0/12" + } + }, + { + "term": { + "source.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "source.ip" + } + } + } + } + } + }, + "destination": { + "filter": { + "bool": { + "should": [ + { + "term": { + "destination.ip": "10.0.0.0/8" + } + }, + { + "term": { + "destination.ip": "192.168.0.0/16" + } + }, + { + "term": { + "destination.ip": "172.16.0.0/12" + } + }, + { + "term": { + "destination.ip": "fd00::/8" + } + } + ], + "minimum_should_match": 1 + } + }, + "aggs": { + "unique_private_ips": { + "cardinality": { + "field": "destination.ip" + } + }, + "histogram": { + "auto_date_histogram": { + "field": "@timestamp", + "buckets": "6" + }, + "aggs": { + "count": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.204187 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.7", + "operation-type": "search", + "index": 
"auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "source.ip" + } + }, + "source": { + "terms": { + "field": "source.ip", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "domain": { + "terms": { + "field": "source.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "source.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "source.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "source.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "source.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.205487 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.8", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", 
+ "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_n_flow_count": { + "cardinality": { + "field": "destination.ip" + } + }, + "destination": { + "terms": { + "field": "destination.ip", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "destination.bytes" + } + }, + "domain": { + "terms": { + "field": "destination.domain", + "order": { + "timestamp": "desc" + } + }, + "aggs": { + "timestamp": { + "max": { + "field": "@timestamp" + } + } + } + }, + "location": { + "filter": { + "exists": { + "field": "destination.geo" + } + }, + "aggs": { + "top_geo": { + "top_hits": { + "_source": "destination.geo.*", + "size": 1 + } + } + } + }, + "autonomous_system": { + "filter": { + "exists": { + "field": "destination.as" + } + }, + "aggs": { + "top_as": { + "top_hits": { + "_source": "destination.as.*", + "size": 1 + } + } + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.206044 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.9", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", 
+ "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "source.geo.country_iso_code" + } + }, + "source": { + "terms": { + "field": "source.geo.country_iso_code", + "size": 10, + "order": { + "bytes_out": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "destination.bytes" + } + }, + "bytes_out": { + "sum": { + "field": "source.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.20632599999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 6a.10", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "top_countries_count": { + "cardinality": { + "field": "destination.geo.country_iso_code" + } + }, + "destination": { + "terms": { + "field": "destination.geo.country_iso_code", + "size": 10, + "order": { + "bytes_in": "desc" + } + }, + "aggs": { + "bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "bytes_out": { + "sum": { + "field": 
"destination.bytes" + } + }, + "flows": { + "cardinality": { + "field": "network.community_id" + } + }, + "source_ips": { + "cardinality": { + "field": "source.ip" + } + }, + "destination_ips": { + "cardinality": { + "field": "destination.ip" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + } + } + } + ] + } + ] + }, + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.227699 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 6b.1", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "preference": "1649684439115" + }, + "body": { + "size": 0, + "aggs": { + "destSplit": { + "terms": { + "script": { + "source": "doc['destination.geo.location'].value.toString()", + "lang": "painless" + }, + "order": { + "_count": "desc" + }, + "size": 100 + }, + "aggs": { + "sourceGrid": { + "geotile_grid": { + "field": "source.geo.location", + "precision": 3, + "size": 500 + }, + "aggs": { + "sourceCentroid": { + "geo_centroid": { + "field": "source.geo.location" + } + }, + "sum_of_source.bytes": { + "sum": { + "field": "source.bytes" + } + }, + "sum_of_destination.bytes": { + "sum": { + "field": "destination.bytes" + } + } + } + } + } + } + }, + "fields": [ + { + "field": "@timestamp", + "format": "date_time" + }, + { + "field": "event.created", + "format": "date_time" + }, + { + "field": "event.ingested", + "format": "date_time" + }, + { + "field": "file.accessed", + "format": "date_time" + }, + { + "field": "file.created", + "format": "date_time" + }, + { + "field": "file.ctime", + "format": "date_time" + }, + { + "field": 
"file.mtime", + "format": "date_time" + } + ], + "script_fields": {}, + "stored_fields": [ + "*" + ], + "runtime_mappings": {}, + "_source": { + "excludes": [] + }, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 87.74251 + ], + "bottom_right": [ + 180, + -87.74251 + ] + } + } + } + ] + } + }, + { + "exists": { + "field": "source.geo.location" + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.23141499999999998 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 6b.2", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + "format": "epoch_millis" + }, + "source.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "source.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.23291900000000001 + }, + { + "name": "Elasticsearch: POST /logs-*/_async_search - network - 6b.3", + "operation-type": "search", + "index": "logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "10001", + "preference": "1649684439115" + }, + "body": { + "docvalue_fields": [ + { + "field": "@timestamp", + 
"format": "epoch_millis" + }, + "destination.geo.location" + ], + "size": 10000, + "_source": false, + "script_fields": {}, + "stored_fields": [ + "@timestamp", + "destination.geo.location" + ], + "runtime_mappings": {}, + "query": { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "must": [ + { + "exists": { + "field": "destination.geo.location" + } + }, + { + "geo_bounding_box": { + "destination.geo.location": { + "top_left": [ + -180, + 85.05113 + ], + "bottom_right": [ + 180, + -85.05113 + ] + } + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "format": "strict_date_optional_time", + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z" + } + } + } + ], + "should": [], + "must_not": [] + } + } + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/7.json b/elastic/security/workflows-logsdb/network/7.json new file mode 100644 index 000000000..1ebdd691d --- /dev/null +++ b/elastic/security/workflows-logsdb/network/7.json 
@@ -0,0 +1,802 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `DNS` sub-tab", + "requests": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.18745699999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 7.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + 
"field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { + "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": 
"auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + "field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "dns_count": { + "cardinality": { + "field": "dns.question.registered_domain" + } + }, + "dns_name_query_count": { + "terms": { + "field": "dns.question.registered_domain", + "order": { + "unique_domains": "desc" + }, + "size": 10 + }, + "aggs": { + "unique_domains": { + "cardinality": { + "field": "dns.question.name" + } + }, + "dns_question_name": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ], + "must_not": [ + { + "term": { + "dns.question.type": { + "value": "PTR" + } + } + } + ] + } + } + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.188295 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 7.2", + "operation-type": "search", + "index": 
"auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "docvalue_fields": [ + { + "field": "@metadata.beat" + }, + { + "field": "@metadata.type" + }, + { + "field": "@metadata.version" + }, + { + "field": "@timestamp" + }, + { + "field": "agent.agent_id" + }, + { + "field": "agent.build.original" + }, + { + "field": "agent.ephemeral_id" + }, + { + "field": "agent.hostname" + }, + { + "field": "agent.id" + }, + { + "field": "agent.name" + }, + { + "field": "agent.type" + }, + { + "field": "agent.version" + }, + { + "field": "as.number" + }, + { + "field": "as.organization.name" + }, + { + "field": "auditd.data.a0" + }, + { + "field": "auditd.data.a1" + }, + { + "field": "auditd.data.a2" + }, + { + "field": "auditd.data.a3" + }, + { + "field": "auditd.data.a[0-3]" + }, + { + "field": "auditd.data.acct" + }, + { + "field": "auditd.data.acl" + }, + { + "field": "auditd.data.action" + }, + { + "field": "auditd.data.added" + }, + { + "field": "auditd.data.addr" + }, + { + "field": "auditd.data.apparmor" + }, + { + "field": "auditd.data.arch" + }, + { + "field": "auditd.data.arg" + }, + { + "field": "auditd.data.argc" + }, + { + "field": "auditd.data.audit_backlog_limit" + }, + { + "field": "auditd.data.audit_backlog_wait_time" + }, + { + "field": "auditd.data.audit_enabled" + }, + { + "field": "auditd.data.audit_failure" + }, + { + "field": "auditd.data.auid" + }, + { + "field": "auditd.data.banners" + }, + { + "field": "auditd.data.bool" + }, + { + "field": "auditd.data.bus" + }, + { + "field": "auditd.data.cap_fe" + }, + { + "field": "auditd.data.cap_fi" + }, + { + "field": "auditd.data.cap_fp" + }, + { + "field": "auditd.data.cap_fver" + }, + { + "field": "auditd.data.cap_pe" + }, + { + "field": "auditd.data.cap_pi" + }, + { + "field": "auditd.data.cap_pp" + }, + { 
+ "field": "auditd.data.capability" + }, + { + "field": "auditd.data.capname" + }, + { + "field": "auditd.data.cgroup" + }, + { + "field": "auditd.data.changed" + }, + { + "field": "auditd.data.cipher" + }, + { + "field": "auditd.data.class" + }, + { + "field": "auditd.data.cmd" + }, + { + "field": "auditd.data.code" + }, + { + "field": "auditd.data.compat" + }, + { + "field": "auditd.data.daddr" + }, + { + "field": "auditd.data.data" + }, + { + "field": "auditd.data.default-context" + }, + { + "field": "auditd.data.device" + }, + { + "field": "auditd.data.dir" + }, + { + "field": "auditd.data.direction" + }, + { + "field": "auditd.data.dmac" + }, + { + "field": "auditd.data.dport" + }, + { + "field": "auditd.data.enforcing" + }, + { + "field": "auditd.data.entries" + }, + { + "field": "auditd.data.exit" + }, + { + "field": "auditd.data.fam" + }, + { + "field": "auditd.data.family" + }, + { + "field": "auditd.data.fd" + }, + { + "field": "auditd.data.fe" + }, + { + "field": "auditd.data.feature" + }, + { + "field": "auditd.data.fi" + }, + { + "field": "auditd.data.file" + }, + { + "field": "auditd.data.flags" + }, + { + "field": "auditd.data.format" + }, + { + "field": "auditd.data.fp" + }, + { + "field": "auditd.data.fver" + }, + { + "field": "auditd.data.grantors" + }, + { + "field": "auditd.data.grp" + }, + { + "field": "auditd.data.hook" + }, + { + "field": "auditd.data.hostname" + }, + { + "field": "auditd.data.icmp_type" + }, + { + "field": "auditd.data.id" + }, + { + "field": "auditd.data.igid" + }, + { + "field": "auditd.data.img-ctx" + }, + { + "field": "auditd.data.inif" + }, + { + "field": "auditd.data.ino" + }, + { + "field": "auditd.data.inode_gid" + }, + { + "field": "auditd.data.inode_uid" + }, + { + "field": "auditd.data.invalid_context" + }, + { + "field": "auditd.data.ioctlcmd" + }, + { + "field": "auditd.data.ip" + }, + { + "field": "auditd.data.ipid" + }, + { + "field": "auditd.data.ipx-net" + }, + { + "field": "auditd.data.items" + }, + { + 
"field": "auditd.data.iuid" + }, + { + "field": "auditd.data.kernel" + }, + { + "field": "auditd.data.kind" + }, + { + "field": "auditd.data.ksize" + }, + { + "field": "auditd.data.laddr" + }, + { + "field": "auditd.data.len" + }, + { + "field": "auditd.data.list" + }, + { + "field": "auditd.data.lport" + } + ], + "aggregations": { + "dns_count": { + "cardinality": { + "field": "dns.question.registered_domain" + } + }, + "dns_name_query_count": { + "terms": { + "field": "dns.question.registered_domain", + "size": 1000000 + }, + "aggs": { + "bucket_sort": { + "bucket_sort": { + "sort": [ + { + "unique_domains": { + "order": "desc" + } + }, + { + "_key": { + "order": "asc" + } + } + ], + "from": 0, + "size": 10 + } + }, + "unique_domains": { + "cardinality": { + "field": "dns.question.name" + } + }, + "dns_bytes_in": { + "sum": { + "field": "source.bytes" + } + }, + "dns_bytes_out": { + "sum": { + "field": "destination.bytes" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ], + "must_not": [ + { + "term": { + "dns.question.type": { + "value": "PTR" + } + } + } + ] + } + } + } + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/8.json b/elastic/security/workflows-logsdb/network/8.json new file mode 100644 index 000000000..a5eaad2af --- /dev/null +++ b/elastic/security/workflows-logsdb/network/8.json 
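Review bot: In request 7.2 the `dns_name_query_count` terms aggregation asks for `"size": 1000000` and only afterwards trims to 10 via `bucket_sort`, so the coordinating node must materialise one bucket per distinct `dns.question.registered_domain` in the time range before trimming; on a corpus with more distinct registered domains than `search.max_buckets` (65,536 by default) this request can fail with `too_many_buckets_exception` instead of returning a result, which the benchmark would presumably count as an error rather than a latency. If this mirrors what Kibana actually sends, it is worth saying so in the folder README so the memory cost and the `search.max_buckets` dependency are understood when sizing the corpus, e.g. `Step 7 (DNS) replays a terms aggregation with size 1000000 + bucket_sort; it requires search.max_buckets to exceed the number of distinct dns.question.registered_domain values.` The ~100-entry `docvalue_fields` list in both requests has no effect on the response because `size` is 0, so it only adds request-parsing and field-resolution work; keep it only if the intent is to replay Kibana byte-for-byte. The file also ends without a trailing newline, as do 8.json and 9.json, which makes future diffs noisier.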
@@ -0,0 +1,100 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `HTTP` sub-tab", + "requests": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.18767699999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 8.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true", + "size": "0" + }, + "body": { + "aggregations": { + "http_count": { + "cardinality": { + "field": "url.path" + } + }, + "url": { + "terms": { + "field": "url.path", + "size": 10, + "order": { + "_count": "desc" + } + }, + "aggs": { + "methods": { + "terms": { + "field": "http.request.method", + "size": 4 + } + }, + "domains": { + "terms": { + "field": "url.domain", + "size": 4 + } + }, + "status": { + "terms": { + "field": "http.response.status_code", + "size": 4 + } + }, + "source": { + "top_hits": { + "size": 1, + "_source": { + "includes": [ + "host.name", + "source.ip" + ] + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + }, + { + "exists": { + "field": "http.request.method" + } + } + ] + } + } + } + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/9.json b/elastic/security/workflows-logsdb/network/9.json new file mode 100644 index 000000000..62454dd4f --- /dev/null +++ b/elastic/security/workflows-logsdb/network/9.json 
@@ -0,0 +1,86 @@ +{ + "name": "/app/security/*?{query}", + "id": "Open `TLS` sub-tab", + "requests": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.181845 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - network - 9.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggs": { + "count": { + "cardinality": { + "field": "tls.server.hash.sha1" + } + }, + "sha1": { + "terms": { + "field": "tls.server.hash.sha1", + "size": 10, + "order": { + "_key": "desc" + } + }, + "aggs": { + "issuers": { + "terms": { + "field": "tls.server.issuer" + } + }, + "subjects": { + "terms": { + "field": "tls.server.subject" + } + }, + "not_after": { + "terms": { + "field": "tls.server.not_after" + } + }, + "ja3": { + "terms": { + "field": "tls.client.ja3" + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/network/README.md b/elastic/security/workflows-logsdb/network/README.md new file mode 100644 index 000000000..75988b40a --- /dev/null +++ b/elastic/security/workflows-logsdb/network/README.md 
@@ -0,0 +1,14 @@ +This workflow represents a user using the Network dashboard from the Security application in Kibana. +Specifically this involves executing the following steps: + +1. Opening the `Network` dashboard with a timespan set to `Today` +2. Set the time range to `now-24hr` to `now` +3. Set the time range to `now-8hr` to `now` +4. Set the time range to `now-1hr` to `now` +5. Select an IP to open details +6. Select the `Network` breadcrumb to return to dashboard +7. Open `DNS` sub-tab +8. Open `HTTP` sub-tab +9. Open `TLS` sub-tab +10. Open `Anomalies` sub-tab +11. Open `External alerts` sub-tab diff --git a/elastic/security/workflows-logsdb/overview/1.json b/elastic/security/workflows-logsdb/overview/1.json new file mode 100644 index 000000000..7f6e9cb02 --- /dev/null +++ b/elastic/security/workflows-logsdb/overview/1.json 
@@ -0,0 +1,1436 @@ +{ + "name": "/app/security/*?{query}", + "id": "Opening the `Overview` dashboard with a timespan set to `Today`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.328896 + }, + { + "name": "Elasticsearch: POST //_async_search - overview - 1a.1", + "operation-type": "search", + "index": "_async_search", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.dataset", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "2699999ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643950800000, + "max": 1644037199999 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.329581 + }, + { + "name": "Elasticsearch: POST /filebeat-*/_async_search - overview - 1a.2", + "operation-type": "search", + "index": "filebeat-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.dataset", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "51552584970ms", + "min_doc_count": 0, + "extended_bounds": { + 
"min": 0, + "max": 1649682719049 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.type": "indicator" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "1970-01-01T00:00:00.000Z", + "lte": "2022-04-11T13:11:59.049Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.33012 + }, + { + "name": "Elasticsearch: POST //_async_search - overview - 1a.3", + "operation-type": "search", + "index": "_async_search", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "2699999ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643950800000, + "max": 1644037199999 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.330659 + }, + { + "name": "Elasticsearch: POST //_async_search - overview - 1a.4", + "operation-type": "search", + "index": 
"_async_search", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "auditd_count": { + "filter": { + "term": { + "event.module": "auditd" + } + } + }, + "endgame_module": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.module": "endpoint" + } + }, + { + "term": { + "event.module": "endgame" + } + } + ] + } + }, + "aggs": { + "dns_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "network.protocol": "dns" + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "dns_event" + } + } + ] + } + } + }, + "file_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "endgame.event_type_full": "file_event" + } + } + ] + } + } + }, + "image_load_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "term": { + "event.category": "library" + } + }, + { + "term": { + "event.category": "driver" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "image_load_event" + } + } + ] + } + } + }, + "network_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "bool": { + "must_not": { + "term": { + "network.protocol": "dns" + } + } + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "network_event" + } + } + ] + } + } + }, + "process_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "endgame.event_type_full": "process_event" + } + } + ] + } + } + }, + "registry_event": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "registry" + } + }, + { + "term": { + "endgame.event_type_full": 
"registry_event" + } + } + ] + } + } + }, + "security_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "event.category": "session" + } + }, + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "security_event" + } + } + ] + } + } + } + } + }, + "fim_count": { + "filter": { + "term": { + "event.module": "file_integrity" + } + } + }, + "winlog_module": { + "filter": { + "term": { + "agent.type": "winlogbeat" + } + }, + "aggs": { + "mwsysmon_operational_event_count": { + "filter": { + "term": { + "winlog.channel": "Microsoft-Windows-Sysmon/Operational" + } + } + }, + "security_event_count": { + "filter": { + "term": { + "winlog.channel": "Security" + } + } + } + } + }, + "system_module": { + "filter": { + "term": { + "event.module": "system" + } + }, + "aggs": { + "login_count": { + "filter": { + "term": { + "event.dataset": "login" + } + } + }, + "package_count": { + "filter": { + "term": { + "event.dataset": "package" + } + } + }, + "process_count": { + "filter": { + "term": { + "event.dataset": "process" + } + } + }, + "user_count": { + "filter": { + "term": { + "event.dataset": "user" + } + } + }, + "filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.331714 + }, + { + "name": "Elasticsearch: POST //_async_search - overview - 
1a.5", + "operation-type": "search", + "index": "_async_search", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_count": { + "filter": { + "term": { + "type": "flow" + } + } + }, + "unique_dns_count": { + "filter": { + "term": { + "type": "dns" + } + } + }, + "unique_suricata_count": { + "filter": { + "term": { + "service.type": "suricata" + } + } + }, + "unique_zeek_count": { + "filter": { + "term": { + "service.type": "zeek" + } + } + }, + "unique_socket_count": { + "filter": { + "term": { + "event.dataset": "socket" + } + } + }, + "unique_filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + }, + "aggs": { + "unique_netflow_count": { + "filter": { + "term": { + "input.type": "netflow" + } + } + }, + "unique_panw_count": { + "filter": { + "term": { + "event.module": "panw" + } + } + }, + "unique_cisco_count": { + "filter": { + "term": { + "event.module": "cisco" + } + } + } + } + }, + "unique_packetbeat_count": { + "filter": { + "term": { + "agent.type": "packetbeat" + } + }, + "aggs": { + "unique_tls_count": { + "filter": { + "term": { + "network.protocol": "tls" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] + }, + { + "stream": [ 
+ { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.201754 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 1b.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "2699999ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643950800000, + "max": 1644037199999 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.202743 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 1b.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + 
"field": "event.dataset", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "2699999ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643950800000, + "max": 1644037199999 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.203256 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 1b.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "auditd_count": { + "filter": { + "term": { + "event.module": "auditd" + } + } + }, + "endgame_module": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.module": "endpoint" + } + }, + { + "term": { + "event.module": "endgame" + } + } + ] + } + }, + "aggs": { + "dns_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "network.protocol": "dns" + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "dns_event" + } + } + ] + } + } + }, + "file_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "endgame.event_type_full": "file_event" + } + } + ] + } + } + }, + 
"image_load_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "term": { + "event.category": "library" + } + }, + { + "term": { + "event.category": "driver" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "image_load_event" + } + } + ] + } + } + }, + "network_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "bool": { + "must_not": { + "term": { + "network.protocol": "dns" + } + } + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "network_event" + } + } + ] + } + } + }, + "process_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "endgame.event_type_full": "process_event" + } + } + ] + } + } + }, + "registry_event": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "registry" + } + }, + { + "term": { + "endgame.event_type_full": "registry_event" + } + } + ] + } + } + }, + "security_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "event.category": "session" + } + }, + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "security_event" + } + } + ] + } + } + } + } + }, + "fim_count": { + "filter": { + "term": { + "event.module": "file_integrity" + } + } + }, + "winlog_module": { + "filter": { + "term": { + "agent.type": "winlogbeat" + } + }, + "aggs": { + "mwsysmon_operational_event_count": { + "filter": { + "term": { + "winlog.channel": "Microsoft-Windows-Sysmon/Operational" + } + } + }, + "security_event_count": { + "filter": { + "term": { + "winlog.channel": "Security" + } + } + } + } + }, + "system_module": { + "filter": { + "term": { + "event.module": "system" + } + }, + "aggs": { + "login_count": { + "filter": { + "term": { + "event.dataset": "login" + } + } + }, + 
"package_count": { + "filter": { + "term": { + "event.dataset": "package" + } + } + }, + "process_count": { + "filter": { + "term": { + "event.dataset": "process" + } + } + }, + "user_count": { + "filter": { + "term": { + "event.dataset": "user" + } + } + }, + "filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.203638 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 1b.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_count": { + "filter": { + "term": { + "type": "flow" + } + } + }, + "unique_dns_count": { + "filter": { + "term": { + "type": "dns" + } + } + }, + "unique_suricata_count": { + "filter": { + "term": { + "service.type": "suricata" + } + } + }, + "unique_zeek_count": { + "filter": { + "term": { + "service.type": "zeek" + } + } + }, + "unique_socket_count": { + "filter": { + "term": { + "event.dataset": "socket" + } + } + }, + "unique_filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + }, + "aggs": { + "unique_netflow_count": { + "filter": { + 
"term": { + "input.type": "netflow" + } + } + }, + "unique_panw_count": { + "filter": { + "term": { + "event.module": "panw" + } + } + }, + "unique_cisco_count": { + "filter": { + "term": { + "event.module": "cisco" + } + } + } + } + }, + "unique_packetbeat_count": { + "filter": { + "term": { + "agent.type": "packetbeat" + } + }, + "aggs": { + "unique_tls_count": { + "filter": { + "term": { + "network.protocol": "tls" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T05:00:00.000Z", + "lte": "2022-02-05T04:59:59.999Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/overview/2.json b/elastic/security/workflows-logsdb/overview/2.json new file mode 100644 index 000000000..ce833b140 --- /dev/null +++ b/elastic/security/workflows-logsdb/overview/2.json 
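Review bot: Requests 1a.1, 1a.3, 1a.4 and 1a.5 set `"index": "_async_search"` (their names read `POST //_async_search`, i.e. an empty index segment captured at recording time), so unlike the 1b.* requests they do not target `auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*`; with `allow_no_indices` and `ignore_unavailable` both `"true"` they will most likely resolve to no data, or fail to route at all, and return empty aggregations that understate the overview workload. If that is not intended, each of those four requests should use the same pattern as the 1b.* requests: `"index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*",`. Request 1a.2 is also the odd one out, with a `1970-01-01T00:00:00.000Z` to `2022-04-11T13:11:59.049Z` window and a `51552584970ms` histogram interval while every other request in the file is bounded to `2022-02-04`/`2022-02-05`, which looks like a different recording session and is worth confirming before it is benchmarked as part of this step.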
@@ -0,0 +1,679 @@ +{ + "name": "POST /api/detection_engine/signals/search", + "id": "Set the time range to `now-24hr` to `now`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.17430199999999998 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 2.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "2700000ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643904000000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.175039 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 2.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": 
"64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.dataset", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "2700000ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643904000000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.175417 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 2.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "auditd_count": { + "filter": { + "term": { + "event.module": "auditd" + } + } + }, + "endgame_module": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.module": "endpoint" + } + }, + { + "term": { + "event.module": "endgame" + } + } + ] + } + }, + "aggs": { + "dns_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "network.protocol": "dns" + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "dns_event" + } + } + ] + } + } + }, + "file_event_count": { + "filter": { + 
"bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "endgame.event_type_full": "file_event" + } + } + ] + } + } + }, + "image_load_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "term": { + "event.category": "library" + } + }, + { + "term": { + "event.category": "driver" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "image_load_event" + } + } + ] + } + } + }, + "network_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "bool": { + "must_not": { + "term": { + "network.protocol": "dns" + } + } + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "network_event" + } + } + ] + } + } + }, + "process_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "endgame.event_type_full": "process_event" + } + } + ] + } + } + }, + "registry_event": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "registry" + } + }, + { + "term": { + "endgame.event_type_full": "registry_event" + } + } + ] + } + } + }, + "security_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "event.category": "session" + } + }, + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "security_event" + } + } + ] + } + } + } + } + }, + "fim_count": { + "filter": { + "term": { + "event.module": "file_integrity" + } + } + }, + "winlog_module": { + "filter": { + "term": { + "agent.type": "winlogbeat" + } + }, + "aggs": { + "mwsysmon_operational_event_count": { + "filter": { + "term": { + "winlog.channel": "Microsoft-Windows-Sysmon/Operational" + } + } + }, + "security_event_count": { + "filter": { + "term": { + "winlog.channel": "Security" + } + } + } + } + }, + "system_module": { + 
"filter": { + "term": { + "event.module": "system" + } + }, + "aggs": { + "login_count": { + "filter": { + "term": { + "event.dataset": "login" + } + } + }, + "package_count": { + "filter": { + "term": { + "event.dataset": "package" + } + } + }, + "process_count": { + "filter": { + "term": { + "event.dataset": "process" + } + } + }, + "user_count": { + "filter": { + "term": { + "event.dataset": "user" + } + } + }, + "filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.175824 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 2.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_count": { + "filter": { + "term": { + "type": "flow" + } + } + }, + "unique_dns_count": { + "filter": { + "term": { + "type": "dns" + } + } + }, + "unique_suricata_count": { + "filter": { + "term": { + "service.type": "suricata" + } + } + }, + "unique_zeek_count": { + "filter": { + "term": { + "service.type": "zeek" + } + } + }, + "unique_socket_count": { + "filter": { + "term": { + "event.dataset": "socket" + } + } 
+ }, + "unique_filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + }, + "aggs": { + "unique_netflow_count": { + "filter": { + "term": { + "input.type": "netflow" + } + } + }, + "unique_panw_count": { + "filter": { + "term": { + "event.module": "panw" + } + } + }, + "unique_cisco_count": { + "filter": { + "term": { + "event.module": "cisco" + } + } + } + } + }, + "unique_packetbeat_count": { + "filter": { + "term": { + "agent.type": "packetbeat" + } + }, + "aggs": { + "unique_tls_count": { + "filter": { + "term": { + "network.protocol": "tls" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-03T16:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/overview/3.json b/elastic/security/workflows-logsdb/overview/3.json new file mode 100644 index 000000000..f3d670c86 --- /dev/null +++ b/elastic/security/workflows-logsdb/overview/3.json 
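Review bot: The sleep duration `0.17430199999999998` on the first request is a float round-trip artifact rather than a recorded value; the rest of the file writes six-decimal durations (`0.175039`, `0.175417`, `0.175824`), so `"duration": 0.174302` keeps the recording consistent and stops implying a precision the sleep cannot deliver.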
@@ -0,0 +1,679 @@ +{ + "name": "POST /api/detection_engine/signals/search", + "id": "Set the time range to `now-8hr` to `now`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.195686 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 3.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "900000ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643961600000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.19619 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 3.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + 
"ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.dataset", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "900000ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643961600000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.196509 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 3.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "auditd_count": { + "filter": { + "term": { + "event.module": "auditd" + } + } + }, + "endgame_module": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.module": "endpoint" + } + }, + { + "term": { + "event.module": "endgame" + } + } + ] + } + }, + "aggs": { + "dns_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "network.protocol": "dns" + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "dns_event" + } + } + ] + } + } + }, + "file_event_count": { + "filter": { + "bool": { 
+ "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "endgame.event_type_full": "file_event" + } + } + ] + } + } + }, + "image_load_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "term": { + "event.category": "library" + } + }, + { + "term": { + "event.category": "driver" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "image_load_event" + } + } + ] + } + } + }, + "network_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "bool": { + "must_not": { + "term": { + "network.protocol": "dns" + } + } + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "network_event" + } + } + ] + } + } + }, + "process_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "endgame.event_type_full": "process_event" + } + } + ] + } + } + }, + "registry_event": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "registry" + } + }, + { + "term": { + "endgame.event_type_full": "registry_event" + } + } + ] + } + } + }, + "security_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "event.category": "session" + } + }, + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "security_event" + } + } + ] + } + } + } + } + }, + "fim_count": { + "filter": { + "term": { + "event.module": "file_integrity" + } + } + }, + "winlog_module": { + "filter": { + "term": { + "agent.type": "winlogbeat" + } + }, + "aggs": { + "mwsysmon_operational_event_count": { + "filter": { + "term": { + "winlog.channel": "Microsoft-Windows-Sysmon/Operational" + } + } + }, + "security_event_count": { + "filter": { + "term": { + "winlog.channel": "Security" + } + } + } + } + }, + "system_module": { + "filter": { 
+ "term": { + "event.module": "system" + } + }, + "aggs": { + "login_count": { + "filter": { + "term": { + "event.dataset": "login" + } + } + }, + "package_count": { + "filter": { + "term": { + "event.dataset": "package" + } + } + }, + "process_count": { + "filter": { + "term": { + "event.dataset": "process" + } + } + }, + "user_count": { + "filter": { + "term": { + "event.dataset": "user" + } + } + }, + "filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 0.196795 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 3.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_count": { + "filter": { + "term": { + "type": "flow" + } + } + }, + "unique_dns_count": { + "filter": { + "term": { + "type": "dns" + } + } + }, + "unique_suricata_count": { + "filter": { + "term": { + "service.type": "suricata" + } + } + }, + "unique_zeek_count": { + "filter": { + "term": { + "service.type": "zeek" + } + } + }, + "unique_socket_count": { + "filter": { + "term": { + "event.dataset": "socket" + } + } + }, + 
"unique_filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + }, + "aggs": { + "unique_netflow_count": { + "filter": { + "term": { + "input.type": "netflow" + } + } + }, + "unique_panw_count": { + "filter": { + "term": { + "event.module": "panw" + } + } + }, + "unique_cisco_count": { + "filter": { + "term": { + "event.module": "cisco" + } + } + } + } + }, + "unique_packetbeat_count": { + "filter": { + "term": { + "agent.type": "packetbeat" + } + }, + "aggs": { + "unique_tls_count": { + "filter": { + "term": { + "network.protocol": "tls" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T08:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/overview/4.json b/elastic/security/workflows-logsdb/overview/4.json new file mode 100644 index 000000000..1154b66aa --- /dev/null +++ b/elastic/security/workflows-logsdb/overview/4.json 
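Review bot: Nothing in the new workflows-logsdb/overview/3.json (and 4.json, next hunk) is logsdb-specific — every operation visible here is an `_async_search` over plain ECS fields (`event.module`, `event.category`, `@timestamp`, `agent.type`) with the same index pattern and request-params as the non-logsdb workflows — so these appear to be wholesale copies of the existing workflows/overview files, and two parallel trees will drift the next time a query is tuned. If the logsdb variant differs only in a few operations elsewhere, a line in the folder's README stating which workflows and operations differ from workflows/ (and why, e.g. the dropped `copy_to: message` in the metricbeat template) would give maintainers a way to keep the two in sync. Both new files also end with `\ No newline at end of file`; adding the trailing newline keeps them consistent with the rest of the track's JSON and avoids noisy diffs later.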
@@ -0,0 +1,679 @@ +{ + "name": "POST /api/detection_engine/signals/search", + "id": "Set the time range to `now-1hr` to `now`", + "requests": [ + { + "stream": [ + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 1.139176 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 4.1", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "alertsGroup": { + "terms": { + "field": "event.module", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "alerts": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match": { + "event.kind": "alert" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 1.13965 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 4.2", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + 
"ignore_unavailable": "true", + "track_total_hits": "true", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "eventActionGroup": { + "terms": { + "field": "event.dataset", + "missing": "All others", + "order": { + "_count": "desc" + }, + "size": 10 + }, + "aggs": { + "events": { + "date_histogram": { + "field": "@timestamp", + "fixed_interval": "112500ms", + "min_doc_count": 0, + "extended_bounds": { + "min": 1643986800000, + "max": 1643990400000 + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 1.140066 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 4.3", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "auditd_count": { + "filter": { + "term": { + "event.module": "auditd" + } + } + }, + "endgame_module": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.module": "endpoint" + } + }, + { + "term": { + "event.module": "endgame" + } + } + ] + } + }, + "aggs": { + "dns_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "network.protocol": "dns" + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "dns_event" + } + } + ] + } + } + }, + "file_event_count": { + "filter": { + "bool": { 
+ "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "endgame.event_type_full": "file_event" + } + } + ] + } + } + }, + "image_load_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "term": { + "event.category": "library" + } + }, + { + "term": { + "event.category": "driver" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "image_load_event" + } + } + ] + } + } + }, + "network_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "bool": { + "must_not": { + "term": { + "network.protocol": "dns" + } + } + } + }, + { + "term": { + "event.category": "network" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "network_event" + } + } + ] + } + } + }, + "process_event_count": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "endgame.event_type_full": "process_event" + } + } + ] + } + } + }, + "registry_event": { + "filter": { + "bool": { + "should": [ + { + "term": { + "event.category": "registry" + } + }, + { + "term": { + "endgame.event_type_full": "registry_event" + } + } + ] + } + } + }, + "security_event_count": { + "filter": { + "bool": { + "should": [ + { + "bool": { + "filter": [ + { + "term": { + "event.category": "session" + } + }, + { + "term": { + "event.category": "authentication" + } + } + ] + } + }, + { + "term": { + "endgame.event_type_full": "security_event" + } + } + ] + } + } + } + } + }, + "fim_count": { + "filter": { + "term": { + "event.module": "file_integrity" + } + } + }, + "winlog_module": { + "filter": { + "term": { + "agent.type": "winlogbeat" + } + }, + "aggs": { + "mwsysmon_operational_event_count": { + "filter": { + "term": { + "winlog.channel": "Microsoft-Windows-Sysmon/Operational" + } + } + }, + "security_event_count": { + "filter": { + "term": { + "winlog.channel": "Security" + } + } + } + } + }, + "system_module": { + "filter": { 
+ "term": { + "event.module": "system" + } + }, + "aggs": { + "login_count": { + "filter": { + "term": { + "event.dataset": "login" + } + } + }, + "package_count": { + "filter": { + "term": { + "event.dataset": "package" + } + } + }, + "process_count": { + "filter": { + "term": { + "event.dataset": "process" + } + } + }, + "user_count": { + "filter": { + "term": { + "event.dataset": "user" + } + } + }, + "filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "host.name" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + }, + { + "stream": [ + { + "name": "sleep", + "operation-type": "sleep", + "duration": 1.140426 + }, + { + "name": "Elasticsearch: POST /auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*/_async_search - overview - 4.4", + "operation-type": "search", + "index": "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,-*elastic-cloud-logs-*", + "request-params": { + "batched_reduce_size": "64", + "ignore_unavailable": "true", + "track_total_hits": "false", + "allow_no_indices": "true" + }, + "body": { + "aggregations": { + "unique_flow_count": { + "filter": { + "term": { + "type": "flow" + } + } + }, + "unique_dns_count": { + "filter": { + "term": { + "type": "dns" + } + } + }, + "unique_suricata_count": { + "filter": { + "term": { + "service.type": "suricata" + } + } + }, + "unique_zeek_count": { + "filter": { + "term": { + "service.type": "zeek" + } + } + }, + "unique_socket_count": { + "filter": { + "term": { + "event.dataset": "socket" + } + } + }, + 
"unique_filebeat_count": { + "filter": { + "term": { + "agent.type": "filebeat" + } + }, + "aggs": { + "unique_netflow_count": { + "filter": { + "term": { + "input.type": "netflow" + } + } + }, + "unique_panw_count": { + "filter": { + "term": { + "event.module": "panw" + } + } + }, + "unique_cisco_count": { + "filter": { + "term": { + "event.module": "cisco" + } + } + } + } + }, + "unique_packetbeat_count": { + "filter": { + "term": { + "agent.type": "packetbeat" + } + }, + "aggs": { + "unique_tls_count": { + "filter": { + "term": { + "network.protocol": "tls" + } + } + } + } + } + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "must": [], + "filter": [ + { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "bool": { + "should": [ + { + "exists": { + "field": "source.ip" + } + } + ], + "minimum_should_match": 1 + } + }, + { + "bool": { + "should": [ + { + "exists": { + "field": "destination.ip" + } + } + ], + "minimum_should_match": 1 + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + ], + "should": [], + "must_not": [] + } + }, + { + "range": { + "@timestamp": { + "gte": "2022-02-04T15:00:00.000Z", + "lte": "2022-02-04T16:00:00.000Z", + "format": "strict_date_optional_time" + } + } + } + ] + } + }, + "size": 0 + } + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/elastic/security/workflows-logsdb/overview/README.md b/elastic/security/workflows-logsdb/overview/README.md new file mode 100644 index 000000000..c4a0774df --- /dev/null +++ b/elastic/security/workflows-logsdb/overview/README.md @@ -0,0 +1,8 @@ +This workflow represents a user using the Overview dashboard from the Security application in Kibana. +Specifically this involves executing the following steps: + +1. Opening the `Overview` dashboard with a timespan set to `Today` +2. Set the time range to `now-24hr` to `now` +3. Set the time range to `now-8hr` to `now` +4. Set the time range to `now-1hr` to `now` + 
diff --git a/it/test_security.py b/it/test_security.py index 9ab6da81e..1b403c9ab 100644 --- a/it/test_security.py +++ b/it/test_security.py @@ -16,6 +16,7 @@ # under the License. import pytest +import requests pytest_rally = pytest.importorskip("pytest_rally") @@ -39,6 +40,26 @@ def test_security_indexing_querying(self, es_cluster, rally): ) assert ret == 0 + def test_security_indexing_querying_logsdb(self, es_cluster, rally): + ret = rally.race( + track="elastic/security", + challenge="security-indexing-querying", + track_params={ + "number_of_replicas": "0", + "query_warmup_time_period": "1", + "query_time_period": "1", + "workflow_time_interval": "1", + "think_time_interval": "1", + "index_mode": "logsdb", + }, + ) + assert ret == 0 + response = requests.get( + f"http://127.0.0.1:19200/.ds-metricbeat-*,.ds-packetbeat-*, .ds-auditbeat-*, .ds-filebeat-*, .ds-heartbeat-*" + ) + for index in response.json(): + assert response.json().get(index).get("settings", {}).get("index", {}).get("mode") == "logsdb" + def test_security_generate_alerts_source_events(self, es_cluster, rally): ret = rally.race(track="elastic/security", challenge="generate-alerts-source-events", track_params={"number_of_replicas": "0"}) assert ret == 0
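Review bot: The post-race check in `test_security_indexing_querying_logsdb` can pass vacuously and fails confusingly: if the GET matches no backing indices `response.json()` is `{}` and the loop asserts nothing, and if Elasticsearch returns an error document the loop iterates over `error`/`status` and raises `AttributeError` on an int rather than a clear assertion failure. The index pattern also has spaces after the commas (`, .ds-auditbeat-*`), which requests percent-encodes into the path; I would expect those three patterns to match nothing, so only the metricbeat and packetbeat indices are likely being verified. The request has no `timeout` and no `raise_for_status()`, the `f"..."` literal has no placeholders, and `response.json()` is re-parsed on every iteration; the rewrite below addresses all of these. The hard-coded `http://127.0.0.1:19200` may be fine for this harness, but if the `es_cluster` fixture exposes the endpoint it would be more robust to take it from there.
```python
        # … unchanged: rally.race(...) call with index_mode=logsdb …
        assert ret == 0
        response = requests.get(
            "http://127.0.0.1:19200/.ds-metricbeat-*,.ds-packetbeat-*,.ds-auditbeat-*,.ds-filebeat-*,.ds-heartbeat-*",
            timeout=30,
        )
        response.raise_for_status()
        indices = response.json()
        assert indices, "no backing indices matched; expected logsdb data streams after the race"
        for name, index in indices.items():
            assert index.get("settings", {}).get("index", {}).get("mode") == "logsdb", name
```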