diff --git a/README.md b/README.md index 973feaa2..fefdcd9e 100644 --- a/README.md +++ b/README.md @@ -132,12 +132,6 @@ cp ./config/example.env ./config/lme-environment.env IPVAR=127.0.0.1 #your hosts ip ``` -### OPTIONAL: setting master password -This password will be used to encrypt all service user passwords and you should make sure to keep track of it (it will also be stored in `/etc/lme/pass.sh`). -``` -sudo -i ${PWD}/scripts/password_management.sh -i -``` -You can skip this step if you would like to have the script setup the master password for you and you'll never need to touch it :) ### **Automated Install** @@ -147,13 +141,13 @@ You can run this installer to run the total install in ansible. ```bash sudo apt update && sudo apt install -y ansible # cd ~/LME-PRIV/lme-2-arch # Or path to your clone of this repo -ansible-playbook ./scripts/install_lme_local.yml +ansible-playbook ./ansible/install_lme_local.yml ``` This assumes that you have the repo in `~/LME/`. If you don't, you can pass the `CLONE_DIRECTORY` variable to the playbook. ``` -ansible-playbook ./scripts/install_lme_local.yml -e "clone_dir=/path/to/clone/directory" +ansible-playbook ./ansible/install_lme_local.yml -e "clone_dir=/path/to/clone/directory" ``` This also assumes your user can sudo without a password. If you need to input a password when you sudo, you can run it with the `-K` flag and it will prompt you for a password. @@ -268,6 +262,33 @@ sudo -i podman volume rm -a **WARNING THIS WILL DELETE EVERYTHING!!!** +### Other Post install setup: +A few other things are needed and you're all set to go. +1. setting up fleet +2. fixing a few issues with wazuh (in a future release this won't be necessary) +3. setting up custom LME dashboards +4. setting up wazuh's dashboards +5. setting up a read only user for analysts to connect and query LME's data + +Luckily we've packed this in a script for you. Before running it we want to make sure our podman containers are healthy and setup. Run the command `sudo -i podman ps --format "{{.Names}} {{.Status}}"` +```bash +lme-user@ubuntu:~/LME-TEST$ sudo -i podman ps --format "{{.Names}} {{.Status}}" +lme-elasticsearch Up 49 minutes (healthy) +lme-wazuh-manager Up 48 minutes +lme-kibana Up 36 minutes (healthy) +lme-fleet-server Up 35 minutes +``` + +If you see something like the above you're good to go to run the command: +``` +ansible-playbook ./ansible/post_install_local.yml +``` + +You'll see the following in the `/opt/lme/dashboards/elastic/` and `/opt/lme/dashboards/wazuh/` directories if dashboard installation was successful: +```bash + +``` + ## Deploying Agents: ### Deploy Wazuh Agent on client machine (Linux) @@ -321,7 +342,9 @@ USER_VAULT_DIR="/etc/lme/vault" PASSWORD_FILE="/etc/lme/pass.sh" ``` -### MANUALLY setting up passwords and accessing passwords: +### MANUALLY setting up passwords and accessing passwords **UNSUPPORTED**: +**These steps are not fully supported and are left if others would like to suppor this in their environment** + Run the password_management.sh script: ```bash lme-user@ubuntu:~/LME-TEST$ sudo -i ${PWD}/scripts/password_management.sh -h @@ -342,10 +365,10 @@ $CLONE_DIRECTORY/scripts/extract_secrets.sh -p #to print source $CLONE_DIRECTORY/scripts/extract_secrets.sh #without printing values source $CLONE_DIRECTORY/scripts/extract_secrets.sh -q #with no output -## manually: +``` +#### manually getting passwords: #where wazuh_api is the service user whose password you want: sudo -i ansible-vault view /etc/lme/vault/$(sudo -i podman secret ls | grep wazuh_api | awk '{print $1}') -``` # Documentation: diff --git a/ansible/post_install_local.yml b/ansible/post_install_local.yml new file mode 100644 index 00000000..ac4f5ed6 --- /dev/null +++ b/ansible/post_install_local.yml @@ -0,0 +1,923 @@ +--- + +- name: Set up Fleet + hosts: localhost + become: yes + gather_facts: no + + vars: + headers: + kbn-version: "8.12.2" + kbn-xsrf: "kibana" + Content-Type: "application/json" + max_retries: 60 + delay_seconds: 10 + debug_mode: false + installed_file: "/opt/lme/FLEET_SETUP_FINISHED" + + tasks: + - name: Check if INSTALLED file exists + stat: + path: "{{ installed_file }}" + register: installed_file_check + + - name: Exit cleanly if INSTALLED file exists + debug: + msg: "The INSTALLED file exists. Exiting the play cleanly." + when: installed_file_check.stat.exists + + - name: End play if INSTALLED file exists + meta: end_play + when: installed_file_check.stat.exists + + #SETUP + - name: Read lme-environment.env file + ansible.builtin.slurp: + src: /opt/lme/lme-environment.env + register: lme_env_content + + - name: Set environment variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | default({}) | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ (lme_env_content['content'] | b64decode).split('\n') }}" + when: item != '' and not item.startswith('#') + + - name: Display set environment variables + debug: + msg: "Set {{ item.key }}" + loop: "{{ env_dict | dict2items }}" + when: item.value | length > 0 and (not debug_mode) + + - name: Source extract_secrets + ansible.builtin.shell: | + set -a + . {{ playbook_dir }}/../scripts/extract_secrets.sh -q + echo "elastic=$elastic" + echo "wazuh=$wazuh" + echo "kibana_system=$kibana_system" + echo "wazuh_api=$wazuh_api" + args: + executable: /bin/bash + register: extract_secrets_vars + no_log: "{{ not debug_mode }}" + + - name: Set secret variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ extract_secrets_vars.stdout_lines }}" + no_log: "{{ not debug_mode }}" + + - name: Set playbook variables + ansible.builtin.set_fact: + ipvar: "{{ env_dict.IPVAR | default('') }}" + local_kbn_url: "{{ env_dict.LOCAL_KBN_URL | default('') }}" + local_es_url: "{{ env_dict.LOCAL_ES_URL | default('') }}" + stack_version: "{{ env_dict.STACK_VERSION | default('') }}" + cluster_name: "{{ env_dict.CLUSTER_NAME | default('') }}" + elastic_username: "{{ env_dict.ELASTIC_USERNAME | default('') }}" + elasticsearch_username: "{{ env_dict.ELASTICSEARCH_USERNAME | default('') }}" + kibana_fleet_username: "{{ env_dict.KIBANA_FLEET_USERNAME | default('') }}" + indexer_username: "{{ env_dict.INDEXER_USERNAME | default('') }}" + api_username: "{{ env_dict.API_USERNAME | default('') }}" + license: "{{ env_dict.LICENSE | default('') }}" + es_port: "{{ env_dict.ES_PORT | default('') }}" + kibana_port: "{{ env_dict.KIBANA_PORT | default('') }}" + fleet_port: "{{ env_dict.FLEET_PORT | default('') }}" + mem_limit: "{{ env_dict.MEM_LIMIT | default('') }}" + elastic_password: "{{ env_dict.elastic | default('') }}" + wazuh_password: "{{ env_dict.wazuh | default('') }}" + kibana_system_password: "{{ env_dict.kibana_system | default('') }}" + wazuh_api_password: "{{ env_dict.wazuh_api | default('') }}" + + - name: Debug - Display set variables (sensitive information redacted) + debug: + msg: + - "ipvar: {{ ipvar }}" + - "local_kbn_url: {{ local_kbn_url }}" + - "local_es_url: {{ local_es_url }}" + - "elastic_username: {{ elastic_username }}" + - "stack_version: {{ stack_version }}" + - "cluster_name: {{ cluster_name }}" + - "elasticsearch_username: {{ elasticsearch_username }}" + - "kibana_fleet_username: {{ kibana_fleet_username }}" + - "indexer_username: {{ indexer_username }}" + - "api_username: {{ api_username }}" + - "license: {{ license }}" + - "es_port: {{ es_port }}" + - "kibana_port: {{ kibana_port }}" + - "fleet_port: {{ fleet_port }}" + - "mem_limit: {{ mem_limit }}" + - "elastic password is set: {{ elastic_password | length > 0 }}" + - "wazuh password is set: {{ wazuh_password | length > 0 }}" + - "kibana_system password is set: {{ kibana_system_password | length > 0 }}" + - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}" + when: debug_mode | bool + #SETUP + + - name: Wait for Kibana port to be available + wait_for: + host: "{{ ipvar }}" + port: "{{ kibana_port | int }}" + timeout: 300 + register: kibana_port_check + + - name: Wait for Fleet API to be ready + ansible.builtin.shell: | + attempt=0 + max_attempts=30 + delay=10 + while [ $attempt -lt $max_attempts ]; do + response=$(curl -s -o /dev/null -w "%{http_code}" -k -u elastic:{{ elastic_password }} {{ local_kbn_url }}/api/fleet/agents/setup) + if [ "$response" = "200" ]; then + echo "Fleet API is ready. Proceeding with configuration..." + exit 0 + fi + echo "Waiting for Fleet API to be ready..." + sleep $delay + attempt=$((attempt+1)) + done + echo "Fleet API did not become ready within the expected time." + exit 1 + register: fleet_api_check + changed_when: false + no_log: "{{ not debug_mode }}" + + - name: Display Fleet API check result + debug: + var: fleet_api_check.stdout_lines + + - name: Confirm Fleet API is ready + debug: + msg: "Fleet API is ready" + when: "'Fleet API is ready' in fleet_api_check.stdout" + + - name: Fail if Fleet API is not ready + fail: + msg: "Fleet API did not become ready within the expected time." + when: "'Fleet API is ready' not in fleet_api_check.stdout" + + - name: Get CA fingerprint + ansible.builtin.shell: | + sudo bash -c ' + set -a + . {{ playbook_dir }}/../scripts/extract_secrets.sh -q + set +a + /nix/var/nix/profiles/default/bin/podman exec -w /usr/share/elasticsearch/config/certs/ca lme-elasticsearch cat ca.crt | openssl x509 -noout -fingerprint -sha256 | cut -d "=" -f 2 | tr -d : | head -n1 + ' + register: ca_fingerprint + changed_when: false + become: yes + become_method: sudo + no_log: "{{ not debug_mode }}" + + - name: Display CA fingerprint + debug: + var: ca_fingerprint.stdout + when: + - ca_fingerprint is defined + - ca_fingerprint.stdout is defined + - debug_mode | bool + + - name: Set Fleet server hosts + uri: + url: "{{ local_kbn_url }}/api/fleet/settings" + method: PUT + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + body_format: json + body: + fleet_server_hosts: ["https://{{ ipvar }}:{{ fleet_port }}"] + register: fleet_server_hosts_result + no_log: "{{ not debug_mode }}" + ignore_errors: yes + + - name: Debug Fleet server hosts result + debug: + var: fleet_server_hosts_result + when: fleet_server_hosts_result is defined and debug_mode | bool + + - name: Set Fleet default output hosts + uri: + url: "{{ local_kbn_url }}/api/fleet/outputs/fleet-default-output" + method: PUT + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + body_format: json + body: + hosts: ["https://{{ ipvar }}:9200"] + register: fleet_output_hosts_result + no_log: "{{ not debug_mode }}" + ignore_errors: yes + + - name: Debug Fleet default output hosts result + debug: + var: fleet_output_hosts_result + when: fleet_output_hosts_result is defined + + - name: Set Fleet default output CA trusted fingerprint + uri: + url: "{{ local_kbn_url }}/api/fleet/outputs/fleet-default-output" + method: PUT + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + body_format: json + body: + ca_trusted_fingerprint: "{{ ca_fingerprint.stdout }}" + register: fleet_output_fingerprint_result + no_log: "{{ not debug_mode }}" + + - name: Set Fleet default output SSL verification mode + uri: + url: "{{ local_kbn_url }}/api/fleet/outputs/fleet-default-output" + method: PUT + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + body_format: json + body: + config_yaml: "ssl.verification_mode: certificate" + register: fleet_output_ssl_result + no_log: "{{ not debug_mode }}" + + - name: Create Endpoint Policy + uri: + url: "{{ local_kbn_url }}/api/fleet/agent_policies?sys_monitoring=true" + method: POST + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + body_format: json + body: + name: "Endpoint Policy" + description: "" + namespace: "default" + monitoring_enabled: ["logs", "metrics"] + inactivity_timeout: 1209600 + timeout: 600 + register: endpoint_policy_result + no_log: "{{ not debug_mode }}" + + - name: Get Endpoint package version + uri: + url: "{{ local_kbn_url }}/api/fleet/epm/packages/endpoint" + method: GET + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + register: endpoint_package_result + no_log: "{{ not debug_mode }}" + + - name: Create Elastic Defend package policy + uri: + url: "{{ local_kbn_url }}/api/fleet/package_policies" + method: POST + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + headers: "{{ headers }}" + body_format: json + timeout: 600 + body: + name: "Elastic Defend" + description: "" + namespace: "default" + policy_id: "{{ endpoint_policy_result.json.item.id }}" + enabled: true + inputs: + - enabled: true + streams: [] + type: "ENDPOINT_INTEGRATION_CONFIG" + config: + _config: + value: + type: "endpoint" + endpointConfig: + preset: "EDRComplete" + package: + name: "endpoint" + title: "Elastic Defend" + version: "{{ endpoint_package_result.json.item.version }}" + register: elastic_defend_policy_result + no_log: "{{ not debug_mode }}" + + - name: Display results + debug: + var: "{{ item }}" + loop: + - fleet_server_hosts_result + - fleet_output_hosts_result + - fleet_output_fingerprint_result + - fleet_output_ssl_result + - endpoint_policy_result + - elastic_defend_policy_result + + - name: Create INSTALLED file + file: + path: "{{ installed_file }}" + state: touch + when: not installed_file_check.stat.exists + +- name: Install LME Dashboards + hosts: localhost + become: yes + gather_facts: no + + vars: + max_retries: 60 + delay_seconds: 10 + debug_mode: false + clone_directory: "{{ clone_dir | default('~/LME') }}" + dashboards_path: "/opt/lme/dashboards/elastic/*.ndjson" + kibana_url: "https://127.0.0.1:5601/api/saved_objects/_import?overwrite=true" + install_user: "root" + installed_file: "/opt/lme/dashboards/elastic/INSTALLED" + + + #TODO: have a task that creates dashboard_update user for later dashboard runs + tasks: + - name: Check if INSTALLED file exists + stat: + path: "{{ installed_file }}" + register: installed_file_check + + - name: Exit cleanly if INSTALLED file exists + debug: + msg: "The INSTALLED file exists. Exiting the play cleanly." + when: installed_file_check.stat.exists + + - name: End play if INSTALLED file exists + meta: end_play + when: installed_file_check.stat.exists + + #SETUP + - name: Read lme-environment.env file + ansible.builtin.slurp: + src: /opt/lme/lme-environment.env + register: lme_env_content + + - name: Set environment variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | default({}) | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ (lme_env_content['content'] | b64decode).split('\n') }}" + when: item != '' and not item.startswith('#') + + - name: Display set environment variables + debug: + msg: "Set {{ item.key }}" + loop: "{{ env_dict | dict2items }}" + when: item.value | length > 0 and (not debug_mode) + + - name: Source extract_secrets + ansible.builtin.shell: | + set -a + . {{ playbook_dir }}/../scripts/extract_secrets.sh -q + echo "elastic=$elastic" + echo "wazuh=$wazuh" + echo "kibana_system=$kibana_system" + echo "wazuh_api=$wazuh_api" + args: + executable: /bin/bash + register: extract_secrets_vars + no_log: "{{ not debug_mode }}" + + - name: Set secret variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ extract_secrets_vars.stdout_lines }}" + no_log: "{{ not debug_mode }}" + + - name: Set playbook variables + ansible.builtin.set_fact: + ipvar: "{{ env_dict.IPVAR | default('') }}" + local_kbn_url: "{{ env_dict.LOCAL_KBN_URL | default('') }}" + local_es_url: "{{ env_dict.LOCAL_ES_URL | default('') }}" + stack_version: "{{ env_dict.STACK_VERSION | default('') }}" + cluster_name: "{{ env_dict.CLUSTER_NAME | default('') }}" + elastic_username: "{{ env_dict.ELASTIC_USERNAME | default('') }}" + elasticsearch_username: "{{ env_dict.ELASTICSEARCH_USERNAME | default('') }}" + kibana_fleet_username: "{{ env_dict.KIBANA_FLEET_USERNAME | default('') }}" + indexer_username: "{{ env_dict.INDEXER_USERNAME | default('') }}" + api_username: "{{ env_dict.API_USERNAME | default('') }}" + license: "{{ env_dict.LICENSE | default('') }}" + es_port: "{{ env_dict.ES_PORT | default('') }}" + kibana_port: "{{ env_dict.KIBANA_PORT | default('') }}" + fleet_port: "{{ env_dict.FLEET_PORT | default('') }}" + mem_limit: "{{ env_dict.MEM_LIMIT | default('') }}" + elastic_password: "{{ env_dict.elastic | default('') }}" + wazuh_password: "{{ env_dict.wazuh | default('') }}" + kibana_system_password: "{{ env_dict.kibana_system | default('') }}" + wazuh_api_password: "{{ env_dict.wazuh_api | default('') }}" + + - name: Debug - Display set variables (sensitive information redacted) + debug: + msg: + - "ipvar: {{ ipvar }}" + - "local_kbn_url: {{ local_kbn_url }}" + - "local_es_url: {{ local_es_url }}" + - "elastic_username: {{ elastic_username }}" + - "stack_version: {{ stack_version }}" + - "cluster_name: {{ cluster_name }}" + - "elasticsearch_username: {{ elasticsearch_username }}" + - "kibana_fleet_username: {{ kibana_fleet_username }}" + - "indexer_username: {{ indexer_username }}" + - "api_username: {{ api_username }}" + - "license: {{ license }}" + - "es_port: {{ es_port }}" + - "kibana_port: {{ kibana_port }}" + - "fleet_port: {{ fleet_port }}" + - "mem_limit: {{ mem_limit }}" + - "elastic password is set: {{ elastic_password | length > 0 }}" + - "wazuh password is set: {{ wazuh_password | length > 0 }}" + - "kibana_system password is set: {{ kibana_system_password | length > 0 }}" + - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}" + when: debug_mode | bool + #SETUP + + + - name: Copy dashboards files /opt/lme/dashboards + copy: + src: "{{ clone_directory }}/dashboards/" + dest: /opt/lme/dashboards/ + owner: "{{ install_user }}" + group: "{{ install_user }}" + mode: '0644' + become: yes + + - name: Get list of dashboards + find: + paths: "{{ dashboards_path | dirname }}" + patterns: "*.ndjson" + register: dashboards + + - name: Upload dashboards to Kibana + shell: 'curl -X POST -k --user "{{ elastic_username }}":"{{ elastic_password }}" -H "kbn-xsrf: true" -F file=@"{{ item }}" "{{ kibana_url }}"' + loop: "{{ dashboards.files | map(attribute='path') | list }}" + args: + warn: false + + - name: Create INSTALLED file + file: + path: "{{ installed_file }}" + state: touch + when: not installed_file_check.stat.exists + +- name: Install Wazuh Dashboards + hosts: localhost + become: yes + gather_facts: no + + vars: + max_retries: 60 + delay_seconds: 10 + debug_mode: false + clone_directory: "{{ clone_dir | default('~/LME') }}" + dashboards_path: "/opt/lme/dashboards/wazuh/*.ndjson" + check_path: "/opt/lme/dashboards/wazuh/" + kibana_url: "https://127.0.0.1:5601/api/saved_objects/_import?overwrite=true" + install_user: "root" + installed_file: "/opt/lme/dashboards/wazuh/INSTALLED" + + tasks: + - name: Check if INSTALLED file exists + stat: + path: "{{ installed_file }}" + register: installed_file_check + + - name: Exit cleanly if INSTALLED file exists + debug: + msg: "The INSTALLED file exists. Exiting the playbook cleanly." + when: installed_file_check.stat.exists + + - name: End play if INSTALLED file exists + meta: end_play + when: installed_file_check.stat.exists + + #SETUP + - name: Read lme-environment.env file + ansible.builtin.slurp: + src: /opt/lme/lme-environment.env + register: lme_env_content + + - name: Set environment variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | default({}) | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ (lme_env_content['content'] | b64decode).split('\n') }}" + when: item != '' and not item.startswith('#') + + - name: Display set environment variables + debug: + msg: "Set {{ item.key }}" + loop: "{{ env_dict | dict2items }}" + when: item.value | length > 0 and ( not debug_mode ) + + - name: Source extract_secrets + ansible.builtin.shell: | + set -a + . {{ playbook_dir }}/../scripts/extract_secrets.sh -q + echo "elastic=$elastic" + echo "wazuh=$wazuh" + echo "kibana_system=$kibana_system" + echo "wazuh_api=$wazuh_api" + args: + executable: /bin/bash + register: extract_secrets_vars + no_log: "{{ not debug_mode }}" + + - name: Set secret variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ extract_secrets_vars.stdout_lines }}" + no_log: "{{ not debug_mode }}" + + - name: Set playbook variables + ansible.builtin.set_fact: + ipvar: "{{ env_dict.IPVAR | default('') }}" + local_kbn_url: "{{ env_dict.LOCAL_KBN_URL | default('') }}" + local_es_url: "{{ env_dict.LOCAL_ES_URL | default('') }}" + stack_version: "{{ env_dict.STACK_VERSION | default('') }}" + cluster_name: "{{ env_dict.CLUSTER_NAME | default('') }}" + elastic_username: "{{ env_dict.ELASTIC_USERNAME | default('') }}" + elasticsearch_username: "{{ env_dict.ELASTICSEARCH_USERNAME | default('') }}" + kibana_fleet_username: "{{ env_dict.KIBANA_FLEET_USERNAME | default('') }}" + indexer_username: "{{ env_dict.INDEXER_USERNAME | default('') }}" + api_username: "{{ env_dict.API_USERNAME | default('') }}" + license: "{{ env_dict.LICENSE | default('') }}" + es_port: "{{ env_dict.ES_PORT | default('') }}" + kibana_port: "{{ env_dict.KIBANA_PORT | default('') }}" + fleet_port: "{{ env_dict.FLEET_PORT | default('') }}" + mem_limit: "{{ env_dict.MEM_LIMIT | default('') }}" + elastic_password: "{{ env_dict.elastic | default('') }}" + wazuh_password: "{{ env_dict.wazuh | default('') }}" + kibana_system_password: "{{ env_dict.kibana_system | default('') }}" + wazuh_api_password: "{{ env_dict.wazuh_api | default('') }}" + + - name: Debug - Display set variables (sensitive information redacted) + debug: + msg: + - "ipvar: {{ ipvar }}" + - "local_kbn_url: {{ local_kbn_url }}" + - "local_es_url: {{ local_es_url }}" + - "elastic_username: {{ elastic_username }}" + - "stack_version: {{ stack_version }}" + - "cluster_name: {{ cluster_name }}" + - "elasticsearch_username: {{ elasticsearch_username }}" + - "kibana_fleet_username: {{ kibana_fleet_username }}" + - "indexer_username: {{ indexer_username }}" + - "api_username: {{ api_username }}" + - "license: {{ license }}" + - "es_port: {{ es_port }}" + - "kibana_port: {{ kibana_port }}" + - "fleet_port: {{ fleet_port }}" + - "mem_limit: {{ mem_limit }}" + - "elastic password is set: {{ elastic_password | length > 0 }}" + - "wazuh password is set: {{ wazuh_password | length > 0 }}" + - "kibana_system password is set: {{ kibana_system_password | length > 0 }}" + - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}" + when: debug_mode | bool + #SETUP + + + - name: Check if dashboards_path exists + stat: + path: "{{ check_path }}" + register: path + + - name: Fail if dashboards_path doesn't exist + fail: + msg: "Dashboards path {{ check_path }} doesn't exist, theres been an error" + when: + - not path.stat.exists + + - name: Get list of dashboards + find: + paths: "{{ dashboards_path | dirname }}" + patterns: "*.ndjson" + register: dashboards + + - name: Upload dashboards to Kibana + shell: 'curl -X POST -k --user "{{ elastic_username }}":"{{ elastic_password }}" -H "kbn-xsrf: true" -F file=@"{{ item }}" "{{ kibana_url }}"' + args: + warn: false + loop: "{{ dashboards.files | map(attribute='path') | list }}" + + - name: Create INSTALLED file + file: + path: "{{ installed_file }}" + state: touch + when: not installed_file_check.stat.exists + +- name: Fix Wazuh Post Install Issues + hosts: localhost + become: yes + gather_facts: no + + vars: + max_retries: 60 + delay_seconds: 10 + debug_mode: false + clone_directory: "{{ clone_dir | default('~/LME') }}" + install_user: "{{ ansible_user_id }}" + + tasks: + #SETUP + - name: Read lme-environment.env file + ansible.builtin.slurp: + src: /opt/lme/lme-environment.env + register: lme_env_content + + - name: Set environment variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | default({}) | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ (lme_env_content['content'] | b64decode).split('\n') }}" + when: item != '' and not item.startswith('#') + + - name: Display set environment variables + debug: + msg: "Set {{ item.key }}" + loop: "{{ env_dict | dict2items }}" + when: item.value | length > 0 and (not debug_mode) + + - name: Source extract_secrets + ansible.builtin.shell: | + set -a + . {{ playbook_dir }}/../scripts/extract_secrets.sh -q + echo "elastic=$elastic" + echo "wazuh=$wazuh" + echo "kibana_system=$kibana_system" + echo "wazuh_api=$wazuh_api" + args: + executable: /bin/bash + register: extract_secrets_vars + no_log: "{{ not debug_mode }}" + + - name: Set secret variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ extract_secrets_vars.stdout_lines }}" + no_log: "{{ not debug_mode }}" + + - name: Set playbook variables + ansible.builtin.set_fact: + ipvar: "{{ env_dict.IPVAR | default('') }}" + local_kbn_url: "{{ env_dict.LOCAL_KBN_URL | default('') }}" + local_es_url: "{{ env_dict.LOCAL_ES_URL | default('') }}" + stack_version: "{{ env_dict.STACK_VERSION | default('') }}" + cluster_name: "{{ env_dict.CLUSTER_NAME | default('') }}" + elastic_username: "{{ env_dict.ELASTIC_USERNAME | default('') }}" + elasticsearch_username: "{{ env_dict.ELASTICSEARCH_USERNAME | default('') }}" + kibana_fleet_username: "{{ env_dict.KIBANA_FLEET_USERNAME | default('') }}" + indexer_username: "{{ env_dict.INDEXER_USERNAME | default('') }}" + api_username: "{{ env_dict.API_USERNAME | default('') }}" + license: "{{ env_dict.LICENSE | default('') }}" + es_port: "{{ env_dict.ES_PORT | default('') }}" + kibana_port: "{{ env_dict.KIBANA_PORT | default('') }}" + fleet_port: "{{ env_dict.FLEET_PORT | default('') }}" + mem_limit: "{{ env_dict.MEM_LIMIT | default('') }}" + elastic_password: "{{ env_dict.elastic | default('') }}" + wazuh_password: "{{ env_dict.wazuh | default('') }}" + kibana_system_password: "{{ env_dict.kibana_system | default('') }}" + wazuh_api_password: "{{ env_dict.wazuh_api | default('') }}" + + - name: Debug - Display set variables (sensitive information redacted) + debug: + msg: + - "ipvar: {{ ipvar }}" + - "local_kbn_url: {{ local_kbn_url }}" + - "local_es_url: {{ local_es_url }}" + - "elastic_username: {{ elastic_username }}" + - "stack_version: {{ stack_version }}" + - "cluster_name: {{ cluster_name }}" + - "elasticsearch_username: {{ elasticsearch_username }}" + - "kibana_fleet_username: {{ kibana_fleet_username }}" + - "indexer_username: {{ indexer_username }}" + - "api_username: {{ api_username }}" + - "license: {{ license }}" + - "es_port: {{ es_port }}" + - "kibana_port: {{ kibana_port }}" + - "fleet_port: {{ fleet_port }}" + - "mem_limit: {{ mem_limit }}" + - "elastic password is set: {{ elastic_password | length > 0 }}" + - "wazuh password is set: {{ wazuh_password | length > 0 }}" + - "kibana_system password is set: {{ kibana_system_password | length > 0 }}" + - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}" + when: debug_mode | bool + #SETUP + - name: expand path + set_fact: + clone_directory: "{{clone_directory | expanduser }}" + + - name: fix wazuh password + ansible.builtin.expect: + #source + podman exec + command: "{{ clone_directory }}/scripts/wazuh_rbac.sh" + responses: + ".*'wazuh'.*": + - "{{ wazuh_password }}" + ".*'wazuh-wui'.*": + - "{{ wazuh_api_password }}" + timeout: 30 + become: yes + +- name: Create Read Only User + hosts: localhost + become: yes + gather_facts: no + + vars: + max_retries: 60 + delay_seconds: 10 + debug_mode: false + clone_directory: "{{ clone_dir | default('~/LME') }}" + install_user: "root" + + tasks: + #SETUP + - name: Read lme-environment.env file + ansible.builtin.slurp: + src: /opt/lme/lme-environment.env + register: lme_env_content + + - name: Set environment variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | default({}) | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ (lme_env_content['content'] | b64decode).split('\n') }}" + when: item != '' and not item.startswith('#') + + - name: Display set environment variables + debug: + msg: "Set {{ item.key }}" + loop: "{{ env_dict | dict2items }}" + when: item.value | length > 0 and (not debug_mode) + + - name: Source extract_secrets + ansible.builtin.shell: | + set -a + . {{ playbook_dir }}/../scripts/extract_secrets.sh -q + echo "elastic=$elastic" + echo "wazuh=$wazuh" + echo "kibana_system=$kibana_system" + echo "wazuh_api=$wazuh_api" + args: + executable: /bin/bash + register: extract_secrets_vars + no_log: "{{ not debug_mode }}" + + - name: Set secret variables + ansible.builtin.set_fact: + env_dict: "{{ env_dict | combine({ item.split('=', 1)[0]: item.split('=', 1)[1] }) }}" + loop: "{{ extract_secrets_vars.stdout_lines }}" + no_log: "{{ not debug_mode }}" + + - name: Set playbook variables + ansible.builtin.set_fact: + ipvar: "{{ env_dict.IPVAR | default('') }}" + local_kbn_url: "{{ env_dict.LOCAL_KBN_URL | default('') }}" + local_es_url: "{{ env_dict.LOCAL_ES_URL | default('') }}" + stack_version: "{{ env_dict.STACK_VERSION | default('') }}" + cluster_name: "{{ env_dict.CLUSTER_NAME | default('') }}" + elastic_username: "{{ env_dict.ELASTIC_USERNAME | default('') }}" + elasticsearch_username: "{{ env_dict.ELASTICSEARCH_USERNAME | default('') }}" + kibana_fleet_username: "{{ env_dict.KIBANA_FLEET_USERNAME | default('') }}" + indexer_username: "{{ env_dict.INDEXER_USERNAME | default('') }}" + api_username: "{{ env_dict.API_USERNAME | default('') }}" + license: "{{ env_dict.LICENSE | default('') }}" + es_port: "{{ env_dict.ES_PORT | default('') }}" + kibana_port: "{{ env_dict.KIBANA_PORT | default('') }}" + fleet_port: "{{ env_dict.FLEET_PORT | default('') }}" + mem_limit: "{{ env_dict.MEM_LIMIT | default('') }}" + elastic_password: "{{ env_dict.elastic | default('') }}" + wazuh_password: "{{ env_dict.wazuh | default('') }}" + kibana_system_password: "{{ env_dict.kibana_system | default('') }}" + wazuh_api_password: "{{ env_dict.wazuh_api | default('') }}" + + - name: Debug - Display set variables (sensitive information redacted) + debug: + msg: + - "ipvar: {{ ipvar }}" + - "local_kbn_url: {{ local_kbn_url }}" + - "local_es_url: {{ local_es_url }}" + - "elastic_username: {{ elastic_username }}" + - "stack_version: {{ stack_version }}" + - "cluster_name: {{ cluster_name }}" + - "elasticsearch_username: {{ elasticsearch_username }}" + - "kibana_fleet_username: {{ kibana_fleet_username }}" + - "indexer_username: {{ indexer_username }}" + - "api_username: {{ api_username }}" + - "license: {{ license }}" + - "es_port: {{ es_port }}" + - "kibana_port: {{ kibana_port }}" + - "fleet_port: {{ fleet_port }}" + - "mem_limit: {{ mem_limit }}" + - "elastic password is set: {{ elastic_password | length > 0 }}" + - "wazuh password is set: {{ wazuh_password | length > 0 }}" + - "kibana_system password is set: {{ kibana_system_password | length > 0 }}" + - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}" + when: debug_mode | bool + #SETUP + + - name: Wait for Elasticsearch to be ready + uri: + url: "{{ local_es_url }}" + method: GET + user: "{{ elastic_username }}" + password: "{{ elastic_password }}" + force_basic_auth: yes + validate_certs: no + status_code: 200 + register: result + until: result.status is defined and result.status == 200 + retries: 60 + delay: 10 + ignore_errors: yes + + - name: Check if Elasticsearch is ready + fail: + msg: "Elasticsearch is not ready after 10 minutes. Please check the LME service and Elasticsearch logs." + when: result.status is not defined or result.status != 200 + + #TODO: --cacert "{{ ansible_env.HOME }}/.local/share/containers/storage/volumes/lme_certs/_data/ca/ca.crt" + - name: Create readonly role using curl + shell: > + curl -X POST "{{ local_es_url }}/_security/role/readonly_role" + -u "{{ elastic_username }}:{{ elastic_password }}" + -k + -H "Content-Type: application/json" + -d '{ + "indices": [ + { + "names": ["*"], + "privileges": ["read", "view_index_metadata"] + } + ], + "cluster": ["monitor"], + "applications": [ + { + "application": "kibana-.kibana", + "privileges": ["read"], + "resources": ["*"] + } + ] + }' + args: + warn: false + register: role_creation_result + when: result.status is defined and result.status == 200 + + - name: Display role creation result + debug: + msg: "Role creation output: {{ role_creation_result.stdout | default('Role creation skipped') }}" + + #maybe check for each in the shell script below? + - name: Register a variable, ignore errors and continue + shell: | + source /root/.profile + password=$( + curl -X POST "{{ local_es_url }}/_security/user/readonly_user" + -u "{{ elastic_username }}:{{ elastic_password }}" + -k + -H "Content-Type: application/json" + -d '{ + "password": "{{ read_only_password.stdout }}", + "roles": ["readonly_role"], + "full_name": "Read Only User" + }' + args: + warn: false + register: user_creation_result + when: result.status is defined and result.status == 200 + + - name: Display user creation result + debug: + msg: "User creation output: {{ user_creation_result.stdout | default('User creation skipped') }}" + + - name: DISPLAY NEW READONLY USER PASSWORD + debug: + msg: "LOGIN WITH readonly_user via:\n USER: readonlyuser\nPassword: {{ read_only_password.stdout }}" + diff --git a/config/setup/init-setup.sh b/config/setup/init-setup.sh index 9884d2c3..ef5e9bcd 100644 --- a/config/setup/init-setup.sh +++ b/config/setup/init-setup.sh @@ -5,8 +5,8 @@ if [[ -z "${ELASTIC_PASSWORD:-}" || -z "${KIBANA_PASSWORD:-}" ]]; then echo "ERROR: ELASTIC_PASSWORD and/or KIBANA_PASSWORD are missing." exit 1 fi -echo $ELASTIC_PASSWORD -echo $KIBANA_PASSWORD +#echo $ELASTIC_PASSWORD +#echo $KIBANA_PASSWORD CONFIG_DIR="/usr/share/elasticsearch/config" CERTS_DIR="${CONFIG_DIR}/certs" diff --git a/dashboards/Readme.md b/dashboards/Readme.md new file mode 100644 index 00000000..054932ba --- /dev/null +++ b/dashboards/Readme.md @@ -0,0 +1,62 @@ +# Folder for all the dashboards + +## Wazuh Dashboards: +For more info on these dashboards see wazuh's documentation: [LINK](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html) +This is the dashboard URL: +```bash +https://packages.wazuh.com/integrations/elastic/4.x-8.x/dashboards/wz-es-4.x-8.x-dashboards.ndjson +``` + +## How to update dashboards +Currently you need to run `ansible-playbook post_install_local.yml` to upload the current LME dashboards. + +## Updating to new dashboards and removing old ones (Starting with 1.1.0) +Browse to `Kibana->Stack Management` then select `Saved Objects`. +On the Saved Objects page, you can filter by dashboards. + +Select the filter `Type` and select `dashboard`. + +* It is suggested that you export the dashboards first (readme below) so you have a backup. +You can delete all of the dashboards before importing the new ones. + + +### Exporting dashboards: *TODO test this* +It is recommended that you export your dashboards before updating them, especially if you have customized them or created new ones. +To export the dashboards use the `export_dashboards.py`. +It is easiest to export them from the ubuntu machine where you have installed the ELK stack because the +default port and hostname are in the script. You will need the user and password for elastic that were printed +on your initial install. + +##### The files will be exported to `./exported` + +#### Running on Ubuntu + +``` +./export_dashboards.py -u elastic -p YOURUNIQUEPASS +``` + +The modules should already be installed on Ubuntu, but If the script complains about missing modules: +``` +pip install -r requirements.txt +``` + +#### Running on Windows +You must have python and the modules installed. (You can install python 3 from the Microsoft Store). Then install the requirements: +``` +pip install -r requirements.txt +``` + +You will probably have to pass the host that you connect to for kibana when running on windows. +``` +python .\export_dashboards.py -u elastic -p YOURUNIQUEPASS --host x.x.x.x +``` + +## Customizing dashboards: +When customizing dashboards keep in mind to be sure the name of the file does not conflict with one on git. In future iterations of LME, updates will overwrite any dashboard file that you have customized or named the same as an original file that appears in this directory. + +In addition, any other dashboards you want to save in git and track in this repository can maintained safely (assuming the new files do not overlap in name with any original file in LME) by doing the following: + 1. Creating your own local branch in this LME repo + 2. Commiting any changes + 3. pulling in changes from `main` to your local repo + + diff --git a/dashboards/elastic/User_Security_2.ndjson b/dashboards/elastic/User_Security_2.ndjson new file mode 100644 index 00000000..3bbf5dce --- /dev/null +++ b/dashboards/elastic/User_Security_2.ndjson @@ -0,0 +1,39 @@ +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Dashboard Menu","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Dashboard Menu\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Computer Software Overview](#/dashboard/33f0d3b0-8b8a-11ea-b1c6-a5bf39283f12)\\n| [Process Explorer](#/dashboard/f2cbc110-8400-11ee-a3de-f1bc0525ad6c)\\n| [Security log](#/dashboard/51186cd0-e8e9-11e9-9070-f78ae052729a) \\n| [Sysmon summary](#/dashboard/d2c73990-e5d4-11e9-8f1d-73a2ea4cc3ed) \\n| [User Security](#/dashboard/e5f203f0-6182-11ee-b035-d5f231e90733) \\n| [User HR](#/dashboard/618bc5d0-84f8-11ee-9838-ff0db128d8b2)\\n| [ Credential Access logs](#/dashboard/403259b0-42ff-11ef-ad69-a315bc8e9abb)\\n| [ Privilege Access logs](#/dashboard/ff4536e0-439c-11ef-bb7f-8131442929d4)\\n| [ Policy Changes & System Activity](#/dashboard/b9590350-4ad6-11ef-b548-fb0fe2537bf7)\\n| [ Identity access Management](#/dashboard/99145260-4618-11ef-af9e-99159f20f35b)\\n\\n\",\"openLinksInNewTab\":false}}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"12735ff0-9396-11ea-b41f-4dc1d87833fe","managed":false,"references":[],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4MCwzXQ=="} +{"attributes":{"fieldAttrs":"{\"host.name\":{\"count\":7},\"process.name\":{\"count\":6},\"winlog.computer_name\":{\"count\":5},\"winlog.event_data.ProcessName\":{\"count\":10},\"source.ip\":{\"count\":3},\"source.port\":{\"count\":3},\"winlog.event_data.IpAddress\":{\"count\":6},\"winlog.event_data.IpPort\":{\"count\":2},\"winlog.event_data.LogonProcessName\":{\"count\":2},\"process.pid\":{\"count\":1},\"winlog.event_data.ProcessId\":{\"count\":5},\"winlog.event_data.TargetDomainName\":{\"count\":9},\"client.user.domain\":{\"count\":1},\"client.user.name\":{\"count\":1},\"group.domain\":{\"count\":1},\"host.user.domain\":{\"count\":1},\"server.user.domain\":{\"count\":1},\"user.domain\":{\"count\":2},\"winlog.event_data.LogonType\":{\"count\":2},\"winlog.event_data.Status\":{\"count\":1},\"winlog.event_data.SubStatus\":{\"count\":1},\"winlog.event_data.TargetUserName\":{\"count\":3},\"winlog.event_data.WorkstationName\":{\"count\":1},\"winlog.logon.failure.status\":{\"count\":1},\"event.id\":{\"count\":1},\"winlog.event_data.ProcessID\":{\"count\":1},\"process.executable\":{\"count\":2},\"destination.ip\":{\"count\":1},\"destination.port\":{\"count\":1},\"network.transport\":{\"count\":1},\"user.name\":{\"count\":1},\"winlog.event_data.DestinationIp\":{\"count\":5},\"winlog.event_data.DestinationPort\":{\"count\":1},\"winlog.event_data.Path\":{\"count\":1},\"winlog.event_data.SourceIp\":{\"count\":3},\"winlog.event_data.SourcePort\":{\"count\":3},\"winlog.event_data.SourcePortName\":{\"count\":1},\"winlog.event_data.SubjectDomainName\":{\"count\":1},\"winlog.event_data.SubjectUserName\":{\"count\":2},\"winlog.event_data.TargetUser\":{\"count\":2}}","fieldFormatMap":"{\"winver\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"user.name\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"https://elastic-lme.contoso.local\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"process.executable\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"https://elastic-lme.contoso.local\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"host.name\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"https://elastic-lme.contoso.local\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}","fields":"[]","name":"logs-*","runtimeFieldMap":"{\"day_of_week\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['@timestamp'].value.dayOfWeekEnum.getValue())\"}},\"hour_of_day\":{\"type\":\"long\",\"script\":{\"source\":\"emit (doc['@timestamp'].value.getHour())\"}}}","sourceFilters":"[]","timeFieldName":"@timestamp","title":"logs-*","typeMeta":"{}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"68a051a0-1d7f-11e9-9fc5-a91039822035","managed":false,"references":[],"type":"index-pattern","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4MSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"},"title":"Security - Select User","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Select User\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1587572089136\",\"label\":\"Domain(s)\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\",\"fieldName\":\"winlog.event_data.TargetDomainName\",\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1587713561601\",\"fieldName\":\"winlog.event_data.TargetUserName\",\"parent\":\"\",\"label\":\"Username(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false}}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"a64ec020-84b4-11ea-b7fb-01bea49d9239","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"control_0_index_pattern","type":"index-pattern"},{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"control_1_index_pattern","type":"index-pattern"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4MiwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security - Filter Hosts","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security - Filter Hosts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Event count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host name\"}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"8b7ff050-8ed4-11ea-904c-391ecaa2f2f4","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4MywzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security - Select Host","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Select Host\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1588685297382\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Host\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"53b65290-8ed4-11ea-904c-391ecaa2f2f4","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"control_0_index_pattern","type":"index-pattern"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4NCwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Security - Logons Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Logons Title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## Logons\",\"openLinksInNewTab\":false,\"fontSize\":12},\"aggs\":[]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"d58b0380-8540-11ea-b6c5-5d9149593ce4","managed":false,"references":[],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4NSwzXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.code:4624 OR event.code:4625) and not user.name:*$\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"user.domain\",\"value\":\"NT AUTHORITY, Window Manager, Font Driver Host\",\"params\":[\"NT AUTHORITY\",\"Window Manager\",\"Font Driver Host\"],\"alias\":null,\"negate\":true,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"user.domain\":\"NT AUTHORITY\"}},{\"match_phrase\":{\"user.domain\":\"Window Manager\"}},{\"match_phrase\":{\"user.domain\":\"Font Driver Host\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}"},"sort":[["@timestamp","desc"]],"title":"Human User Logon Events","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"dc42fc40-84a1-11ea-b7fb-01bea49d9239","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4NiwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Logon attempts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Logon attempts\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Login attempts\"}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"22170f50-853c-11ea-b6c5-5d9149593ce4","managed":false,"references":[{"id":"dc42fc40-84a1-11ea-b7fb-01bea49d9239","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4NywzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Logon events over time","uiStateJSON":"{\"vis\":{\"colors\":{\"Failed attempts\":\"#BF1B00\",\"Successful atempts\":\"#629E51\"}}}","version":1,"visState":"{\"title\":\"Security - Logon events over time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":1,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"params\":{\"date\":true,\"interval\":\"PT30S\",\"format\":\"HH:mm:ss\",\"bounds\":{\"min\":\"2020-04-23T08:41:59.000Z\",\"max\":\"2020-04-23T08:56:59.000Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{},\"params\":{},\"aggType\":\"filters\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"event.code:4625\",\"language\":\"lucene\"},\"label\":\"Failed attempts\"},{\"input\":{\"query\":\"event.code:4624\",\"language\":\"lucene\"},\"label\":\"Successful atempts\"}]}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"c0c8b560-84a9-11ea-b7fb-01bea49d9239","managed":false,"references":[{"id":"dc42fc40-84a1-11ea-b7fb-01bea49d9239","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4OCwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.code\",\"value\":\"4,624, 4,625\",\"params\":[\"4624\",\"4625\"],\"alias\":null,\"negate\":false,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4625\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}"},"savedSearchRefName":"search_0","title":"Security - Logon hosts pie","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Logon hosts pie\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Computers\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computer\"}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"489f7350-853d-11ea-b6c5-5d9149593ce4","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"dc42fc40-84a1-11ea-b7fb-01bea49d9239","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY4OSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Logon hosts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Logon hosts\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"a179afa0-853c-11ea-b6c5-5d9149593ce4","managed":false,"references":[{"id":"dc42fc40-84a1-11ea-b7fb-01bea49d9239","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5MCwzXQ=="} +{"attributes":{"columns":["event.code","host.name","winlog.event_data.TargetDomainName","winlog.event_data.TargetUserName","winlog.event_data.IpAddress","event.action","event.outcome","winlog.event_data.LogonType"],"description":"","grid":{"columns":{"user.domain":{"width":119},"user.name":{"width":134}}},"hideChart":false,"hits":0,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.code:4624 OR event.code:4625) and not user.name:*$\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"timeRestore":false,"title":"Human Logon & Logoff events","usesAdHocDataView":false,"version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"2325be20-8616-11ea-a720-c7a0431f179d","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5MSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Security - Network Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Network Title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## Network Connections\",\"openLinksInNewTab\":false,\"fontSize\":12},\"aggs\":[]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"a1229110-860f-11ea-a720-c7a0431f179d","managed":false,"references":[],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5MiwzXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_id : \\\"3\\\" and event.provider : \\\"Microsoft-Windows-Sysmon\\\" \",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"sort":[["@timestamp","desc"]],"title":"All network activity ","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"d1a74ce0-8641-11ea-907a-33d103156187","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5MywzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Network Activity Line","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Network Activity Line\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Connections\",\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Connections\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Connections\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"params\":{\"date\":true,\"interval\":\"PT30S\",\"format\":\"HH:mm:ss\",\"bounds\":{\"min\":\"2020-04-24T15:29:10.918Z\",\"max\":\"2020-04-24T15:44:10.918Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"legendSize\":\"auto\",\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9}}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"ec7ad2d0-8641-11ea-907a-33d103156187","managed":false,"references":[{"id":"d1a74ce0-8641-11ea-907a-33d103156187","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5NCwzXQ=="} +{"attributes":{"columns":["winlog.event_data.DestinationHostname","destination.ip","winlog.event_data.DestinationIsIpv6","network.","process.executable","winlog.event_data.DestinationPort","winlog.event_data.Protocol","winlog.user.name","winlog.user.type","source.ip","winlog.event_data.SourceIsIpv6","source.port","network.protocol"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_id:3 AND NOT (destination.ip:\\\"10.0.0.0/8\\\" OR destination.ip:\\\"172.16.0.0/16\\\" OR destination.ip:\\\"192.168.0.0/16\\\" OR destionation.ip:\\\"224.0.0.0/24\\\" OR destination.ip:\\\"169.254.0.0/16\\\" OR destination.ip:\\\"127.0.0.1\\\" OR destination.ip:\\\"fe80::/10\\\" OR destination.ip:\\\"fc00::/7\\\") AND NOT (process.name:iexplore.exe OR process.name:chrome.exe OR process.name:firefox.exe OR process.name:opera.exe) AND event.provider : \\\"Microsoft-Windows-Sysmon\\\" \",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"sort":[["@timestamp","desc"]],"title":"srch_sd_non_browsers_connection","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"a0f75d50-e5e8-11e9-8f1d-73a2ea4cc3ed","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5NSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Network Process List","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security - Network Process List\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"winlog.event_data.DestinationIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":false,\"type\":\"terms\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"customLabel\":\"Logged on user\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"customLabel\":\"Computer\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"winlog.event_data.ProcessId\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"date\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"percentageCol\":\"\",\"showToolbar\":true,\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"31a7d490-e677-11e9-8be5-cd86dcca33f3","managed":false,"references":[{"id":"a0f75d50-e5e8-11e9-8f1d-73a2ea4cc3ed","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5NiwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Network connections area ","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Network connections area \",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":false,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"winlog.event_data.ProcessId\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"labels\":{},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"legendSize\":\"auto\",\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9}}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"3fb9dfd0-8887-11ea-99ef-bd4d29afe41e","managed":false,"references":[{"id":"a0f75d50-e5e8-11e9-8f1d-73a2ea4cc3ed","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5NywzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Overview - Processes with unusual network activity","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Overview - Processes with unusual network activity\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"significant_terms\",\"params\":{\"field\":\"winlog.event_data.ProcessId\",\"size\":10,\"include\":\"\",\"json\":\"\",\"customLabel\":\"Process\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"string\"},\"params\":{},\"label\":\"Process\",\"aggType\":\"significant_terms\"}]},\"showToolbar\":true,\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"245778d0-8641-11ea-907a-33d103156187","managed":false,"references":[{"id":"a0f75d50-e5e8-11e9-8f1d-73a2ea4cc3ed","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5OCwzXQ=="} +{"attributes":{"columns":["host.name","winlog.event_data.TargetUserName","winlog.event_data.TargetDomainName","winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.ProcessId","winlog.event_data.ProcessName"],"description":"","grid":{"columns":{"winlog.event_data.SubjectDomainName":{"width":216}}},"hideChart":false,"hits":0,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_id:3 AND NOT (destination.ip:\\\"10.0.0.0/8\\\" OR destination.ip:\\\"172.16.0.0/16\\\" OR destination.ip:\\\"192.168.0.0/16\\\" OR destionation.ip:\\\"224.0.0.0/24\\\" OR destination.ip:\\\"169.254.0.0/16\\\" OR destination.ip:\\\"127.0.0.1\\\" OR destination.ip:\\\"fe80::/10\\\" OR destination.ip:\\\"fc00::/7\\\") and event.provider : \\\"Microsoft-Windows-Sysmon\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"timeRestore":false,"title":"srch_uds_non_private_network","usesAdHocDataView":false,"version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"027102a0-e69f-11e9-8be5-cd86dcca33f3","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzY5OSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Security - Processes Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Processes Title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## Processes & Powershell\",\"openLinksInNewTab\":false,\"fontSize\":12},\"aggs\":[]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"813d18f0-8869-11ea-99ef-bd4d29afe41e","managed":false,"references":[],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwMCwzXQ=="} +{"attributes":{"columns":["host.name","winlog.event_data.TargetDomainName","winlog.event_data.User","winlog.event_data.ProcessId","winlog.event_data.ProcessName","winlog.event_data.Hashes","process.args"],"description":"","grid":{},"hideChart":false,"hits":0,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:\\\"1\\\" AND event.provider : \\\"Microsoft-Windows-Sysmon\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"timeRestore":false,"title":"Process Spawns","usesAdHocDataView":false,"version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"ca56a030-8899-11ea-99ef-bd4d29afe41e","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwMSwzXQ=="} +{"attributes":{"columns":["user.domain","user.name","host.name","process.executable","process.command_line","process.parent.executable","process.parent.command_line","file.path","event.code"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"process.parent.name:\\\"powershell.exe\\\" OR process.name:\\\"powershell.exe\\\" OR winlog.event_data.OriginalFileName:\\\"PowerShell.EXE\\\" OR process.command_line.text:\\\"powershell\\\" OR parent.process.command_line.text:\\\"powershell\\\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"sort":[["@timestamp","desc"]],"title":"srch_sd_powershell_run","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"2e276480-ec16-11e9-befc-81397a291157","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwMiwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Powershell Run Count","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Security - Powershell Run Count\",\"type\":\"metric\"}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"60553d40-ec18-11e9-befc-81397a291157","managed":false,"references":[{"id":"2e276480-ec16-11e9-befc-81397a291157","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwMywzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Powershell runs over time","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now/w\",\"to\":\"now/w\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#34130C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"legendSize\":\"auto\"},\"title\":\"Security - Powershell runs over time\"}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"bc2e06f0-8930-11ea-9bd8-f3fed1ec2140","managed":false,"references":[{"id":"2e276480-ec16-11e9-befc-81397a291157","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwNCwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security - Power shell hosts pie","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\"},\"title\":\"Security - Power shell hosts pie\",\"type\":\"pie\"}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"2b71e9f0-8931-11ea-9bd8-f3fed1ec2140","managed":false,"references":[{"id":"2e276480-ec16-11e9-befc-81397a291157","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwNSwzXQ=="} +{"attributes":{"columns":["user.domain","user.name","host.name","process.executable","process.args","process.parent.executable","process.parent.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(process.parent.name:\\\"powershell.exe\\\" OR process.name:\\\"powershell.exe\\\" OR winlog.event_data.OriginalFileName:\\\"PowerShell.EXE\\\") AND process.command_line.text:(\\\"invoke\\\" or \\\"bypass\\\" or \\\"iex\\\" or \\\"ex\\\" or \\\"icm\\\" or \\\"new-object\\\" or \\\"set\\\" or \\\"get\\\" or \\\"write\\\" or \\\"out\\\" or \\\"download\\\" or \\\"encoded\\\")\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"sort":[["@timestamp","desc"]],"title":"Potentially Suspicious Powershell","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"ff5a53b0-ebf7-11e9-befc-81397a291157","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwNiwzXQ=="} +{"attributes":{"columns":["user.domain","user.name","host.name","destination.domain","destination.ip"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_id:3 AND (process.parent.name:\\\"powershell.exe\\\" OR process.name:\\\"powershell.exe\\\" OR winlog.event_data.OriginalFileName:\\\"PowerShell.EXE\\\") AND event.provider : \\\"Microsoft-Windows-Sysmon\\\" \",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"sort":[["@timestamp","desc"]],"title":"srch_uds_powershell_network","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"c97a71f0-8952-11ea-9bd8-f3fed1ec2140","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwNywzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Security - Files title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Files title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## Files\",\"openLinksInNewTab\":false,\"fontSize\":12},\"aggs\":[]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"404f6e60-895e-11ea-9bd8-f3fed1ec2140","managed":false,"references":[],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwOCwzXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"file.path.text: \\\"tmp\\\" OR file.path.text:\\\"temp\\\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"file.path\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"file.path\"},\"$state\":{\"store\":\"appState\"}}]}"},"sort":[["@timestamp","desc"]],"title":"TEMP & %TEMP%","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"fbbf01c0-e697-11e9-8be5-cd86dcca33f3","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcwOSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"TEMP & %TEMP%","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.path\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Target File\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"TEMP & %TEMP%\"}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"1a0c4520-e698-11e9-8be5-cd86dcca33f3","managed":false,"references":[{"id":"fbbf01c0-e697-11e9-8be5-cd86dcca33f3","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxMCwzXQ=="} +{"attributes":{"columns":["@timestamp","user.domain","user.name","host.name","process.executable","winlog.event_data.ProcessId"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_id: \\\"9\\\" AND event.provider : \\\"Microsoft-Windows-Sysmon\\\" \",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"sort":[["@timestamp","desc"]],"title":"Raw Access Events","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"6b97d600-8960-11ea-9bd8-f3fed1ec2140","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxMSwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"title":"Security - Windows Defender Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - Windows Defender Title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## Windows Defender\",\"openLinksInNewTab\":false,\"fontSize\":12},\"aggs\":[]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"ebbab910-8960-11ea-9bd8-f3fed1ec2140","managed":false,"references":[],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxMiwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"winlog.event_id:(1006 or 1007 or 1008 or 1009 or 1116 or 1117 or 1118 or 1119)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security - AV Events Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security - AV Events Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Windows AV Events\"}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"4d08ec30-e5c1-11e9-ac01-d5832a8a14d8","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxMywzXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"winlog.event_id\",\"value\":\"1,006, 1,007, 1,008, 1,009, 1,116, 1,117, 1,118, 1,119\",\"params\":[\"1006\",\"1007\",\"1008\",\"1009\",\"1116\",\"1117\",\"1118\",\"1119\"],\"negate\":false,\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"winlog.event_id\":\"1006\"}},{\"match_phrase\":{\"winlog.event_id\":\"1007\"}},{\"match_phrase\":{\"winlog.event_id\":\"1008\"}},{\"match_phrase\":{\"winlog.event_id\":\"1009\"}},{\"match_phrase\":{\"winlog.event_id\":\"1116\"}},{\"match_phrase\":{\"winlog.event_id\":\"1117\"}},{\"match_phrase\":{\"winlog.event_id\":\"1118\"}},{\"match_phrase\":{\"winlog.event_id\":\"1119\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"AV Detection event","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"3c3bc850-7bc7-11e9-b45c-ad49d0e60b5a","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxNCwzXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"AV Hits (Count)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"AV Hits (Count)\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"AV Detection hits\"}}]}"},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"45277cd0-7bdf-11e9-b45c-ad49d0e60b5a","managed":false,"references":[{"id":"3c3bc850-7bc7-11e9-b45c-ad49d0e60b5a","name":"search_0","type":"search"}],"type":"visualization","typeMigrationVersion":"8.5.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxNSwzXQ=="} +{"attributes":{"columns":["winlog.event_data.Detection User","host.name","winlog.event_data.Path","winlog.event_data.FWLink"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_id: 1116\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.provider\",\"params\":{\"query\":\"Microsoft-Windows-Windows Defender\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.provider\":{\"query\":\"Microsoft-Windows-Windows Defender\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"},"sort":[["@timestamp","desc"]],"title":"Defender AV Detections","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T17:52:25.220Z","id":"854e4470-8966-11ea-9bd8-f3fed1ec2140","managed":false,"references":[{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","typeMigrationVersion":"8.0.0","updated_at":"2024-10-11T17:52:25.220Z","version":"WzcxNiwzXQ=="} +{"attributes":{"description":"User Security overview, filtered by Domain / Username or hostname","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"f755ac59-6f3f-4dcb-ae0c-758507dd83f3\"},\"panelIndex\":\"f755ac59-6f3f-4dcb-ae0c-758507dd83f3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f755ac59-6f3f-4dcb-ae0c-758507dd83f3\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":23,\"h\":7,\"i\":\"064b662c-7a7a-4a68-9f89-6677770cf040\"},\"panelIndex\":\"064b662c-7a7a-4a68-9f89-6677770cf040\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Search users\",\"panelRefName\":\"panel_064b662c-7a7a-4a68-9f89-6677770cf040\"},{\"type\":\"visualization\",\"gridData\":{\"x\":23,\"y\":3,\"w\":25,\"h\":7,\"i\":\"4104303d-2849-4c78-85d0-1fa9f49f4b80\"},\"panelIndex\":\"4104303d-2849-4c78-85d0-1fa9f49f4b80\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Filter hosts\",\"panelRefName\":\"panel_4104303d-2849-4c78-85d0-1fa9f49f4b80\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":10,\"w\":23,\"h\":7,\"i\":\"0195638d-458a-4ff6-ad4d-a991c7a7e882\"},\"panelIndex\":\"0195638d-458a-4ff6-ad4d-a991c7a7e882\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Search hosts\",\"panelRefName\":\"panel_0195638d-458a-4ff6-ad4d-a991c7a7e882\"},{\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":10,\"w\":25,\"h\":7,\"i\":\"3593d5e7-318e-48a0-9b9d-73ba207f18f8\"},\"panelIndex\":\"3593d5e7-318e-48a0-9b9d-73ba207f18f8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"68a051a0-1d7f-11e9-9fc5-a91039822035\",\"name\":\"indexpattern-datasource-layer-d123adeb-fd39-4176-b3c9-69c88d2852d5\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"6f33ff19-9959-4c43-b791-939582a0b3d2\",\"isTransposed\":false},{\"columnId\":\"26752485-2aa5-4908-b400-504d6e7ef451\",\"isTransposed\":false}],\"layerId\":\"d123adeb-fd39-4176-b3c9-69c88d2852d5\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d123adeb-fd39-4176-b3c9-69c88d2852d5\":{\"columns\":{\"6f33ff19-9959-4c43-b791-939582a0b3d2\":{\"label\":\"Event Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"26752485-2aa5-4908-b400-504d6e7ef451\":{\"label\":\"winlog.event_data.TargetUserName\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"winlog.event_data.TargetUserName\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f33ff19-9959-4c43-b791-939582a0b3d2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"26752485-2aa5-4908-b400-504d6e7ef451\",\"6f33ff19-9959-4c43-b791-939582a0b3d2\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filter users\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":48,\"h\":4,\"i\":\"387d6ff2-16e6-4efb-959e-c31b718f481f\"},\"panelIndex\":\"387d6ff2-16e6-4efb-959e-c31b718f481f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_387d6ff2-16e6-4efb-959e-c31b718f481f\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":21,\"w\":9,\"h\":7,\"i\":\"0c2033ce-4b41-46d4-9360-df760fef6fcc\"},\"panelIndex\":\"0c2033ce-4b41-46d4-9360-df760fef6fcc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0c2033ce-4b41-46d4-9360-df760fef6fcc\"},{\"type\":\"visualization\",\"gridData\":{\"x\":9,\"y\":21,\"w\":20,\"h\":14,\"i\":\"08b30cb5-bf80-4ca4-82f7-04a3adaf6a91\"},\"panelIndex\":\"08b30cb5-bf80-4ca4-82f7-04a3adaf6a91\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Logon attempts\",\"panelRefName\":\"panel_08b30cb5-bf80-4ca4-82f7-04a3adaf6a91\"},{\"type\":\"visualization\",\"gridData\":{\"x\":29,\"y\":21,\"w\":19,\"h\":14,\"i\":\"f4085a94-9a0b-436d-8351-0d3835018b74\"},\"panelIndex\":\"f4085a94-9a0b-436d-8351-0d3835018b74\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Logged on computers\",\"panelRefName\":\"panel_f4085a94-9a0b-436d-8351-0d3835018b74\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":28,\"w\":9,\"h\":7,\"i\":\"1dde117a-b1ce-4c92-ae25-1f5ec64a8033\"},\"panelIndex\":\"1dde117a-b1ce-4c92-ae25-1f5ec64a8033\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1dde117a-b1ce-4c92-ae25-1f5ec64a8033\"},{\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":35,\"w\":48,\"h\":17,\"i\":\"d1b7aa24-820d-4c80-8e0a-e5af2df3e656\"},\"panelIndex\":\"d1b7aa24-820d-4c80-8e0a-e5af2df3e656\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"User Logon & Logoff Events\",\"panelRefName\":\"panel_d1b7aa24-820d-4c80-8e0a-e5af2df3e656\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":4,\"i\":\"f04dffb7-7c21-4a21-b3be-72e290369616\"},\"panelIndex\":\"f04dffb7-7c21-4a21-b3be-72e290369616\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f04dffb7-7c21-4a21-b3be-72e290369616\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":14,\"i\":\"1e09c80a-b1f8-4c23-a669-07dea699f6c7\"},\"panelIndex\":\"1e09c80a-b1f8-4c23-a669-07dea699f6c7\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"All network connections\",\"panelRefName\":\"panel_1e09c80a-b1f8-4c23-a669-07dea699f6c7\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":70,\"w\":24,\"h\":15,\"i\":\"790db76b-0f52-47b6-bbe8-8ca8611dcee1\"},\"panelIndex\":\"790db76b-0f52-47b6-bbe8-8ca8611dcee1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"title\":\"Network connections from non-browser processes\",\"panelRefName\":\"panel_790db76b-0f52-47b6-bbe8-8ca8611dcee1\"},{\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":70,\"w\":24,\"h\":15,\"i\":\"7e9aade7-496b-49a9-8e35-df93fcafb8d8\"},\"panelIndex\":\"7e9aade7-496b-49a9-8e35-df93fcafb8d8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Network connection by protocol\",\"panelRefName\":\"panel_7e9aade7-496b-49a9-8e35-df93fcafb8d8\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":85,\"w\":48,\"h\":15,\"i\":\"3ea3bab7-f3de-44e2-b656-ea91f798bfa3\"},\"panelIndex\":\"3ea3bab7-f3de-44e2-b656-ea91f798bfa3\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Unusual network connections from non-browser processes\",\"panelRefName\":\"panel_3ea3bab7-f3de-44e2-b656-ea91f798bfa3\"},{\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":100,\"w\":48,\"h\":10,\"i\":\"cecdc65a-4681-48ce-a897-e7e502d53c51\"},\"panelIndex\":\"cecdc65a-4681-48ce-a897-e7e502d53c51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Network Connection Events (Sysmon ID 3)\",\"panelRefName\":\"panel_cecdc65a-4681-48ce-a897-e7e502d53c51\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":110,\"w\":48,\"h\":4,\"i\":\"f13a86c6-fb30-4594-bd8e-a6599de3b105\"},\"panelIndex\":\"f13a86c6-fb30-4594-bd8e-a6599de3b105\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f13a86c6-fb30-4594-bd8e-a6599de3b105\"},{\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":114,\"w\":48,\"h\":14,\"i\":\"62305f6a-aea7-4392-bc0f-1b39401608af\"},\"panelIndex\":\"62305f6a-aea7-4392-bc0f-1b39401608af\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Spawned Processes\",\"panelRefName\":\"panel_62305f6a-aea7-4392-bc0f-1b39401608af\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":128,\"w\":10,\"h\":15,\"i\":\"c9f7b834-936e-41ab-899f-0acd5acc8ce1\"},\"panelIndex\":\"c9f7b834-936e-41ab-899f-0acd5acc8ce1\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Powershell Events\",\"panelRefName\":\"panel_c9f7b834-936e-41ab-899f-0acd5acc8ce1\"},{\"type\":\"visualization\",\"gridData\":{\"x\":10,\"y\":128,\"w\":20,\"h\":15,\"i\":\"df23eba1-9d1e-4776-9427-45cc96c3d74c\"},\"panelIndex\":\"df23eba1-9d1e-4776-9427-45cc96c3d74c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Powershell events over time\",\"panelRefName\":\"panel_df23eba1-9d1e-4776-9427-45cc96c3d74c\"},{\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":128,\"w\":18,\"h\":15,\"i\":\"f04ccc93-e9e6-4de1-aa00-cc20fd3c510e\"},\"panelIndex\":\"f04ccc93-e9e6-4de1-aa00-cc20fd3c510e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Powershell events by computer\",\"panelRefName\":\"panel_f04ccc93-e9e6-4de1-aa00-cc20fd3c510e\"},{\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":143,\"w\":25,\"h\":16,\"i\":\"d630d92b-3dc6-47a1-b463-06dc87153147\"},\"panelIndex\":\"d630d92b-3dc6-47a1-b463-06dc87153147\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Potentially suspicious powershell\",\"panelRefName\":\"panel_d630d92b-3dc6-47a1-b463-06dc87153147\"},{\"type\":\"search\",\"gridData\":{\"x\":25,\"y\":143,\"w\":23,\"h\":16,\"i\":\"5ffe76a2-586e-4f12-bfad-9715292678e4\"},\"panelIndex\":\"5ffe76a2-586e-4f12-bfad-9715292678e4\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Powershell network connections\",\"panelRefName\":\"panel_5ffe76a2-586e-4f12-bfad-9715292678e4\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":159,\"w\":48,\"h\":4,\"i\":\"106ce826-a753-43a2-b8f3-7a28b0d71b3f\"},\"panelIndex\":\"106ce826-a753-43a2-b8f3-7a28b0d71b3f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_106ce826-a753-43a2-b8f3-7a28b0d71b3f\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":163,\"w\":24,\"h\":15,\"i\":\"f53fdf2f-baed-47bf-bd90-31bbbf4d910e\"},\"panelIndex\":\"f53fdf2f-baed-47bf-bd90-31bbbf4d910e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"References to temporary files\",\"panelRefName\":\"panel_f53fdf2f-baed-47bf-bd90-31bbbf4d910e\"},{\"type\":\"search\",\"gridData\":{\"x\":24,\"y\":163,\"w\":24,\"h\":15,\"i\":\"26910234-8a4e-4797-92c6-f671974c3d35\"},\"panelIndex\":\"26910234-8a4e-4797-92c6-f671974c3d35\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"RawAccessRead (Sysmon Event 9)\",\"panelRefName\":\"panel_26910234-8a4e-4797-92c6-f671974c3d35\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":178,\"w\":48,\"h\":4,\"i\":\"773e7777-35f0-42c8-ae3a-16fc9194d154\"},\"panelIndex\":\"773e7777-35f0-42c8-ae3a-16fc9194d154\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_773e7777-35f0-42c8-ae3a-16fc9194d154\"},{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":182,\"w\":12,\"h\":14,\"i\":\"8ea5e414-49b6-434a-9833-02ca36d879c4\"},\"panelIndex\":\"8ea5e414-49b6-434a-9833-02ca36d879c4\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Defender event count\",\"panelRefName\":\"panel_8ea5e414-49b6-434a-9833-02ca36d879c4\"},{\"type\":\"visualization\",\"gridData\":{\"x\":12,\"y\":182,\"w\":12,\"h\":14,\"i\":\"fe6db4cf-96dc-4798-add6-dd01080f4e39\"},\"panelIndex\":\"fe6db4cf-96dc-4798-add6-dd01080f4e39\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_fe6db4cf-96dc-4798-add6-dd01080f4e39\"},{\"type\":\"search\",\"gridData\":{\"x\":24,\"y\":182,\"w\":24,\"h\":14,\"i\":\"230a9f9f-3a92-4d27-88d3-b6f6622cdffb\"},\"panelIndex\":\"230a9f9f-3a92-4d27-88d3-b6f6622cdffb\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"AV Detections (Event 1116)\",\"panelRefName\":\"panel_230a9f9f-3a92-4d27-88d3-b6f6622cdffb\"}]","timeRestore":false,"title":"User Security 2.0","version":1},"coreMigrationVersion":"8.8.0","created_at":"2024-10-11T22:18:43.029Z","id":"fd349c99-a0c6-4578-8133-92a10848b68d","managed":false,"references":[{"id":"12735ff0-9396-11ea-b41f-4dc1d87833fe","name":"f755ac59-6f3f-4dcb-ae0c-758507dd83f3:panel_f755ac59-6f3f-4dcb-ae0c-758507dd83f3","type":"visualization"},{"id":"a64ec020-84b4-11ea-b7fb-01bea49d9239","name":"064b662c-7a7a-4a68-9f89-6677770cf040:panel_064b662c-7a7a-4a68-9f89-6677770cf040","type":"visualization"},{"id":"8b7ff050-8ed4-11ea-904c-391ecaa2f2f4","name":"4104303d-2849-4c78-85d0-1fa9f49f4b80:panel_4104303d-2849-4c78-85d0-1fa9f49f4b80","type":"visualization"},{"id":"53b65290-8ed4-11ea-904c-391ecaa2f2f4","name":"0195638d-458a-4ff6-ad4d-a991c7a7e882:panel_0195638d-458a-4ff6-ad4d-a991c7a7e882","type":"visualization"},{"id":"68a051a0-1d7f-11e9-9fc5-a91039822035","name":"3593d5e7-318e-48a0-9b9d-73ba207f18f8:indexpattern-datasource-layer-d123adeb-fd39-4176-b3c9-69c88d2852d5","type":"index-pattern"},{"id":"d58b0380-8540-11ea-b6c5-5d9149593ce4","name":"387d6ff2-16e6-4efb-959e-c31b718f481f:panel_387d6ff2-16e6-4efb-959e-c31b718f481f","type":"visualization"},{"id":"22170f50-853c-11ea-b6c5-5d9149593ce4","name":"0c2033ce-4b41-46d4-9360-df760fef6fcc:panel_0c2033ce-4b41-46d4-9360-df760fef6fcc","type":"visualization"},{"id":"c0c8b560-84a9-11ea-b7fb-01bea49d9239","name":"08b30cb5-bf80-4ca4-82f7-04a3adaf6a91:panel_08b30cb5-bf80-4ca4-82f7-04a3adaf6a91","type":"visualization"},{"id":"489f7350-853d-11ea-b6c5-5d9149593ce4","name":"f4085a94-9a0b-436d-8351-0d3835018b74:panel_f4085a94-9a0b-436d-8351-0d3835018b74","type":"visualization"},{"id":"a179afa0-853c-11ea-b6c5-5d9149593ce4","name":"1dde117a-b1ce-4c92-ae25-1f5ec64a8033:panel_1dde117a-b1ce-4c92-ae25-1f5ec64a8033","type":"visualization"},{"id":"2325be20-8616-11ea-a720-c7a0431f179d","name":"d1b7aa24-820d-4c80-8e0a-e5af2df3e656:panel_d1b7aa24-820d-4c80-8e0a-e5af2df3e656","type":"search"},{"id":"a1229110-860f-11ea-a720-c7a0431f179d","name":"f04dffb7-7c21-4a21-b3be-72e290369616:panel_f04dffb7-7c21-4a21-b3be-72e290369616","type":"visualization"},{"id":"ec7ad2d0-8641-11ea-907a-33d103156187","name":"1e09c80a-b1f8-4c23-a669-07dea699f6c7:panel_1e09c80a-b1f8-4c23-a669-07dea699f6c7","type":"visualization"},{"id":"31a7d490-e677-11e9-8be5-cd86dcca33f3","name":"790db76b-0f52-47b6-bbe8-8ca8611dcee1:panel_790db76b-0f52-47b6-bbe8-8ca8611dcee1","type":"visualization"},{"id":"3fb9dfd0-8887-11ea-99ef-bd4d29afe41e","name":"7e9aade7-496b-49a9-8e35-df93fcafb8d8:panel_7e9aade7-496b-49a9-8e35-df93fcafb8d8","type":"visualization"},{"id":"245778d0-8641-11ea-907a-33d103156187","name":"3ea3bab7-f3de-44e2-b656-ea91f798bfa3:panel_3ea3bab7-f3de-44e2-b656-ea91f798bfa3","type":"visualization"},{"id":"027102a0-e69f-11e9-8be5-cd86dcca33f3","name":"cecdc65a-4681-48ce-a897-e7e502d53c51:panel_cecdc65a-4681-48ce-a897-e7e502d53c51","type":"search"},{"id":"813d18f0-8869-11ea-99ef-bd4d29afe41e","name":"f13a86c6-fb30-4594-bd8e-a6599de3b105:panel_f13a86c6-fb30-4594-bd8e-a6599de3b105","type":"visualization"},{"id":"ca56a030-8899-11ea-99ef-bd4d29afe41e","name":"62305f6a-aea7-4392-bc0f-1b39401608af:panel_62305f6a-aea7-4392-bc0f-1b39401608af","type":"search"},{"id":"60553d40-ec18-11e9-befc-81397a291157","name":"c9f7b834-936e-41ab-899f-0acd5acc8ce1:panel_c9f7b834-936e-41ab-899f-0acd5acc8ce1","type":"visualization"},{"id":"bc2e06f0-8930-11ea-9bd8-f3fed1ec2140","name":"df23eba1-9d1e-4776-9427-45cc96c3d74c:panel_df23eba1-9d1e-4776-9427-45cc96c3d74c","type":"visualization"},{"id":"2b71e9f0-8931-11ea-9bd8-f3fed1ec2140","name":"f04ccc93-e9e6-4de1-aa00-cc20fd3c510e:panel_f04ccc93-e9e6-4de1-aa00-cc20fd3c510e","type":"visualization"},{"id":"ff5a53b0-ebf7-11e9-befc-81397a291157","name":"d630d92b-3dc6-47a1-b463-06dc87153147:panel_d630d92b-3dc6-47a1-b463-06dc87153147","type":"search"},{"id":"c97a71f0-8952-11ea-9bd8-f3fed1ec2140","name":"5ffe76a2-586e-4f12-bfad-9715292678e4:panel_5ffe76a2-586e-4f12-bfad-9715292678e4","type":"search"},{"id":"404f6e60-895e-11ea-9bd8-f3fed1ec2140","name":"106ce826-a753-43a2-b8f3-7a28b0d71b3f:panel_106ce826-a753-43a2-b8f3-7a28b0d71b3f","type":"visualization"},{"id":"1a0c4520-e698-11e9-8be5-cd86dcca33f3","name":"f53fdf2f-baed-47bf-bd90-31bbbf4d910e:panel_f53fdf2f-baed-47bf-bd90-31bbbf4d910e","type":"visualization"},{"id":"6b97d600-8960-11ea-9bd8-f3fed1ec2140","name":"26910234-8a4e-4797-92c6-f671974c3d35:panel_26910234-8a4e-4797-92c6-f671974c3d35","type":"search"},{"id":"ebbab910-8960-11ea-9bd8-f3fed1ec2140","name":"773e7777-35f0-42c8-ae3a-16fc9194d154:panel_773e7777-35f0-42c8-ae3a-16fc9194d154","type":"visualization"},{"id":"4d08ec30-e5c1-11e9-ac01-d5832a8a14d8","name":"8ea5e414-49b6-434a-9833-02ca36d879c4:panel_8ea5e414-49b6-434a-9833-02ca36d879c4","type":"visualization"},{"id":"45277cd0-7bdf-11e9-b45c-ad49d0e60b5a","name":"fe6db4cf-96dc-4798-add6-dd01080f4e39:panel_fe6db4cf-96dc-4798-add6-dd01080f4e39","type":"visualization"},{"id":"854e4470-8966-11ea-9bd8-f3fed1ec2140","name":"230a9f9f-3a92-4d27-88d3-b6f6622cdffb:panel_230a9f9f-3a92-4d27-88d3-b6f6622cdffb","type":"search"}],"type":"dashboard","typeMigrationVersion":"8.9.0","updated_at":"2024-10-11T22:18:43.029Z","version":"Wzk5NSw0XQ=="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":38,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/dashboards/export_dashboards.py b/dashboards/export_dashboards.py new file mode 100755 index 00000000..0c98119f --- /dev/null +++ b/dashboards/export_dashboards.py @@ -0,0 +1,171 @@ +#!/usr/bin/env python3 +import argparse +import base64 +import json +import os +import re +import requests +from pathlib import Path +from urllib3.exceptions import InsecureRequestWarning + +# Suppress the InsecureRequestWarning (We are using a self-signed cert) +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +ALL = 'all' + + +class Api: + def __init__(self, args): + self.ids = None + self.basic_auth = self.get_basic_auth(args.user, args.password) + self.root_url = f'https://{args.host}:{args.port}' + + def export_dashboards(self): + self.set_ids() + self.export_selected_dashboard(self.select_dashboard()) + + @staticmethod + def get_basic_auth(username, password): + return base64.b64encode(f"{username}:{password}".encode()).decode() + + def get_ids(self): + url = f'{self.root_url}/api/kibana/management/saved_objects/_find?perPage=500&page=1&type=dashboard&sortField=updated_at&sortOrder=desc' + + try: + response = requests.get(url, headers={'Authorization': f'Basic {self.basic_auth}'}, verify=False) + + if response.status_code == 200: + data = response.json() + #ids = {item['id']: item['meta']['title'] for item in data.get('saved_objects', [])} + #return ids + ids = { + item['id']: item['meta']['title'] + for item in data.get('saved_objects', []) + if '[' not in item['meta']['title'] and ']' not in item['meta']['title'] + } + return ids + else: + print(f"HTTP request failed with status code: {response.status_code}") + print(response.text) + return {} + except Exception as e: + print(f"An error occurred: {str(e)}") + return {} + + def set_ids(self, ids=None): + if ids is None: + ids = self.get_ids() + self.ids = ids + + def select_dashboard(self): + print("Please select a dashboard ID:") + item = 1 + choices = {} + + # Iterate through ids and display them with corresponding numbers + for this_id, title in self.ids.items(): + print(item, this_id, title) + choices[item] = this_id + item += 1 + + if item == 1: + print("I could not find any dashboards") + return + + choices[item] = ALL + print(item, "Select all dashboards") + + # Ask the user to select a number + while True: + try: + choice = int(input("Select a number: ")) + if choice in choices: + selected_id = choices[choice] + if selected_id == ALL: + return ALL # Return 'all' if the user selects all dashboards + else: + return selected_id # Return the selected dashboard ID + else: + print("Invalid choice. Please select a valid number.") + except ValueError: + print("Invalid input. Please enter a number.") + + def export_selected_dashboard(self, selected_dashboard): + if selected_dashboard == ALL: + print("You selected to export all dashboards") + self.dump_all_dashboards() + else: + print(f"You selected dashboard ID: {selected_dashboard}") + self.dump_dashboard(selected_dashboard) + + def dump_dashboard(self, selected_id): + print(f"Dumping dashboard: {selected_id}: {self.ids[selected_id]}...") + # Dumping dashboard: e5f203f0-6182-11ee-b035-d5f231e90733: User Security + + dashboard_json = self.get_dashboard_json(selected_id) + + if dashboard_json is not None: + script_dir = os.path.dirname(os.path.abspath(__file__)) + export_path = Path(script_dir) / 'exported' + os.makedirs(export_path, exist_ok=True) + + filename = re.sub(r"\W+", "_", self.ids[selected_id].lower()) + ".dumped.ndjson" + + print(f"Writing to file {filename}") + export_path = export_path / filename + + Api.write_to_file(export_path, dashboard_json) + return + + print("There was a problem dumping the dashboard") + + def dump_all_dashboards(self): + for this_id in self.ids: + self.dump_dashboard(this_id) + + def get_dashboard_json(self, selected_id): + url = f'{self.root_url}/api/saved_objects/_export' + data = { + "objects": [{"id": selected_id, "type": "dashboard"}], + "includeReferencesDeep": True + } + headers = { + "kbn-xsrf": "true", + 'Authorization': f'Basic {self.basic_auth}' + } + try: + response = requests.post(url, headers=headers, json=data, verify=False) + + if response.status_code == 200: + return response.text + else: + print(f"HTTP request failed with status code: {response.status_code}") + print(response.text) + return None + + except Exception as e: + print(f"An error occurred: {str(e)}") + return None + + @staticmethod + def write_to_file(filename, content): + with open(filename, 'wb') as file: + file.write(content.encode('utf-8')) + + +def main(): + # Define command-line arguments with defaults + parser = argparse.ArgumentParser(description='Retrieve IDs from Elasticsearch') + parser.add_argument('-u', '--user', required=True, help='Elasticsearch username') + parser.add_argument('-p', '--password', required=True, help='Elasticsearch password') + parser.add_argument('--host', default='localhost', help='Elasticsearch host (default: localhost)') + parser.add_argument('--port', default='443', help='Elasticsearch port (default: 443)') + args = parser.parse_args() + + api = Api(args) + + api.export_dashboards() + + +if __name__ == '__main__': + main() diff --git a/dashboards/requirements.txt b/dashboards/requirements.txt new file mode 100644 index 00000000..345bc273 --- /dev/null +++ b/dashboards/requirements.txt @@ -0,0 +1,2 @@ +requests +urllib3 \ No newline at end of file diff --git a/dashboards/wazuh/wz-es-4.x-8.x-dashboards.ndjson b/dashboards/wazuh/wz-es-4.x-8.x-dashboards.ndjson new file mode 100644 index 00000000..a02f7704 --- /dev/null +++ b/dashboards/wazuh/wz-es-4.x-8.x-dashboards.ndjson @@ -0,0 +1,9 @@ +{"attributes":{"fieldAttrs":"{}","fieldFormatMap":"{}","fields":"[]","name":"wazuh-alerts-4.x-*","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x-*","typeMeta":"{}"},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T17:17:45.191Z","id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-24T17:17:45.191Z","version":"WzI1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":8,\"h\":5,\"i\":\"9931cceb-51f1-4e47-bd26-491e7a624592\"},\"panelIndex\":\"9931cceb-51f1-4e47-bd26-491e7a624592\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"accessor\":\"df19010a-26e5-446d-9d74-56fe2495e38b\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#db5871\",\"stop\":2}],\"colorStops\":[{\"color\":\"#db5871\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"exists\",\"key\":\"data.vulnerability.severity\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"data.vulnerability.severity\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\":{\"columns\":{\"df19010a-26e5-446d-9d74-56fe2495e38b\":{\"label\":\"Critical Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Critical\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df19010a-26e5-446d-9d74-56fe2495e38b\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":8,\"h\":5,\"i\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\"},\"panelIndex\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"accessor\":\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#0c5da3\",\"stop\":2}],\"colorStops\":[{\"color\":\"#0c5da3\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"fd6049b6-e52c-449e-9775-ded5ac1eac15\":{\"columns\":{\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\":{\"label\":\"Hight Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"High\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":9,\"h\":5,\"i\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\"},\"panelIndex\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"accessor\":\"b7764bb5-540b-4183-a8c5-e9e856e48949\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#007d73\",\"stop\":2}],\"colorStops\":[{\"color\":\"#007d73\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a8774fa0-5ae6-4746-94bd-cd21a0210641\":{\"columns\":{\"b7764bb5-540b-4183-a8c5-e9e856e48949\":{\"label\":\"Medium Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Medium\\\" \",\"language\":\"kuery\"},\"reducedTimeRange\":\"\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"b7764bb5-540b-4183-a8c5-e9e856e48949\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":9,\"h\":5,\"i\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\"},\"panelIndex\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a397e361-0b6a-4d18-b957-2afce890f6c3\",\"accessor\":\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#222222\",\"stop\":2}],\"colorStops\":[{\"color\":\"#222222\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"alias\":\"data.vulnerability.severity : \\\"Low\\\" \",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"data.vulnerability.severity\\\":\\\"Low\\\"}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"term\":{\"data.vulnerability.severity\":\"Low\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a397e361-0b6a-4d18-b957-2afce890f6c3\":{\"columns\":{\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\":{\"label\":\"Low Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Low\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":25,\"h\":14,\"i\":\"8fe06d85-091b-47aa-a809-aae9150a3314\"},\"panelIndex\":\"8fe06d85-091b-47aa-a809-aae9150a3314\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"47832b00-8a1a-4d99-8631-89379474c236\",\"accessors\":[\"32448531-8094-4131-89c9-38ed77a620ec\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"yConfig\":[{\"forAccessor\":\"32448531-8094-4131-89c9-38ed77a620ec\",\"axisMode\":\"auto\"}],\"xAccessor\":\"f20c7be6-a511-4b95-be88-6de506dbf1d8\",\"splitAccessor\":\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"47832b00-8a1a-4d99-8631-89379474c236\":{\"columns\":{\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\":{\"label\":\"Top 5 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"32448531-8094-4131-89c9-38ed77a620ec\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f20c7be6-a511-4b95-be88-6de506dbf1d8\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"3h\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"32448531-8094-4131-89c9-38ed77a620ec\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\",\"f20c7be6-a511-4b95-be88-6de506dbf1d8\",\"32448531-8094-4131-89c9-38ed77a620ec\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":5,\"w\":23,\"h\":14,\"i\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\"},\"panelIndex\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"type\":\"heatmap_legend\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":true,\"yTitle\":\"\"},\"valueAccessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\",\"yAccessor\":\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"xAccessor\":\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"name\":\"positive\",\"continuity\":\"above\",\"reverse\":false,\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":0},{\"color\":\"#aed3ca\",\"stop\":20},{\"color\":\"#85bdb1\",\"stop\":40},{\"color\":\"#5aa898\",\"stop\":60},{\"color\":\"#209280\",\"stop\":80}],\"rangeMin\":0,\"rangeMax\":null},\"accessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\":{\"columns\":{\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":false},\"6fcc771b-b4e8-4684-80da-49b7b897dc24\":{\"label\":\"Top 3 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":false},\"e8d69708-c954-444b-a94f-9eb1befd3197\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities heat map\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":14,\"i\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\"},\"panelIndex\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\"},{\"isTransposed\":false,\"columnId\":\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\"},{\"isTransposed\":false,\"columnId\":\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\",\"hidden\":true},{\"columnId\":\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"isTransposed\":false},{\"columnId\":\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"isTransposed\":false}],\"layerId\":\"d94ddf3d-d285-450e-aba4-46057df55fb7\",\"layerType\":\"data\",\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d94ddf3d-d285-450e-aba4-46057df55fb7\":{\"columns\":{\"542028d8-117e-4ee0-ba25-3ff4475940aa\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\":{\"label\":\"data.vulnerability.cve\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.cve\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\":{\"label\":\"data.vulnerability.package.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\":{\"label\":\"data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"056be5db-ea40-4979-9985-8f0c73a8dcef\":{\"label\":\"data.vulnerability.package.version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\",\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\",\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-vulnerabilities-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:41.475Z","id":"1e68dc60-e2b5-11ed-9db8-9f0e23f622c3","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:b9624937-542e-4ac9-9f09-ae532ade3311","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"a0b05cdd-c4b5-46b0-af2e-32253bd965e6:indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"b22f2aba-370b-40f2-8f30-c7175fd21d84:indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:a532bc3a-2caf-4353-9a37-17d4fb373b0d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"8fe06d85-091b-47aa-a809-aae9150a3314:indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"680cfedf-a868-4de2-8173-897f4df7f6d7:indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5a8626af-2bc4-4317-ad7f-20622c16db0a:indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:41.475Z","version":"WzQ3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":5,\"i\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\"},\"panelIndex\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"accessor\":\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1E75B6\",\"stop\":300}],\"colorStops\":[{\"color\":\"#1E75B6\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\":{\"columns\":{\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\":{\"label\":\"Total\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":16,\"y\":0,\"w\":8,\"h\":5,\"i\":\"dc864252-a518-4187-80ca-b581ad14f1cb\"},\"panelIndex\":\"dc864252-a518-4187-80ca-b581ad14f1cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"accessor\":\"65d5d9ac-208b-4393-b498-12f4351445bd\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#e57488\",\"stop\":8}],\"colorStops\":[{\"color\":\"#e57488\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"alias\":\"rule.level >= 12\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"range\\\":{\\\"rule.level\\\":{\\\"gte\\\":\\\"12\\\"}}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"rule.level\":{\"gte\":\"12\"}}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\":{\"columns\":{\"65d5d9ac-208b-4393-b498-12f4351445bd\":{\"label\":\"Level 12 or above alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.level >= 12\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65d5d9ac-208b-4393-b498-12f4351445bd\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":5,\"i\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\"},\"panelIndex\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"28318134-b7bd-4faa-b21e-b0a6665b526f\",\"accessor\":\"e1a6a50b-cffe-4c92-b756-bad658aee97d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#d4458d\",\"stop\":4}],\"colorStops\":[{\"color\":\"#d4458d\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"alias\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or \\\"authentication_failures\\\"\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"rule.groups\\\":\\\"authentication_failed\\\"}}],\\\"minimum_should_match\\\":1}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"win_authentication_failed\\\",\\\"lenient\\\":true}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"authentication_failures\\\",\\\"lenient\\\":true}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"bool\":{\"should\":[{\"term\":{\"rule.groups\":\"authentication_failed\"}}],\"minimum_should_match\":1}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"win_authentication_failed\",\"lenient\":true}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"authentication_failures\",\"lenient\":true}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"28318134-b7bd-4faa-b21e-b0a6665b526f\":{\"columns\":{\"e1a6a50b-cffe-4c92-b756-bad658aee97d\":{\"label\":\"Athentication failure\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or \\\"authentication_failures\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e1a6a50b-cffe-4c92-b756-bad658aee97d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":5,\"i\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\"},\"panelIndex\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"accessor\":\"ea00d671-3e3a-434a-8813-1dfa3a023112\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1a938a\",\"stop\":2}],\"colorStops\":[{\"color\":\"#1a938a\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"exists\",\"key\":\"rule.groups\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"rule.groups\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"67c3da39-aad2-4ff4-812f-15cf135b2d12\":{\"columns\":{\"ea00d671-3e3a-434a-8813-1dfa3a023112\":{\"label\":\"Authentication success\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups: \\\"authentication_success\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ea00d671-3e3a-434a-8813-1dfa3a023112\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":32,\"h\":14,\"i\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\"},\"panelIndex\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"accessors\":[\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"xAccessor\":\"c5296771-93c8-48cb-bf57-cad19d8c829e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e8600050-5477-49a7-a28e-ce9a47ded5f5\":{\"columns\":{\"8d76d731-1e09-4706-b3d9-48108dd7dd32\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"c5296771-93c8-48cb-bf57-cad19d8c829e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"3f2d0dea-171c-41ed-9452-29106c10a968\":{\"label\":\"Top 5 values of agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"c5296771-93c8-48cb-bf57-cad19d8c829e\",\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alerts evolution - Top 5 agents\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":5,\"w\":16,\"h\":14,\"i\":\"e35f33d0-784d-471a-842e-576523d0ca80\"},\"panelIndex\":\"e35f33d0-784d-471a-842e-576523d0ca80\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top Mitre\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"d2ef6c07-620f-431e-85f2-77175187e0fe\",\"primaryGroups\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\"],\"metrics\":[\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.3,\"legendSize\":\"xlarge\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d2ef6c07-620f-431e-85f2-77175187e0fe\":{\"columns\":{\"a676e778-cad9-431e-b520-3e87b3a0afb2\":{\"label\":\"Top 5 values of rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\",\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K tactics\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":15,\"i\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\"},\"panelIndex\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"isTransposed\":false,\"columnId\":\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\"},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"columnId\":\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"columnId\":\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"c74264a6-eb65-4232-9444-a503723c6fdf\":{\"label\":\"rule.mitre.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:25.862Z","id":"1002c610-a23f-11ed-9c45-1d7f2cbf4bd8","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"c90b5ced-c476-4336-8248-5f5eee09b7d3:indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:4cd727d8-200d-4869-b702-ff540bd3ff56","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:1b7728c2-28d0-40f9-81ed-74e77231242c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:933a08d4-fd4c-4829-938c-df17bc87af15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e:indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e35f33d0-784d-471a-842e-576523d0ca80:indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ee6f5f4c-2a18-4733-a593-23c1f2a24376:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:25.862Z","version":"WzQ3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":29,\"h\":15,\"i\":\"976e6302-500a-427c-bd29-75cee9034fe6\"},\"panelIndex\":\"976e6302-500a-427c-bd29-75cee9034fe6\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"PCI DSS requirements\",\"description\":\"\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":0,\"showCircles\":true,\"circlesRadius\":10,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-10w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"1d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":15,\"i\":\"d299d776-0b4f-4955-b7d6-5717119dba59\"},\"panelIndex\":\"d299d776-0b4f-4955-b7d6-5717119dba59\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"accessors\":[\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"splitAccessor\":\"852bf376-24f0-4b54-8568-0964c3289eb4\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\":{\"columns\":{\"e17436ee-06c3-4b4e-acda-f8d379648407\":{\"label\":\"Requirements\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"852bf376-24f0-4b54-8568-0964c3289eb4\":{\"label\":\"Top 5 values of agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"852bf376-24f0-4b54-8568-0964c3289eb4\",\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Requirements by agent\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":17,\"i\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\"},\"panelIndex\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"PCI DSS\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"27ae8c68-e64e-4824-9422-df1611b74c58\"},{\"isTransposed\":false,\"columnId\":\"30508bd4-917e-4614-9922-c445af8e8a8f\"},{\"isTransposed\":false,\"columnId\":\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\"},{\"isTransposed\":false,\"columnId\":\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"df70835d-3cfb-4ead-a942-d60c00330c30\"},{\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"f96a237b-410c-475c-863e-60acde29fc71\",\"isTransposed\":false,\"oneClickFilter\":true}],\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"951964d6-a0d3-4593-911f-b598f1bdd7a6\":{\"columns\":{\"27ae8c68-e64e-4824-9422-df1611b74c58\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"30508bd4-917e-4614-9922-c445af8e8a8f\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"49885e99-2da3-4165-9b20-9d78ccaca4bd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"df70835d-3cfb-4ead-a942-d60c00330c30\":{\"label\":\"rule.pci_dss\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"f96a237b-410c-475c-863e-60acde29fc71\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\",\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"df70835d-3cfb-4ead-a942-d60c00330c30\",\"27ae8c68-e64e-4824-9422-df1611b74c58\",\"30508bd4-917e-4614-9922-c445af8e8a8f\",\"f96a237b-410c-475c-863e-60acde29fc71\",\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Recent events\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:10.201Z","id":"ad09bc40-a634-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"976e6302-500a-427c-bd29-75cee9034fe6:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"d299d776-0b4f-4955-b7d6-5717119dba59:indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01:indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:10.201Z","version":"WzQ2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":13,\"i\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\"},\"panelIndex\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"LINEAR\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"accessors\":[\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"yConfig\":[{\"forAccessor\":\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\",\"color\":\"#40d4e0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\":{\"columns\":{\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Emotet malware activity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":13,\"i\":\"cc5ad74e-c871-4ac3-9487-328adc286921\"},\"panelIndex\":\"cc5ad74e-c871-4ac3-9487-328adc286921\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"accessors\":[\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"splitAccessor\":\"52edc505-8c8a-4965-a3f3-46ca861738af\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5ccb00b3-1675-4c9f-a542-927c5930e66e\":{\"columns\":{\"52edc505-8c8a-4965-a3f3-46ca861738af\":{\"label\":\"Top 5 values of data.title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.title\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"b662da8a-50ee-4dae-a2bb-25861753d95c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f001735e-ca2b-455d-a50a-b7f44b005f0b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"52edc505-8c8a-4965-a3f3-46ca861738af\",\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Rootkits activity over time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":21,\"i\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\"},\"panelIndex\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\"},{\"isTransposed\":false,\"columnId\":\"1169cee0-a32f-48d2-8e12-2919736d710a\"},{\"isTransposed\":false,\"columnId\":\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"125edb0b-de81-41b8-9612-1d87188e2b12\"},{\"isTransposed\":false,\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\",\"hidden\":true},{\"columnId\":\"694278f2-f767-4450-90f5-4a95905e989f\",\"isTransposed\":false},{\"columnId\":\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"isTransposed\":false}],\"layerId\":\"777017d9-58d0-4f3f-8461-64af784d41a4\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"777017d9-58d0-4f3f-8461-64af784d41a4\":{\"columns\":{\"56e30fec-0d21-4af5-9751-7630c08713e8\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\":{\"label\":\"rule.mitre.technique\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.technique\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1169cee0-a32f-48d2-8e12-2919736d710a\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"23107287-fb86-49ea-bdea-79d55b5e7ea4\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"125edb0b-de81-41b8-9612-1d87188e2b12\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a1caa30b-78e1-493d-bb05-f29242d47609\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"694278f2-f767-4450-90f5-4a95905e989f\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"1073b1b6-aa33-4e11-841b-0b6459a56603\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"694278f2-f767-4450-90f5-4a95905e989f\",\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\",\"1169cee0-a32f-48d2-8e12-2919736d710a\",\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"125edb0b-de81-41b8-9612-1d87188e2b12\",\"a1caa30b-78e1-493d-bb05-f29242d47609\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:31.797Z","id":"f9bb41b0-a3cf-11ed-9187-5147a2b9eedf","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"847a1b06-c15d-41a2-9a08-73b056e959fb:indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cc5ad74e-c871-4ac3-9487-328adc286921:indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e3873842-502a-4ba4-a3ab-d5bcdc9d908c:indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:31.797Z","version":"WzQwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":13,\"i\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\"},\"panelIndex\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"primaryGroups\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\"],\"metrics\":[\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7,\"legendSize\":\"large\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\":{\"columns\":{\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"\",\"language\":\"kuery\"}},\"ccea2153-9f5c-4f65-9346-1feceb3783eb\":{\"label\":\"Top 5 values of rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\",\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert groups\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":13,\"i\":\"115417e6-11a1-4a55-8055-220b69dad98e\"},\"panelIndex\":\"115417e6-11a1-4a55-8055-220b69dad98e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"right\",\"showSingleSeries\":false},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"accessors\":[\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"splitAccessor\":\"a195fccb-9268-453a-b824-54f1e3f72d12\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"54e72470-df75-47d1-a7a6-3d2f807a39d1\":{\"columns\":{\"a195fccb-9268-453a-b824-54f1e3f72d12\":{\"label\":\"Top 5 values of rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"audit\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"a195fccb-9268-453a-b824-54f1e3f72d12\",\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"edc2487b-0a85-4975-b841-457471ee5cd0\"},\"panelIndex\":\"edc2487b-0a85-4975-b841-457471ee5cd0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\"},{\"columnId\":\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\":{\"label\":\"rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:14.435Z","id":"e30257a0-a641-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"caf3fb07-a3b0-4f51-b000-926f4b26ee4f:indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"115417e6-11a1-4a55-8055-220b69dad98e:indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"edc2487b-0a85-4975-b841-457471ee5cd0:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:14.435Z","version":"WzQwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":12,\"i\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\"},\"panelIndex\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"b9d91550-4d81-4724-926b-368cbac70c5c\",\"primaryGroups\":[\"393155df-15ed-400b-bef4-be554873a6c6\"],\"metrics\":[\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b9d91550-4d81-4724-926b-368cbac70c5c\":{\"columns\":{\"393155df-15ed-400b-bef4-be554873a6c6\":{\"label\":\"Top 5 values of data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"393155df-15ed-400b-bef4-be554873a6c6\",\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top 5 events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":0,\"w\":34,\"h\":12,\"i\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\"},\"panelIndex\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"45315f08-c693-4bdc-aa72-8546f280b2b2\",\"accessors\":[\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"93ae869a-82d8-4825-9391-568728d510a7\",\"splitAccessor\":\"588460de-4d21-471e-922f-0b59d3ec977f\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"45315f08-c693-4bdc-aa72-8546f280b2b2\":{\"columns\":{\"93ae869a-82d8-4825-9391-568728d510a7\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"69651d63-8697-41d8-b639-5d77e806c90a\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"588460de-4d21-471e-922f-0b59d3ec977f\":{\"label\":\"Top 3 values of data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"69651d63-8697-41d8-b639-5d77e806c90a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"588460de-4d21-471e-922f-0b59d3ec977f\",\"93ae869a-82d8-4825-9391-568728d510a7\",\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":48,\"h\":37,\"i\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\"},\"panelIndex\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"isTransposed\":false},{\"columnId\":\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"isTransposed\":false},{\"columnId\":\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"isTransposed\":false},{\"columnId\":\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"isTransposed\":false},{\"columnId\":\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"isTransposed\":false},{\"columnId\":\"f7109d3b-68d4-418c-b4c4-fe451858d375\",\"isTransposed\":false},{\"columnId\":\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\":{\"columns\":{\"1cedf71d-5da2-423a-8108-0d28190dc1f2\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"09e332ce-350b-499a-8df5-9b15ed375c20\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e323b79e-be8f-458d-80b9-100d79e6fc3c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"655b8229-82ac-4302-a97c-a5b1778f22f9\":{\"label\":\"data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c47bc042-54fd-4134-9cec-05f36c5c95e0\":{\"label\":\"data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\":{\"label\":\"data.docker.Actor.ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Actor.ID\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a61f2679-de38-4a5d-b105-dab5d341a400\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7109d3b-68d4-418c-b4c4-fe451858d375\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"28c7593f-f805-4cbd-afed-94dfdbde7d29\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"f7109d3b-68d4-418c-b4c4-fe451858d375\",\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:50.548Z","id":"8359c240-a7cf-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631:indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ec92f542-1336-4a92-90e6-548fa7a78db6:indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cac9a63e-4892-4879-bd94-210fd3b5b3d0:indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:50.548Z","version":"WzM5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"5177564c-7c79-4412-9c03-99dca92b90d5\"},\"panelIndex\":\"5177564c-7c79-4412-9c03-99dca92b90d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"left\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"bca83102-e00c-4277-b280-a91ef087536e\",\"accessors\":[\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"splitAccessor\":\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bca83102-e00c-4277-b280-a91ef087536e\":{\"columns\":{\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\":{\"label\":\"Top 3 values of data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"amazon\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\",\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\"},\"panelIndex\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"primaryGroups\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\"],\"metrics\":[\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\":{\"columns\":{\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\":{\"label\":\"Top 5 values of data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c1031-e343-427d-b141-b47ccc7a570a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4a2c1031-e343-427d-b141-b47ccc7a570a\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\",\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Sources\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\"},\"panelIndex\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"e\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1835ff08-affb-403c-991e-8e642c7a5456\"},{\"isTransposed\":false,\"columnId\":\"6dce6ade-b342-4645-9ff2-228f319d69f7\"},{\"isTransposed\":false,\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\",\"hidden\":true},{\"columnId\":\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"isTransposed\":false},{\"columnId\":\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"isTransposed\":false},{\"columnId\":\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\":{\"columns\":{\"8882fc10-f772-4a02-af1f-049b59a04dfd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1835ff08-affb-403c-991e-8e642c7a5456\":{\"label\":\"data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6dce6ade-b342-4645-9ff2-228f319d69f7\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f8266242-342d-4046-8bb5-90efe4839a60\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"06b78908-beb7-4a01-a9b0-b7f9775318d9\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ea992e31-8ea1-4548-8182-da51c911cf21\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"a8c6efd9-93b3-4636-96ea-43b359962134\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6dce6ade-b342-4645-9ff2-228f319d69f7\",\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"1835ff08-affb-403c-991e-8e642c7a5456\",\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"f8266242-342d-4046-8bb5-90efe4839a60\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:30.916Z","id":"ff5626e0-a63f-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5177564c-7c79-4412-9c03-99dca92b90d5:indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"692e518d-0688-414b-92e8-6b2bf1b960dd:indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"25e0d536-4163-46e6-abd5-5cd45cd9f30a:indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:30.916Z","version":"WzM1OCwxXQ=="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":8,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/docs/markdown/logging-guidance/cloud.md b/docs/markdown/logging-guidance/cloud.md index 56ad50e5..dd08bf5b 100644 --- a/docs/markdown/logging-guidance/cloud.md +++ b/docs/markdown/logging-guidance/cloud.md @@ -13,9 +13,11 @@ In order for the LME agents to talk to LME in the cloud you'll need to ensure th The easiest way is to make sure you can hit these LME server ports from the on-prem client: - WAZUH ([DOCS](https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/requirements.html)): 1514,1515 - - Agent ([DOCS](https://www.elastic.co/guide/en/elastic-stack/current/installing-stack-demo-self.html#install-stack-self-elastic-agent)): 8220 + - Agent ([DOCS](https://www.elastic.co/guide/en/elastic-stack/current/installing-stack-demo-self.html#install-stack-self-elastic-agent)): 8220 (fleet commands), 9200 (input to elasticsearch) -You'll need to make sure your Cloud firewall is setup to allow those ports. On azure, network security groups (NSG) run a firewall on your virtual machines network interfaces. You'll need to update your LME virtual machine's rules to allow inbound connections on the agent ports. Azure has a detailed guide for how to add security rules [here](https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal#create-a-security-rule) +You'll need to make sure your Cloud firewall is setup to allow those ports. On azure, network security groups (NSG) run a firewall on your virtual machines network interfaces. You'll need to update your LME virtual machine's rules to allow inbound connections on the agent ports. Azure has a detailed guide for how to add security rules [here](https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal#create-a-security-rule). + +##### ***We highly suggest you do not open ANY PORT globally and restrict it based on your clients ip address or your client's subnets.**** Then on LME, you'll want to make sure you have either the firewall disabled (if you're using the cloud firewall as the main firewall): ``` @@ -44,11 +46,17 @@ You can add the above ports to ufw via the following command: sudo ufw allow 1514 sudo ufw allow 1515 sudo ufw allow 8220 +sudo ufw allow 9200 +``` +If you want to use the wazuh api, you'll also need to setup port 55000 to be allowed in: +``` +sudo ufw allow 55000 ``` -In addition, you'll need to setup rules to forward traffic to the container network: +In addition, you'll need to setup rules to forward traffic to the container network and allow traffic to run on the container network: ``` -ufw allow in on eth0 out on podman1 to any port +ufw route allow in on eth0 out on podman1 to any port 443,1514,1515,5601,8220,9200 proto tcp +ufw route allow in on podman1 ``` Theres a helpful stackoverflow article on why: [LINK](https://stackoverflow.com/questions/70870689/configure-ufw-for-podman-on-port-443) Your `podman1` interface name maybe differently, check the output of your network interfaces here and see if its also called podman1: @@ -56,6 +64,21 @@ Your `podman1` interface name maybe differently, check the output of your networ sudo -i podman network inspect lme | jq 'map(select(.name == "lme")) | map(.network_interface) | .[]' ``` +Your rules can be dumped and shown like so: +``` +root@ubuntu:~# ufw show added +Added user rules (see 'ufw status' for running firewall): +ufw allow 22 +ufw allow 1514 +ufw allow 1515 +ufw allow 8220 +ufw route allow in on eth0 out on podman1 to any port 443,1514,1515,5601,8220,9200 proto tcp +ufw allow 443 +ufw allow in on podman1 +ufw allow 9200 +root@ubuntu:~# +``` + ### Deploying LME for cloud infrastructure: Every cloud setup is different, but as long as the LME server is on the same network and able to talk to the machines you want to monitor everything should be good to go. diff --git a/docs/markdown/reference/troubleshooting.md b/docs/markdown/reference/troubleshooting.md index 140d9d87..bb7f943e 100644 --- a/docs/markdown/reference/troubleshooting.md +++ b/docs/markdown/reference/troubleshooting.md @@ -1,12 +1,12 @@ # Troubleshooting LME Install -## Troubleshooting Diagram +## Troubleshooting Diagram TODO redo the chart for troubleshooting steps Below is a diagram of the LME architecture with labels referring to possible issues at that specific location. Refer to the chart below for protocol information, process information, log file locations, and common issues at each point in LME. You can also find more detailed troubleshooting steps for each chapter after the chart. -![Troubleshooting overview](/docs/imgs/troubleshooting-overview.jpg) +![Troubleshooting overview](/docs/imgs/troubleshooting-overview.jpg) TODO we should remake this

Figure 1: Troubleshooting overview diagram

@@ -19,39 +19,11 @@ Figure 1: Troubleshooting overview diagram | c | Outbound TCP 5044.

Lumberjack protocol using TLS mutual authentication. Certificates generated as part of the install, and downloaded as a ZIP from the Linux server. | On the Windows Event Collector, Press Windows key + R. Then type 'services.msc' to access services on this machine. You should have:

‘winlogbeat’.

It should be set to automatically start and is running. | %programdata%\winlogbeat\logs\winlogbeat | TBC | | d | Inbound TCP 5044.

Lumberjack protocol using TLS mutual authentication. Certificates generated as part of the install. | On the Linux server type ‘sudo docker stack ps lme’, and check that lme_logstash, lme_kibana and lme_elasticsearch all have a **current status** of running. | On the Linux server type:

‘sudo docker service logs -f lme_logstash’ | TBC | -## Chapter 1 - Setting up Windows Event Forwarding - -### Installing Group Policy Management Tools - -If you receive the error `Windows cannot find 'gpmc.msc'`, you need to install the optional feature `Group Policy Management Tools`. - - - For Windows Server, follow Microsoft's instructions [here](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy#install-group-policy-management-tools). In short, you need to add the "Group Policy Management" Feature from the "Add Roles and Features" menu in Server Manager. - - For Windows 10/11, open the "Run" dialog box by pressing Windows key + R. Run the command `ms-settings:optionalfeatures` to open Windows Optional Features in Settings. Select "Add a Feature," then scroll down until you find `RSAT: Group Policy Management Tools`. Check the box next to it and select install. - - ![add optional feature](/docs/imgs/gpo_pics/optional_features.png) -

- Figure 2: Add a feature -

- - ![install gpmc.msc](/docs/imgs/gpo_pics/rsat_gpmc_optional_features.png) -

- Figure 3: Install RSAT: Group Policy Management Tools -

- -- Note: You only need `gpmc.msc` installed on one machine to manage the others. For example, you can install it only on the Domain Controller and modify the Group Policy from that machine. - -### Installing Active Directory Domain Services - -If you receive the error `dsa.msc` cannot be found, you will need to install `Active Directoy Domain Services`. The process is nearly identical to the above section [Installing Group Policy Management Tools](#installing-group-policy-management-tools), save for the following exceptions: - - - For Windows Server, the feature is located under "Remote Server Administration Tools". Expand by pressing the arrow on the left and check the box next to `Role Administration Tools`. The other nested features should be selected as well. - - For Windows 10/11, the Optional Feature to install is called `RSAT: Active Directory Domain Services and Lightweight Directory Services Tools`. - -## Chapter 2 - Installing Sysmon +## Sysmon/Auditd installation: If you are having trouble not seeing Sysmon logs in the client's Event Viewer or not seeing forwarded logs on the WEC, first try restarting all of your systems and running `gpupdate /force` on the domain controller and clients. -### No Logs Forwarded from Clients +### No Logs Forwarded from Clients TODO update for new sysmon instructions When diagnosing issues in installing Sysmon on the clients using Group Policy, the first place to check is `Task Scheduler` on one of the clients. Look for `LME-Sysmon-Task` listed under "Active Tasks." Based on whether or not the task is listed, different troubleshooting steps will prove useful: @@ -70,27 +42,9 @@ Windows Tasks are a fickle beast. In order for a task to trigger for the first t #### 3. The task runs, but Sysmon is not installed -If you don't see `sysmon64` listed in `services.msc`, it's likely the install script failed somehow. Double check that the files are organized correctly according to the diagram in the [Chapter 2 checklist](/docs/markdown/chapter2.md#chapter-2---checklist). - -## Chapter 3 - Installing the ELK Stack and Retrieving Logs - -### Events not forwarded to Kibana -The `winlogbeat` service installed in [section 3.3](/docs/markdown/chapter3/chapter3.md#33-configuring-winlogbeat-on-windows-event-collector-server) is responsible for sending events from the collector to Kibana. Confirm the `winlogbeat` service is running and check the log file (`C:\ProgramData\winlogbeat\logs`) for errors. - -By default the `ForwardedEvents` maximum log size is around 20MB so events will be lost if the `winlogbeat` service stops. Consider increasing the size of the `ForwardedEvents` log file to help reduce log loss in this scenario. Historical logs are sent once the `winlogbeat` service starts. - -* Open Microsoft Event View (`eventvwr`) -* Expand _Windows Logs_ and right click _Forwarded Events_ -* Click _properties_ -* Adjust \_Maximum log size (KB)_ to a higher value. Note that the system will automatically adjust the size to the nearest multiple of 64KB. - -![Adjusting the log size](/docs/imgs/AdjustForwardedEventsLogSize.png) - -### Events not forwarding from Domain Controllers -Please be aware that Logging Made Easy does not currently support logging Domain Controllers, and the log volumes may be significant from servers with this role. If you wish to proceed forwarding logs from your Domain Controllers please be aware you do this at your own risk! Monitoring such servers has not been tested and may have unintended side effects. - - +If you don't see `sysmon64` listed in `services.msc`, it's likely the install script failed somehow. +## Logging Issues ### Space issues during install: If there are size constraints on your system and your system doesn't meet our expected requirements, you could run into issues like this [ISSUE](https://github.com/cisagov/LME/issues/19). @@ -104,16 +58,17 @@ root@util:~# resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv ### Containers restarting/not running: Usually if you have issues with containers restarting there is probably something wrong with your host or the container itself. Like in the above sample, a wrong password could be preventing the Elastic Stack from operating properly. You can check the container logs like so: -``` -#TO list the name of the container -sudo docker ps --format "{{.Names}}" +```bash +sudo -i podman ps --format "{{.Names}} {{.Status}}" +``` +```bash #Using the above name you found, check its logs here. -sudo docker logs -f [CONTAINER_NAME] +sudo -i podman logs -f $CONTAINER_NAME ``` Hopefully that is enough to determine the issue, but below we have some common issues you could encounter: -#### Directory Permission issues +#### Directory Permission issues TODO redo this for podman If you encounter errors like [this](https://github.com/cisagov/LME/issues/15) in the container logs, probably your host ownership or permissions for mounted files, don't match what the container expects them to be. In this case the `/usr/share/elasticsearch/backups` which is mapped from `/opt/lme/backups` on the host. You can see this in the [docker-compose-stack.yml](https://github.com/cisagov/LME/blob/main/Chapter%203%20Files/docker-compose-stack.yml) file: ``` @@ -135,55 +90,76 @@ The user id in the container is 1000, so by setting the proper owner we fix the We know this by investigating the backing docker container image for elasticsearch [LINK](https://github.com/elastic/elasticsearch/blob/61d59b31a27448e3d7d28907717b1b8c23f52f3e/distribution/docker/src/docker/Dockerfile#L185) [GITHUB](https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile) -#### deploy.sh stalls on: waiting for elasticsearch to connect -This was a bug that was fixed in the current iteration of deploy.sh. This occurs if the `elastic` user password was already set in a previous deployment of LME. The easiest fix for this is to delete your old LME volumes as that will clear out any old settings that would be preventing install. + +## Container Troubleshooting: + +### "dependent containers which must be removed" +sometimes podman doesn't kill containers properly when you stop and start `lme.service` + +If you get the below error after inspecting the logs in systemd: +```bash +#journal: +journalctl -xeu lme-elasticsearch.service +#OR systemctl +systemctl status lme* ``` -#DONT RUN THIS IF YOU HAVE DATA YOU WANT TO PRESERVE!! -sudo docker volume rm lme_esdata -sudo docker volume rm lme_logstashdata + +ERROR: +```bash +ubuntu lme-elasticsearch[43436]: Error: container bf9cb322d092c13126bd0341a1b9c5e03b475599e6371e82d4d866fb088fc3c4 has dependent containers which must be removed before it: ff7a6b654913838050360a2cea14fa1fdf5be1d542e5420354ddf03b88a1d2c9: container already exists ``` -However most users will probably want to preserve their data, so using the following method you can reset the user password for the built-in elastic user. -Run the following commands to reset your user password to a known password +Then you'll need to do the following: +1. kill the other containers it lists manually +``` +sudo -i podman rm ff7a6b654913838050360a2cea14fa1fdf5be1d542e5420354ddf03b88a1d2c9 +sudo -i podman rm bf9cb322d092c13126bd0341a1b9c5e03b475599e6371e82d4d866fb088fc3c4 ``` -#grab the name: -sudo docker ps --format "{{.Names}}" | grep -i elastic -#go into elasticsearch container -sudo docker exec -it ${NAME_HERE} /bin/bash -#ignore cert issues with our self signed cert: -echo "xpack.security.http.ssl.verification_mode: certificate" >> config/elasticsearch.yml -#reset in the container: -#add a -f if needed -elasticsearch-reset-password -v -u elastic -i --url https://localhost:9200 +2. remove other containers that are dead: +``` +sudo -i podman ps -a +sudo podman rm $CONTAINER_ID +``` +4. restart the `lme.service` +``` +systemctl restart lme.service ``` -If the elasticsearch-reset-password is not available in your version of elasticsearch, you may be able to try recreating the container with a newer version of LME and running the same above steps. We have not tested this last suggestion, so attempting this last step won't be supported, but is worth a try if none of the above works. -### Elasticsearch fails to boot on Linux server -Sometimes environmental differences can make the installation process get screwed up [ISSUE](https://github.com/cisagov/LME/issues/21). If you have the luxury, you could perform a full reinstall: -If you are unable to access https://, this is most likely because the elasticsearch service fails to run on the Linux server. To perform a full reinstall: -``` -cd /opt/lme/Chapter\ 3\ Files/ -sudo ./deploy.sh uninstall -#delete everything: -rm -r /opt/lme -#Reclone the LME repository into /opt/lme/: -git clone git@github.com:cisagov/LME.git /opt/lme/ -#Navigate back to Chapter 3 Files: -cd /opt/lme/Chapter\ 3\ Files/ -sudo ./deploy.sh install -#Save credentials, then continue with Chapter 3 installation +### Memory in containers (need more ram//less ram usage) +If you're on a resource constrained host and need to limit/edit the memory used by the containers add the following into the quadlet file. The following is a git diff showing adding memory into the elasticsearch container. This can be done for any other quadlet as well. + +```bash +diff --git a/quadlet/lme-elasticsearch.container b/quadlet/lme-elasticsearch.container +index da3091a..fad3e8b 100644 +--- a/quadlet/lme-elasticsearch.container ++++ b/quadlet/lme-elasticsearch.container +@@ -22,7 +22,7 @@ Secret=kibana_system,type=env,target=KIBANA_PASSWORD + EnvironmentFile=/opt/lme/lme-environment.env + Image=localhost/elasticsearch:LME_LATEST + Network=lme +-PodmanArgs=--memory 8gb --network-alias lme-elasticsearch --health-interval=2s ++PodmanArgs= --network-alias lme-elasticsearch --health-interval=2s + PublishPort=9200:9200 + Ulimit=memlock=-1:-1 + Volume=lme_certs:/usr/share/elasticsearch/config/certs ``` -Optionally you could uninstall docker entirely and reinstall it from the deploy.sh script. If you do end up removing Docker this link could be helpful: https://askubuntu.com/a/1021506. -## Chapter 4 and Beyond +### JVM heap size TODO finish +It may be that you have alot of ram to work with and want your container to consume that RAM (especially in the case of elasticsearch running under the Java Virtual Machine. Elasticsearch is written in Java). + +So you'll want to edit the JVM options: [ELASTIC_DOCS_JVM](https://www.elastic.co/guide/en/elasticsearch/reference/current/advanced-configuration.html) +To do that in the container, you'll want to.... + + +## Elastic troubleshooting steps ### Manual Dashboard Install This step should not be required by default, and should only be used if the installer has failed to automatically populate the expected dashboards or if you wish to make use of your own modified version of the supplied visualizations. Each dashboard and its visualization objects is contained within a NDJSON file (previously JSON) and can be easily imported -You can now import the dashboards by clicking ‘Management’ -> ‘Stack Management’ -> ‘Saved Objects’. Please follow the steps in Figure 4, and the NDJSON files are located in [Chapter 4 Files\dashboards](/Chapter%204%20Files/dashboards). +You can now import the dashboards by clicking ‘Management’ -> ‘Stack Management’ -> ‘Saved Objects’. Please follow the steps in Figure 4, and the NDJSON files are located in [dashboards/](/dashboards). ![Importing Objects](/docs/imgs/import.png) @@ -215,11 +191,11 @@ Select "Index Patterns" under Kibana Stack Management: ![Check Default Index](/docs/imgs/index-patterns.png) -Verify that the "Default" label is set next to the ```winlogbeat-*``` Index pattern: +Verify that the "Default" label is set next to the ```INDEX_NAME-*``` Index pattern: ![Check Default Index](/docs/imgs/default-winlogbeat.png) -If this Index pattern is not selected as the default, this can be re-done by clicking on the ```winlogbeat-*``` pattern and then selecting the following option in the subsequent page: +If this Index pattern is not selected as the default, this can be re-done by clicking on the ```INDEX_NAME-*``` pattern and then selecting the following option in the subsequent page: ![Set Default Index](/docs/imgs/default-index-pattern.png) @@ -280,15 +256,6 @@ Note that this will need to be run for each index that contains problematic data For security the self-signed certificates generated for use by LME at install time will only remain valid for a period of two years, which will cause LME to stop functioning once these certificates expire. In this case the certificates can be recreated by following the instructions detailed [here](/docs/markdown/maintenance/certificates.md#regenerating-self-signed-certificates). -### Dashboard Update Script Failing - -If you encounter an error when the dashboards are updated using the dashboard update script, either manually or as part of automatic updates, this may mean that your current version of Elastic is too old to support the minimum functionality required for the new dashboard versions. Ensure that the latest supported version of the Elastic stack is in use with the following command: -``` -cd /opt/lme/Chapter\ 1\ Files/ -sudo ./deploy.sh update -``` -Then upload the latest dashboards by following one of the methods described [here](/docs/markdown/chapter4.md#411-import-initial-dashboards). - ## Other Common Errors @@ -302,13 +269,14 @@ LME currently runs using the docker stack deployment architecture. To Stop LME: ``` -sudo docker stack rm lme +sudo systemctl stop lme.service ``` To Start LME: ``` -sudo docker stack deploy lme --compose-file /opt/lme/Chapter\ 3\ Files/docker-compose-stack-live.yml +sudo systemctl restart lme.service ``` + ## Using API ### Changing elastic Username Password diff --git a/quadlet/lme-elasticsearch.container b/quadlet/lme-elasticsearch.container index da3091a4..fad3e8bb 100644 --- a/quadlet/lme-elasticsearch.container +++ b/quadlet/lme-elasticsearch.container @@ -22,7 +22,7 @@ Secret=kibana_system,type=env,target=KIBANA_PASSWORD EnvironmentFile=/opt/lme/lme-environment.env Image=localhost/elasticsearch:LME_LATEST Network=lme -PodmanArgs=--memory 8gb --network-alias lme-elasticsearch --health-interval=2s +PodmanArgs= --network-alias lme-elasticsearch --health-interval=2s PublishPort=9200:9200 Ulimit=memlock=-1:-1 Volume=lme_certs:/usr/share/elasticsearch/config/certs diff --git a/quadlet/lme-kibana.container b/quadlet/lme-kibana.container index cbbba789..fe0e9c7b 100644 --- a/quadlet/lme-kibana.container +++ b/quadlet/lme-kibana.container @@ -20,7 +20,7 @@ Secret=kibana_system,type=env,target=ELASTICSEARCH_PASSWORD EnvironmentFile=/opt/lme/lme-environment.env Image=localhost/kibana:LME_LATEST Network=lme -PodmanArgs=--memory 4gb --network-alias lme-kibana --requires lme-elasticsearch --health-interval=2s +PodmanArgs= --network-alias lme-kibana --requires lme-elasticsearch --health-interval=2s PublishPort=5601:5601,443:5601 Volume=lme_certs:/usr/share/kibana/config/certs Volume=lme_kibanadata:/usr/share/kibana/data diff --git a/scripts/wazuh_rbac.sh b/scripts/wazuh_rbac.sh new file mode 100755 index 00000000..53e89ec8 --- /dev/null +++ b/scripts/wazuh_rbac.sh @@ -0,0 +1,3 @@ +#!/bin/bash +source /root/.profile +podman exec -it lme-wazuh-manager /var/ossec/bin/rbac_control change-password