[SIEM] Overview Page - Expand Winlogbeat Stats (#55696)
parent
e39ef65c4c
commit
1e91775a7f
|
@ -29,7 +29,8 @@
|
|||
"endgameRegistry": 396,
|
||||
"endgameSecurity": 397,
|
||||
"filebeatSystemModule": 890,
|
||||
"winlogbeat": 100,
|
||||
"winlogbeatSecurity": 70,
|
||||
"winlogbeatMWSysmonOperational": 30,
|
||||
"__typename": "OverviewHostData"
|
||||
},
|
||||
"__typename": "Source"
|
||||
|
|
|
@ -61,9 +61,13 @@ export const STAT_USER = {
|
|||
value: '789',
|
||||
domId: '[data-test-subj="host-stat-auditbeatUser"]',
|
||||
};
|
||||
export const STAT_WINLOGBEAT = {
|
||||
value: '100',
|
||||
domId: '[data-test-subj="host-stat-winlogbeat"]',
|
||||
export const STAT_WINLOGBEAT_SECURITY = {
|
||||
value: '70',
|
||||
domId: '[data-test-subj="host-stat-winlogbeatSecurity"]',
|
||||
};
|
||||
export const STAT_WINLOGBEAT_MWSYSMON_OPERATIONAL = {
|
||||
value: '30',
|
||||
domId: '[data-test-subj="host-stat-winlogbeatMWSysmonOperational"]',
|
||||
};
|
||||
|
||||
export const HOST_STATS = [
|
||||
|
@ -81,7 +85,8 @@ export const HOST_STATS = [
|
|||
STAT_PACKAGE,
|
||||
STAT_PROCESS,
|
||||
STAT_USER,
|
||||
STAT_WINLOGBEAT,
|
||||
STAT_WINLOGBEAT_SECURITY,
|
||||
STAT_WINLOGBEAT_MWSYSMON_OPERATIONAL,
|
||||
];
|
||||
|
||||
// Network Stats
|
||||
|
|
|
@ -602,7 +602,7 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
|
|||
>
|
||||
<EuiFlexGroup
|
||||
justifyContent="spaceBetween"
|
||||
key="winlogbeat"
|
||||
key="winlogbeatSecurity"
|
||||
>
|
||||
<EuiFlexItem
|
||||
grow={false}
|
||||
|
@ -613,19 +613,51 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
|
|||
>
|
||||
<styled.div>
|
||||
<FormattedMessage
|
||||
defaultMessage="Winlogbeat"
|
||||
id="xpack.siem.overview.winlogbeatTitle"
|
||||
defaultMessage="Security"
|
||||
id="xpack.siem.overview.winlogbeatSecurityTitle"
|
||||
values={Object {}}
|
||||
/>
|
||||
</styled.div>
|
||||
</EuiText>
|
||||
</EuiFlexItem>
|
||||
<EuiFlexItem
|
||||
data-test-subj="host-stat-winlogbeat"
|
||||
data-test-subj="host-stat-winlogbeatSecurity"
|
||||
grow={false}
|
||||
>
|
||||
<StatValue
|
||||
count={296999}
|
||||
count={195929}
|
||||
isGroupStat={false}
|
||||
isLoading={false}
|
||||
max={296999}
|
||||
/>
|
||||
</EuiFlexItem>
|
||||
</EuiFlexGroup>
|
||||
<EuiFlexGroup
|
||||
justifyContent="spaceBetween"
|
||||
key="winlogbeatMWSysmonOperational"
|
||||
>
|
||||
<EuiFlexItem
|
||||
grow={false}
|
||||
>
|
||||
<EuiText
|
||||
color="subdued"
|
||||
size="s"
|
||||
>
|
||||
<styled.div>
|
||||
<FormattedMessage
|
||||
defaultMessage="Microsoft-Windows-Sysmon/Operational"
|
||||
id="xpack.siem.overview.winlogbeatMWSysmonOperational"
|
||||
values={Object {}}
|
||||
/>
|
||||
</styled.div>
|
||||
</EuiText>
|
||||
</EuiFlexItem>
|
||||
<EuiFlexItem
|
||||
data-test-subj="host-stat-winlogbeatMWSysmonOperational"
|
||||
grow={false}
|
||||
>
|
||||
<StatValue
|
||||
count={101070}
|
||||
isGroupStat={false}
|
||||
isLoading={false}
|
||||
max={296999}
|
||||
|
|
|
@ -117,11 +117,24 @@ export const getOverviewHostStats = (data: OverviewHostData): FormattedStat[] =>
|
|||
id: 'filebeatSystemModule',
|
||||
},
|
||||
{
|
||||
count: data.winlogbeat ?? 0,
|
||||
count: data.winlogbeatSecurity ?? 0,
|
||||
title: (
|
||||
<FormattedMessage id="xpack.siem.overview.winlogbeatTitle" defaultMessage="Winlogbeat" />
|
||||
<FormattedMessage
|
||||
id="xpack.siem.overview.winlogbeatSecurityTitle"
|
||||
defaultMessage="Security"
|
||||
/>
|
||||
),
|
||||
id: 'winlogbeat',
|
||||
id: 'winlogbeatSecurity',
|
||||
},
|
||||
{
|
||||
count: data.winlogbeatMWSysmonOperational ?? 0,
|
||||
title: (
|
||||
<FormattedMessage
|
||||
id="xpack.siem.overview.winlogbeatMWSysmonOperational"
|
||||
defaultMessage="Microsoft-Windows-Sysmon/Operational"
|
||||
/>
|
||||
),
|
||||
id: 'winlogbeatMWSysmonOperational',
|
||||
},
|
||||
];
|
||||
|
||||
|
@ -182,7 +195,7 @@ const hostStatGroups: StatGroup[] = [
|
|||
defaultMessage="Winlogbeat"
|
||||
/>
|
||||
),
|
||||
statIds: ['winlogbeat'],
|
||||
statIds: ['winlogbeatSecurity', 'winlogbeatMWSysmonOperational'],
|
||||
},
|
||||
];
|
||||
|
||||
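Review bot: The new message id `xpack.siem.overview.winlogbeatMWSysmonOperational` beside `defaultMessage="Microsoft-Windows-Sysmon/Operational"` breaks the naming pattern of its sibling `xpack.siem.overview.winlogbeatSecurityTitle` and of the removed `winlogbeatTitle`; without the `Title` suffix it reads like a stat id rather than a message id. Rename it to `id="xpack.siem.overview.winlogbeatMWSysmonOperationalTitle"` here and in the Jest snapshot that records the same id. The `hostStatGroups` entry keeps `defaultMessage="Winlogbeat"` as the group heading while its `statIds` now lists only the two channels; the heading's own id is outside the hunk, so it is worth confirming it is not `xpack.siem.overview.winlogbeatTitle`, which this commit drops from the ja and zh translation files. Both getOverviewHostStats and hostStatGroups start outside their hunks.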
|
|
|
@ -22,6 +22,7 @@ export const mockData: { OverviewHost: OverviewHostData } = {
|
|||
endgameRegistry: 39161718,
|
||||
endgameSecurity: 39202122,
|
||||
filebeatSystemModule: 568,
|
||||
winlogbeat: 296999,
|
||||
winlogbeatSecurity: 195929,
|
||||
winlogbeatMWSysmonOperational: 101070,
|
||||
},
|
||||
};
|
||||
|
|
|
@ -28,7 +28,8 @@ export type OverviewStatId =
|
|||
| 'packetbeatDNS'
|
||||
| 'packetbeatFlow'
|
||||
| 'packetbeatTLS'
|
||||
| 'winlogbeat';
|
||||
| 'winlogbeatSecurity'
|
||||
| 'winlogbeatMWSysmonOperational';
|
||||
|
||||
export interface FormattedStat {
|
||||
count: number;
|
||||
|
|
|
@ -31,7 +31,8 @@ export const overviewHostQuery = gql`
|
|||
endgameRegistry
|
||||
endgameSecurity
|
||||
filebeatSystemModule
|
||||
winlogbeat
|
||||
winlogbeatSecurity
|
||||
winlogbeatMWSysmonOperational
|
||||
inspect @include(if: $inspect) {
|
||||
dsl
|
||||
response
|
||||
|
|
|
@ -9291,7 +9291,15 @@
|
|||
"deprecationReason": null
|
||||
},
|
||||
{
|
||||
"name": "winlogbeat",
|
||||
"name": "winlogbeatSecurity",
|
||||
"description": "",
|
||||
"args": [],
|
||||
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
|
||||
"isDeprecated": false,
|
||||
"deprecationReason": null
|
||||
},
|
||||
{
|
||||
"name": "winlogbeatMWSysmonOperational",
|
||||
"description": "",
|
||||
"args": [],
|
||||
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
|
||||
|
|
|
@ -1847,7 +1847,9 @@ export interface OverviewHostData {
|
|||
|
||||
filebeatSystemModule?: Maybe<number>;
|
||||
|
||||
winlogbeat?: Maybe<number>;
|
||||
winlogbeatSecurity?: Maybe<number>;
|
||||
|
||||
winlogbeatMWSysmonOperational?: Maybe<number>;
|
||||
|
||||
inspect?: Maybe<Inspect>;
|
||||
}
|
||||
|
@ -4029,7 +4031,9 @@ export namespace GetOverviewHostQuery {
|
|||
|
||||
filebeatSystemModule: Maybe<number>;
|
||||
|
||||
winlogbeat: Maybe<number>;
|
||||
winlogbeatSecurity: Maybe<number>;
|
||||
|
||||
winlogbeatMWSysmonOperational: Maybe<number>;
|
||||
|
||||
inspect: Maybe<Inspect>;
|
||||
};
|
||||
|
|
|
@ -35,7 +35,8 @@ export const overviewSchema = gql`
|
|||
endgameRegistry: Float
|
||||
endgameSecurity: Float
|
||||
filebeatSystemModule: Float
|
||||
winlogbeat: Float
|
||||
winlogbeatSecurity: Float
|
||||
winlogbeatMWSysmonOperational: Float
|
||||
inspect: Inspect
|
||||
}
|
||||
|
||||
|
|
|
@ -1849,7 +1849,9 @@ export interface OverviewHostData {
|
|||
|
||||
filebeatSystemModule?: Maybe<number>;
|
||||
|
||||
winlogbeat?: Maybe<number>;
|
||||
winlogbeatSecurity?: Maybe<number>;
|
||||
|
||||
winlogbeatMWSysmonOperational?: Maybe<number>;
|
||||
|
||||
inspect?: Maybe<Inspect>;
|
||||
}
|
||||
|
@ -7831,7 +7833,13 @@ export namespace OverviewHostDataResolvers {
|
|||
|
||||
filebeatSystemModule?: FilebeatSystemModuleResolver<Maybe<number>, TypeParent, TContext>;
|
||||
|
||||
winlogbeat?: WinlogbeatResolver<Maybe<number>, TypeParent, TContext>;
|
||||
winlogbeatSecurity?: WinlogbeatSecurityResolver<Maybe<number>, TypeParent, TContext>;
|
||||
|
||||
winlogbeatMWSysmonOperational?: WinlogbeatMwSysmonOperationalResolver<
|
||||
Maybe<number>,
|
||||
TypeParent,
|
||||
TContext
|
||||
>;
|
||||
|
||||
inspect?: InspectResolver<Maybe<Inspect>, TypeParent, TContext>;
|
||||
}
|
||||
|
@ -7906,7 +7914,12 @@ export namespace OverviewHostDataResolvers {
|
|||
Parent = OverviewHostData,
|
||||
TContext = SiemContext
|
||||
> = Resolver<R, Parent, TContext>;
|
||||
export type WinlogbeatResolver<
|
||||
export type WinlogbeatSecurityResolver<
|
||||
R = Maybe<number>,
|
||||
Parent = OverviewHostData,
|
||||
TContext = SiemContext
|
||||
> = Resolver<R, Parent, TContext>;
|
||||
export type WinlogbeatMwSysmonOperationalResolver<
|
||||
R = Maybe<number>,
|
||||
Parent = OverviewHostData,
|
||||
TContext = SiemContext
|
||||
|
|
|
@ -143,7 +143,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
|
|||
mockNoDataResponse.aggregations.system_module.process_count.doc_count = 0;
|
||||
mockNoDataResponse.aggregations.system_module.user_count.doc_count = 0;
|
||||
mockNoDataResponse.aggregations.system_module.filebeat_count.doc_count = 0;
|
||||
mockNoDataResponse.aggregations.winlog_count.doc_count = 0;
|
||||
mockNoDataResponse.aggregations.winlog_module.security_event_count.doc_count = 0;
|
||||
mockNoDataResponse.aggregations.winlog_module.mwsysmon_operational_event_count.doc_count = 0;
|
||||
const mockCallWithRequest = jest.fn();
|
||||
mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
|
||||
const mockFramework: FrameworkAdapter = {
|
||||
|
@ -181,7 +182,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
|
|||
endgameRegistry: 0,
|
||||
endgameSecurity: 0,
|
||||
filebeatSystemModule: 0,
|
||||
winlogbeat: 0,
|
||||
winlogbeatSecurity: 0,
|
||||
winlogbeatMWSysmonOperational: 0,
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
@ -117,7 +117,16 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
|
|||
'aggregations.system_module.filebeat_count.doc_count',
|
||||
response
|
||||
),
|
||||
winlogbeat: getOr(null, 'aggregations.winlog_count.doc_count', response),
|
||||
winlogbeatSecurity: getOr(
|
||||
null,
|
||||
'aggregations.winlog_module.security_event_count.doc_count',
|
||||
response
|
||||
),
|
||||
winlogbeatMWSysmonOperational: getOr(
|
||||
null,
|
||||
'aggregations.winlog_module.mwsysmon_operational_event_count.doc_count',
|
||||
response
|
||||
),
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
|
@ -137,7 +137,14 @@ export const mockResponseHost = {
|
|||
user_count: { doc_count: 1979 },
|
||||
filebeat_count: { doc_count: 225 },
|
||||
},
|
||||
winlog_count: { doc_count: 737 },
|
||||
winlog_module: {
|
||||
security_event_count: {
|
||||
doc_count: 523,
|
||||
},
|
||||
mwsysmon_operational_event_count: {
|
||||
doc_count: 214,
|
||||
},
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
|
@ -160,5 +167,6 @@ export const mockResultHost = {
|
|||
endgameRegistry: 896,
|
||||
endgameSecurity: 897,
|
||||
filebeatSystemModule: 225,
|
||||
winlogbeat: 737,
|
||||
winlogbeatSecurity: 523,
|
||||
winlogbeatMWSysmonOperational: 214,
|
||||
};
|
||||
|
|
|
@ -203,12 +203,28 @@ export const buildOverviewHostQuery = ({
|
|||
},
|
||||
},
|
||||
},
|
||||
winlog_count: {
|
||||
winlog_module: {
|
||||
filter: {
|
||||
term: {
|
||||
'agent.type': 'winlogbeat',
|
||||
},
|
||||
},
|
||||
aggs: {
|
||||
mwsysmon_operational_event_count: {
|
||||
filter: {
|
||||
term: {
|
||||
'winlog.channel': 'Microsoft-Windows-Sysmon/Operational',
|
||||
},
|
||||
},
|
||||
},
|
||||
security_event_count: {
|
||||
filter: {
|
||||
term: {
|
||||
'winlog.channel': 'Security',
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
system_module: {
|
||||
filter: {
|
||||
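Review bot: The `winlog_module` filter aggregation replaces `winlog_count` outright, so Winlogbeat events whose `winlog.channel` is neither `Security` nor `Microsoft-Windows-Sysmon/Operational` (System, Application, PowerShell and other channels) no longer contribute to any overview figure; the API integration test in this commit shows exactly that case, where `winlogbeat: 1` turns into two zeros. If dropping the total is intended, a comment above `winlog_module: {` such as `// Only the Security and Sysmon/Operational channels are surfaced; other winlogbeat channels are not counted in the overview` should say so; otherwise keep `winlog_count` alongside it or add an "other channels" sub-bucket. The two `term` clauses also assume `winlog.channel` is a keyword field holding exact, case-sensitive channel names, which should be confirmed against the index mapping rather than relied on. buildOverviewHostQuery starts outside the hunk.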
|
|
|
@ -11343,7 +11343,6 @@
|
|||
"xpack.siem.overview.startedText.docsLinkText": "ドキュメンテーション",
|
||||
"xpack.siem.overview.startedText.siemSolutionLinkText": "SIEM ソリューション",
|
||||
"xpack.siem.overview.startedTitle": "はじめて使う",
|
||||
"xpack.siem.overview.winlogbeatTitle": "Winlogbeat",
|
||||
"xpack.siem.pages.fourohfour.noContentFoundDescription": "コンテンツがありません",
|
||||
"xpack.siem.paginatedTable.rowsButtonLabel": "ページごとの行数",
|
||||
"xpack.siem.paginatedTable.showingSubtitle": "表示中",
|
||||
|
|
|
@ -11342,7 +11342,6 @@
|
|||
"xpack.siem.overview.startedText.docsLinkText": "文档",
|
||||
"xpack.siem.overview.startedText.siemSolutionLinkText": "SIEM 解决方案",
|
||||
"xpack.siem.overview.startedTitle": "入门",
|
||||
"xpack.siem.overview.winlogbeatTitle": "Winlogbeat",
|
||||
"xpack.siem.pages.fourohfour.noContentFoundDescription": "未找到任何内容",
|
||||
"xpack.siem.paginatedTable.rowsButtonLabel": "每页行数",
|
||||
"xpack.siem.paginatedTable.showingSubtitle": "显示",
|
||||
|
|
|
@ -35,7 +35,8 @@ export default function({ getService }: FtrProviderContext) {
|
|||
endgameRegistry: 1,
|
||||
endgameSecurity: 4,
|
||||
filebeatSystemModule: 0,
|
||||
winlogbeat: 1,
|
||||
winlogbeatSecurity: 0,
|
||||
winlogbeatMWSysmonOperational: 0,
|
||||
__typename: 'OverviewHostData',
|
||||
};
|
||||
|
||||
|
|