diff --git a/x-pack/plugins/ml/public/jobs/new_job/simple/recognize/create_job/create_job.html b/x-pack/plugins/ml/public/jobs/new_job/simple/recognize/create_job/create_job.html
index 84ff772afc85..68729812b069 100644
--- a/x-pack/plugins/ml/public/jobs/new_job/simple/recognize/create_job/create_job.html
+++ b/x-pack/plugins/ml/public/jobs/new_job/simple/recognize/create_job/create_job.html
@@ -225,7 +225,7 @@

{{ui.kibanaLabels[key]}}

-
+
{{obj.title}}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_audit_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_audit_events.json
new file mode 100644
index 000000000000..26715920b064
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_audit_events.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Docker: Audit Events",
+ "description": "All events occurring within docker containers",
+ "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":13,\"i\":\"1\"},\"version\":\"6.4.0\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_container_count\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":13,\"y\":0,\"w\":35,\"h\":13,\"i\":\"2\"},\"version\":\"6.4.0\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_container_images\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"3\"},\"version\":\"6.4.0\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_container_event_volume\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":26,\"w\":24,\"h\":15,\"i\":\"4\"},\"version\":\"6.4.0\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_processes\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":26,\"w\":24,\"h\":15,\"i\":\"5\"},\"version\":\"6.4.0\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_process_presence\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":15,\"i\":\"6\"},\"version\":\"6.4.0\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_commands\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":41,\"w\":24,\"h\":15,\"i\":\"7\"},\"version\":\"6.4.0\",\"panelIndex\":\"7\",\"type\":\"search\",\"id\":\"ml_auditbeat_docker_events\",\"embeddableConfig\":{}}]",
+ "optionsJSON": "{\"darkTheme\":false,\"useMargins\":true,\"hidePanelTitles\":false}",
+ "version": 1,
+ "timeRestore": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_events.json
new file mode 100644
index 000000000000..e11519c4b3d8
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_events.json
@@ -0,0 +1,16 @@
+{
+ "title": "ML Auditbeat Docker: Docker Events",
+ "description": "Audit Events Correlated with Docker Metadata",
+ "hits": 0,
+ "columns": [
+ "_source"
+ ],
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}}]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_commands.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_commands.json
new file mode 100644
index 000000000000..d83c5c0b4243
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_commands.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Docker: Commands",
+ "visState": "{\"title\":\"ML Auditbeat Docker: Commands\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.title\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_docker_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_count.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_count.json
new file mode 100644
index 000000000000..bd4806fbf2d4
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_count.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Docker: Container Count",
+ "visState": "{\"title\":\"ML Auditbeat Docker: Container Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"docker.container.id\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_docker_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_event_volume.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_event_volume.json
new file mode 100644
index 000000000000..a3dc7b816789
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_event_volume.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Docker: Container Event Volume",
+ "visState": "{\"title\":\"ML Auditbeat Docker: Container Event Volume\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"docker.container.id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_docker_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_images.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_images.json
new file mode 100644
index 000000000000..749117c2ed08
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_container_images.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Docker: Container Images",
+ "visState": "{\"title\":\"ML Auditbeat Docker: Container Images\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"docker.container.image\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_docker_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_presence.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_presence.json
new file mode 100644
index 000000000000..ed90d87f1191
--- /dev/null
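Review bot: The `searchSourceJSON` of ml_auditbeat_docker_container_images declares `\"language\":\"lucene\"` (with the `language`/`query` keys in swapped order), while every other visualization in this module and the saved search it is bound to (`ml_auditbeat_docker_events`) use `kuery`. The same split appears in the hosts module further down, where ml_auditbeat_all_events uses `lucene` and ml_auditbeat_hosts_events uses `kuery`. Since the query string is empty the language has no effect today, but a mixed query language across saved objects that share a dashboard is a maintenance trap when someone later adds a filter expression. I would make this file match its siblings: `"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"`.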
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_presence.json 
@@ -0,0 +1,12 @@
+
+{
+ "title": "ML Auditbeat Docker: Process Presence",
+ "visState": "{\"title\":\"ML Auditbeat Docker: Process Presence\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Unique\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process.exe\",\"customLabel\":\"Unique\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.exe\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"docker.container.name\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"
,\"row\":true}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_docker_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_processes.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_processes.json
new file mode 100644
index 000000000000..eb0349414992
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_processes.json
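Review bot: ml_auditbeat_docker_process_presence.json starts with an empty line (the hunk is `@@ -0,0 +1,12 @@` and its first added line is blank), which is why it is 12 lines where every sibling visualization is 11; the leading blank line should be dropped so the file starts with `{` like the others. Separately, the row-split terms aggregation on `docker.container.name` uses `\"size\":1`, so the chart only ever shows the single busiest container, whereas the processes visualization that follows on this line splits with size 5; if one container is the intended scope that is worth saying in the currently empty `description`, otherwise `\"size\":5` would match its sibling.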
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Docker: Processes",
+ "visState": "{\"title\":\"ML Auditbeat Docker: Processes\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"docker.container.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"row\":true}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ 
"savedSearchId": "ml_auditbeat_docker_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json
new file mode 100644
index 000000000000..8f5e61d1b765
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json
@@ -0,0 +1,5 @@
+{
+ "src": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAgMAAAAOFJJnAAAADFBMVEUAAAAAAAABf3X////ZaOWRAAAAAXRSTlMAQObYZgAAAAFiS0dEAxEMTPIAAAAfSURBVBjTYwgNDXVqBBIMcEYAAwNTAwMD60hkYIQGAIQRIolX2EV0AAAAAElFTkSuQmCC",
+ "height": 32,
+ "width": 32
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json
new file mode 100644
index 000000000000..5aade8ad0a93
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json
@@ -0,0 +1,86 @@
+{
+ "id": "auditbeat_process_docker",
+ "title": "Auditbeat Docker processes",
+ "description": "Detect unusual processes on Docker containers",
+ "type": "Auditbeat data",
+ "logoFile": "logo.json",
+ "defaultIndexPattern": "auditbeat-*",
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "exists": {
+ "field": "auditd"
+ }
+ },
+ {
+ "exists": {
+ "field": "docker.container.id"
+ }
+ }
+ ]
+ }
+ },
+ "jobs": [
+ {
+ "id": "docker_high_count_events",
+ "file": "docker_high_count_events.json"
+ },
+ {
+ "id": "docker_suspicious_process_activity",
+ "file": "docker_suspicious_process_activity.json"
+ }
+ ],
+ "datafeeds": [
+ {
+ "id": "datafeed-docker_high_count_events",
+ "file": "datafeed_docker_high_count_events.json",
+ "job_id": "docker_high_count_events"
+ },
+ {
+ "id": "datafeed-docker_suspicious_process_activity",
+ "file": "datafeed_docker_suspicious_process_activity.json",
+ "job_id": "docker_suspicious_process_activity"
+ }
+ ],
+ "kibana": {
+ "dashboard": [
+ {
+ "id": "ml_auditbeat_docker_audit_events",
+ "file": "ml_auditbeat_docker_audit_events.json"
+ }
+ ],
+ "search": [
+ {
+ "id": "ml_auditbeat_docker_events",
+ "file": "ml_auditbeat_docker_events.json"
+ }
+ ],
+ "visualization": [
+ {
+ "id": "ml_auditbeat_docker_commands",
+ "file": "ml_auditbeat_docker_commands.json"
+ },
+ {
+ "id": "ml_auditbeat_docker_container_count",
+ "file": "ml_auditbeat_docker_container_count.json"
+ },
+ {
+ "id": "ml_auditbeat_docker_container_event_volume",
+ "file": "ml_auditbeat_docker_container_event_volume.json"
+ },
+ {
+ "id": "ml_auditbeat_docker_container_images",
+ "file": "ml_auditbeat_docker_container_images.json"
+ },
+ {
+ "id": "ml_auditbeat_docker_processes",
+ "file": "ml_auditbeat_docker_processes.json"
+ },
+ {
+ "id": "ml_auditbeat_docker_process_presence",
+ "file": "ml_auditbeat_docker_process_presence.json"
+ }
+ ]
+ }
+}
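Review bot: The recognizer `query` in manifest.json matches any document that has an `auditd` object and a `docker.container.id`, but both datafeeds on the next line only read documents with `event.type: syscall` (and a container id). An index whose docker-tagged auditd events are not syscall events would therefore be recognized as a match for this module and then feed the jobs nothing, which an analyst sees only as jobs with no results; aligning the recognizer with the datafeeds, e.g. adding `{ "match": { "event.type": "syscall" } }` to the `must` array, makes the "this module applies" signal honest. If the broader recognition is deliberate, the `description` string is the only place in a JSON file to record that, so I would extend it to say which event types the jobs actually analyze.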
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_events.json
new file mode 100644
index 000000000000..84dea03a0771
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_events.json
@@ -0,0 +1,27 @@
+{
+ "job_id": "JOB_ID",
+ "indexes": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "types": [],
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "match": {
+ "event.type": "syscall"
+ }
+ },
+ {
+ "exists": {
+ "field":"docker.container.id"
+ }
+ }
+ ]
+ }
+ },
+ "scroll_size": 1000,
+ "chunking_config": {
+ "mode": "auto"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_suspicious_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_suspicious_process_activity.json
new file mode 100644
index 000000000000..84dea03a0771
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_suspicious_process_activity.json
@@ -0,0 +1,27 @@
+{
+ "job_id": "JOB_ID",
+ "indexes": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "types": [],
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "match": {
+ "event.type": "syscall"
+ }
+ },
+ {
+ "exists": {
+ "field":"docker.container.id"
+ }
+ }
+ ]
+ }
+ },
+ "scroll_size": 1000,
+ "chunking_config": {
+ "mode": "auto"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_events.json
new file mode 100644
index 000000000000..c6423265cb0e
--- /dev/null
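Review bot: datafeed_docker_high_count_events.json and datafeed_docker_suspicious_process_activity.json are byte-identical (both `index` lines show the same blob `84dea03a0771`), so the datafeed query that decides which audit events the detectors ever see now lives in two places that will have to be edited in lockstep; since the module format appears to require one datafeed file per job, I would at least note in each file's surrounding manifest entry, or in a README for the module, that the two must stay in sync. Within the files, `"field":"docker.container.id"` is the only key in the module written without a space after the colon; `"field": "docker.container.id"` matches the rest. `"types": []` is carried along as an empty list; if nothing reads it, dropping it avoids the question of what an empty type list means for the datafeed.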
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_events.json
@@ -0,0 +1,35 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Auditbeat: Detect Unusual Increases in Docker Process Volume",
+ "groups": ["auditbeat"],
+ "analysis_config": {
+ "bucket_span": "1h",
+ "detectors": [
+ {
+ "detector_description": "high_count partitionfield=\"docker.container.id\"",
+ "function": "high_count",
+ "partition_field_name": "docker.container.id"
+ }
+ ],
+ "influencers": [
+ "process.exe"
+ ]
+ },
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "custom_urls": [
+ {
+ "url_name": "Docker Events",
+ "time_range": "1h",
+ "url_value": "kibana#/dashboard/ml_auditbeat_docker_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'docker.container.id:\"$docker.container.id$\"'))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_suspicious_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_suspicious_process_activity.json
new file mode 100644
index 000000000000..0e58fb96219d
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_suspicious_process_activity.json
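Review bot: docker_high_count_events.json sets `"categorization_examples_limit": 4` in `analysis_limits`, but the job defines no `categorization_field_name` and its only detector is `high_count` partitioned by `docker.container.id`, so the setting has nothing to act on; the sibling job docker_suspicious_process_activity.json on the next line omits it. I would reduce the block to `"analysis_limits": {` / `"model_memory_limit": "256mb"` / `},` so a reader does not go looking for a categorization detector that is not there. The `description` says "Process Volume" while the detector counts all syscall events per container, not processes; "Event Volume" would describe what `high_count` measures here.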
@@ -0,0 +1,35 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Auditbeat: Detect Rare Process Executions in Docker Containers",
+ "groups": ["auditbeat"],
+ "analysis_config": {
+ "bucket_span": "1h",
+ "detectors": [
+ {
+ "detector_description": "rare by 'process.exe'",
+ "function": "rare",
+ "by_field_name": "process.exe"
+ }
+ ],
+ "influencers": [
+ "process.exe",
+ "docker.container.id"
+ ]
+ },
+ "analysis_limits": {
+ "model_memory_limit": "256mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "custom_urls": [
+ {
+ "url_name": "Docker Events",
+ "time_range": "1h",
+ "url_value": "kibana#/dashboard/ml_auditbeat_docker_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'docker.container.id:\"$docker.container.id$\" AND process.exe:\"$process.exe$\"'))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_audit_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_audit_events.json
new file mode 100644
index 000000000000..e5be851d5089
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_audit_events.json
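Review bot: The custom URL in docker_suspicious_process_activity.json splices `$process.exe$` into a quoted Lucene term inside the rison-encoded `_a` parameter (`process.exe:\"$process.exe$\"`). Unlike `$docker.container.id$`, which is a hex id, `process.exe` is a filesystem path reported by the audited host, and a path containing a double quote, a single quote, parentheses or other rison/Lucene metacharacters would break or silently narrow the drill-down query, so the analyst investigating a rare execution would land on a dashboard that does not show that execution; the rarest executables are exactly the ones most likely to have unusual names. I cannot tell from this diff whether the ML custom-URL token substitution escapes the value, so I would either confirm that it does and record it in a comment next to the substitution code, or prefer a filter clause built by the substitution layer over an inline query string. This is the same pattern as the URL in docker_high_count_events.json on the previous line, which only interpolates the container id and is less exposed.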
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Audit Events",
+ "description": "All events occuring directly on host machines",
+ "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":12,\"i\":\"1\"},\"version\":\"6.4.0\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_event_volume\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":12,\"w\":24,\"h\":15,\"i\":\"2\"},\"version\":\"6.4.0\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_kernel_actions\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":12,\"w\":24,\"h\":15,\"i\":\"3\"},\"version\":\"6.4.0\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_kernel_action_presence\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":15,\"i\":\"4\"},\"version\":\"6.4.0\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_processes\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"5\"},\"version\":\"6.4.0\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_process_presence\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":42,\"w\":24,\"h\":15,\"i\":\"6\"},\"version\":\"6.4.0\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_command_line\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":42,\"w\":24,\"h\":15,\"i\":\"7\"},\"version\":\"6.4.0\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_exe_thing\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":57,\"w\":24,\"h\":15,\"i\":\"8\"},\"version\":\"6.4.0\",\"panelIndex\":\"8\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_events\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":57,\"w\":24,\"h\":15,\"i\":\"9\"},\"version\":\"6.4.0\",\"panelIndex\":\"9\",\"type\":\"search\",\"id\":\"ml_auditbeat_all_events\",\"embeddableConfig\":{}}]",
+ "optionsJSON": 
"{\"darkTheme\":false,\"useMargins\":true,\"hidePanelTitles\":false}",
+ "version": 1,
+ "timeRestore": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_all_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_all_events.json
new file mode 100644
index 000000000000..f46420eec239
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_all_events.json
@@ -0,0 +1,16 @@
+{
+ "title": "ML Auditbeat: All Events",
+ "description": "All Audit Events Captured By Auditbeat",
+ "hits": 0,
+ "columns": [
+ "_source"
+ ],
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_events.json
new file mode 100644
index 000000000000..3c0db9408e51
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_events.json
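Review bot: The hosts dashboard `panelsJSON` references the visualization ids `ml_auditbeat_hosts_kernel_actions` and `ml_auditbeat_hosts_kernel_action_presence`, and neither file is added anywhere in the part of this diff I can see (the hosts manifest is also not visible); if they do not exist in the module, panels 2 and 3 will render as missing saved objects after install, so please confirm they are part of the same change. The `description` string has a typo, `"All events occuring directly on host machines"`, which should read `"All events occurring directly on host machines"`; it is user-visible text in a shipped saved object. The dashboard also embeds the `ml_auditbeat_all_events` search, whose `searchSourceJSON` uses `lucene` while the neighbouring `ml_auditbeat_hosts_events` search uses `kuery`, so the two searches on one dashboard speak different query languages.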
@@ -0,0 +1,16 @@
+{
+ "title": "ML Auditbeat Hosts: Host Events",
+ "description": "Audit Events occurring directly on host machines",
+ "hits": 0,
+ "columns": [
+ "_source"
+ ],
+ "sort": [
+ "@timestamp",
+ "desc"
+ ],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}}]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_command_line.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_command_line.json
new file mode 100644
index 000000000000..58e5e60d9472
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_command_line.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Command Line",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Command Line\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.title\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json
new file mode 100644
index 000000000000..71ccdaeb8c88
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Event Volume",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Event Volume\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.hostname\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
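Review bot: `seriesParams[0].show` is the string `"true"` inside this `visState`, while the neighbouring flags (`addTooltip`, `addLegend`, `showCircles`) are real booleans; the same string appears in the kernel action presence, kernel actions, process presence and processes hunks. Kibana exports have historically emitted it this way and presumably tolerate it, so this is a consistency nit rather than a defect, but hand-maintained module files are easier to diff and validate if it reads `\"show\":true` like the other flags.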
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_exe_thing.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_exe_thing.json
new file mode 100644
index 000000000000..f7603880ccfe
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_exe_thing.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Exe Thing",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Exe Thing\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.summary.object.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
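Review bot: The title `ML Auditbeat Hosts: Exe Thing` reads as a placeholder; the pie buckets `process.exe` and then `auditd.summary.object.primary`, so a title naming that, e.g. `"title": "ML Auditbeat Hosts: Executables by Object"` in both the top-level `title` and the `visState` title, would tell dashboard users what they are looking at. The object id `ml_auditbeat_hosts_exe_thing` is referenced from the manifest later in this diff, so change only the display title and keep the id unless the manifest is updated in the same commit.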
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_kernel_action_presence.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_kernel_action_presence.json
new file mode 100644
index 000000000000..941f6e0e57cd
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_kernel_action_presence.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Kernel Action Presence",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Kernel Action Presence\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique count of event.action\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Unique count of event.action\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"event.action\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_kernel_actions.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_kernel_actions.json
new file mode 100644
index 000000000000..911c25101dbd
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_kernel_actions.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Kernel Actions",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Kernel Actions\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_presence.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_presence.json
new file mode 100644
index 000000000000..94a83135cf2c
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_presence.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Process Presence",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Process Presence\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique count of process.exe\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Unique count of process.exe\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process.exe\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_processes.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_processes.json
new file mode 100644
index 000000000000..bc0c6da5b861
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_processes.json
@@ -0,0 +1,11 @@
+{
+ "title": "ML Auditbeat Hosts: Processes",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Processes\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "ml_auditbeat_hosts_events",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json
new file mode 100644
index 000000000000..8f5e61d1b765
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json
@@ -0,0 +1,5 @@
+{
+ "src": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAgMAAAAOFJJnAAAADFBMVEUAAAAAAAABf3X////ZaOWRAAAAAXRSTlMAQObYZgAAAAFiS0dEAxEMTPIAAAAfSURBVBjTYwgNDXVqBBIMcEYAAwNTAwMD60hkYIQGAIQRIolX2EV0AAAAAElFTkSuQmCC",
+ "height": 32,
+ "width": 32
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json
new file mode 100644
index 000000000000..ac667e3f525b
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json
@@ -0,0 +1,96 @@
+{
+ "id": "auditbeat_process_hosts",
+ "title": "Auditbeat host processes",
+ "description": "Detect unusual processes on hosts",
+ "type": "Auditbeat data",
+ "logoFile": "logo.json",
+ "defaultIndexPattern": "auditbeat-*",
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "exists": {
+ "field": "auditd"
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "exists": {
+ "field": "docker.container.id"
+ }
+ }
+ ]
+ }
+ },
+ "jobs": [
+ {
+ "id": "hosts_high_count_events",
+ "file": "hosts_high_count_events.json"
+ },
+ {
+ "id": "hosts_suspicious_process_activity",
+ "file": "hosts_suspicious_process_activity.json"
+ }
+ ],
+ "datafeeds": [
+ {
+ "id": "datafeed-hosts_high_count_events",
+ "file": "datafeed_hosts_high_count_events.json",
+ "job_id": "hosts_high_count_events"
+ },
+ {
+ "id": "datafeed-hosts_suspicious_process_activity",
+ "file": "datafeed_hosts_suspicious_process_activity.json",
+ "job_id": "hosts_suspicious_process_activity"
+ }
+ ],
+ "kibana": {
+ "dashboard": [
+ {
+ "id": "ml_auditbeat_hosts_audit_events",
+ "file": "ml_auditbeat_hosts_audit_events.json"
+ }
+ ],
+ "search": [
+ {
+ "id": "ml_auditbeat_hosts_events",
+ "file": "ml_auditbeat_hosts_events.json"
+ },
+ {
+ "id": "ml_auditbeat_all_events",
+ "file": "ml_auditbeat_all_events.json"
+ }
+ ],
+ "visualization": [
+ {
+ "id": "ml_auditbeat_hosts_command_line",
+ "file": "ml_auditbeat_hosts_command_line.json"
+ },
+ {
+ "id": "ml_auditbeat_hosts_event_volume",
+ "file": "ml_auditbeat_hosts_event_volume.json"
+ },
+ {
+ "id": "ml_auditbeat_hosts_exe_thing",
+ "file": "ml_auditbeat_hosts_exe_thing.json"
+ },
+ {
+ "id": "ml_auditbeat_hosts_kernel_action_presence",
+ "file": "ml_auditbeat_hosts_kernel_action_presence.json"
+ },
+ {
+ "id": "ml_auditbeat_hosts_kernel_actions",
+ "file": "ml_auditbeat_hosts_kernel_actions.json"
+ },
+ {
+ "id": "ml_auditbeat_hosts_process_presence",
+ "file": "ml_auditbeat_hosts_process_presence.json"
+ },
+ {
+ "id": "ml_auditbeat_hosts_processes",
+ "file": 
"ml_auditbeat_hosts_processes.json"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_events.json
new file mode 100644
index 000000000000..a9fab9b33f1a
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_events.json
@@ -0,0 +1,29 @@
+{
+ "job_id": "JOB_ID",
+ "indexes": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "types": [],
+ "query":{
+ "bool": {
+ "must":[
+ {
+ "match": {
+ "event.type": "syscall"
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "exists": {
+ "field": "docker.container.id"
+ }
+ }
+ ]
+ }
+ },
+ "scroll_size": 1000,
+ "chunking_config": {
+ "mode": "auto"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_suspicious_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_suspicious_process_activity.json
new file mode 100644
index 000000000000..f760e7f2ab08
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_suspicious_process_activity.json
@@ -0,0 +1,29 @@
+{
+ "job_id": "JOB_ID",
+ "indexes": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "types": [],
+ "query":{
+ "bool": {
+ "must":[
+ {
+ "match": {
+ "event.type": "syscall"
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "exists": {
+ "field": "docker.container.id"
+ }
+ }
+ ]
+ }
+},
+ "scroll_size": 1000,
+ "chunking_config": {
+ "mode": "auto"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json
new file mode 100644
index 000000000000..81abf4db3569
--- /dev/null
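Review bot: The manifest's recognizer `query` matches any document that has an `auditd` field and no `docker.container.id`, but both datafeeds in this diff additionally require `event.type: syscall`, so an index recognized on login or other non-syscall auditd events would get jobs whose datafeeds return nothing. Either narrow the manifest query by adding `{ "match": { "event.type": "syscall" } }` to its `must` array, or state in `description` that the jobs analyse syscall events only. The `search` list also references `ml_auditbeat_all_events.json`, which is not among the files added in this part of the diff; presumably it is shared or added elsewhere in the module, which is worth confirming before merge. The manifest hunk begins on the previous line of this diff.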
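Review bot: In `datafeed_hosts_suspicious_process_activity.json` the brace closing `query` sits at column zero (`+},`), whereas the otherwise byte-identical `datafeed_hosts_high_count_events.json` indents it as `+ },`; since the two files differ in nothing else they should be formatted identically, and a linter pass over the module directory would catch this. Both also keep `"types": []`, which is a no-op as written; if the targeted Elasticsearch version no longer uses mapping types the key can be dropped from both files.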
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json
@@ -0,0 +1,36 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Auditbeat Hosts: Detect Unusual Increases in Host Process Volume",
+ "groups": ["auditbeat"],
+ "analysis_config": {
+ "bucket_span": "1h",
+ "detectors": [
+ {
+ "detector_description": "high_count partitionfield=\"beat.hostname\"",
+ "function": "high_count",
+ "partition_field_name": "beat.hostname"
+ }
+ ],
+ "influencers": [
+ "beat.hostname",
+ "process.exe"
+ ]
+ },
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "custom_urls": [
+ {
+ "url_name": "Host Events",
+ "time_range": "1h",
+ "url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.hostname:\"$beat.hostname$\"'))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json
new file mode 100644
index 000000000000..7ef2aafe964a
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json
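Review bot: `analysis_limits.categorization_examples_limit` is set to 4 in this job although no detector uses a categorization field, and the sibling `hosts_suspicious_process_activity.json` job in the next hunk omits it; drop the key here so the two jobs agree and the setting does not suggest categorization is in play. The `custom_urls` entry splices `$beat.hostname$` into a Lucene query string inside a Rison-encoded `_a` parameter; a hostname containing a quote or Rison-significant character would break the generated URL, so unless the ML UI escapes substituted values (not visible from this diff) it is more robust to express the host constraint as a `filters` entry than as raw query text.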
@@ -0,0 +1,35 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Auditbeat Hosts: Detect Rare Process Executions on Hosts",
+ "groups": ["auditbeat"],
+ "analysis_config": {
+ "bucket_span": "1h",
+ "detectors": [
+ {
+ "detector_description": "rare by 'process.exe'",
+ "function": "rare",
+ "by_field_name": "process.exe"
+ }
+ ],
+ "influencers": [
+ "process.exe",
+ "beat.hostname"
+ ]
+ },
+ "analysis_limits": {
+ "model_memory_limit": "256mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "custom_urls": [
+ {
+ "url_name": "Host Events",
+ "time_range": "1h",
+ "url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.hostname:\"$beat.hostname$\" AND process.exe:\"$process.exe$\"'))"
+ }
+ ]
+ }
+}
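Review bot: The `rare` detector has only `by_field_name: process.exe` and no `partition_field_name`, so rarity is scored across every host feeding the index: an executable that is routine on one host and appears for the first time on another is not rare fleet-wide and will not be flagged, while the job `description` "Rare Process Executions on Hosts" reads as per-host behaviour. If per-host rarity is the intent, add `"partition_field_name": "beat.hostname"` to the detector and update `detector_description` to match, e.g. `rare by 'process.exe' partitionfield='beat.hostname'`; `model_memory_limit` may then need revisiting since each host gets its own model. If fleet-wide rarity is deliberate, say so in `description` so the scope of the detection is clear to whoever triages its anomalies.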