Modified overview fim visualizations
This commit is contained in:
parent
c8c50ee319
commit
9198d22755
@ -16,8 +16,7 @@ import TabNames from '../../utils/tab-names';
|
||||
import TabDescription from '../../../server/reporting/tab-description';
|
||||
|
||||
import {
|
||||
metricsGeneral,
|
||||
metricsFim,
|
||||
metricsGeneral,
|
||||
metricsAudit,
|
||||
metricsVulnerability,
|
||||
metricsScap,
|
||||
@ -86,9 +85,6 @@ app.controller('overviewController', function(
|
||||
case 'general':
|
||||
createMetrics(metricsGeneral);
|
||||
break;
|
||||
case 'fim':
|
||||
createMetrics(metricsFim);
|
||||
break;
|
||||
case 'audit':
|
||||
createMetrics(metricsAudit);
|
||||
break;
|
||||
|
@ -34,7 +34,7 @@ class TabVisualizations {
|
||||
this.overview = {
|
||||
welcome: 0,
|
||||
general: 11,
|
||||
fim: 10,
|
||||
fim: 8,
|
||||
pm: 5,
|
||||
vuls: 8,
|
||||
oscap: 11,
|
||||
|
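Review bot: `fim: 8` is a bare magic number that has to be kept in step with the FIM template by hand, and nothing on this line says what it counts. Assuming `this.overview` holds the number of visualizations each overview tab renders, the value should carry a comment such as `fim: 8, // kbn-vis elements in the overview FIM template; update when cards are added or removed` so the next change to the panel does not silently desynchronise it. The new FIM template in this commit binds eight `vis-id`s, so the value looks consistent today; the enclosing `TabVisualizations` class continues outside the hunk.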
@ -1,84 +1,67 @@
|
||||
<md-content flex layout="column" ng-if="tab === 'fim' && tabView === 'panels'" ng-class="{'no-opacity': resultState !== 'ready' || !rendered}">
|
||||
|
||||
<div layout="row">
|
||||
<md-card flex class="wz-metric-color wz-md-card">
|
||||
<md-card-content layout="row" class="wz-padding-metric">
|
||||
<div class="wz-text-truncatable" flex>Files added: <span class="wz-text-bold" ng-bind="fimAdded()"></span></div>
|
||||
<div class="wz-text-truncatable" flex>Files modified: <span class="wz-text-bold" ng-bind="fimModified()"></span></div>
|
||||
<div class="wz-text-truncatable" flex>Files deleted: <span class="wz-text-bold" ng-bind="fimDeleted()"></span></div>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
</div>
|
||||
|
||||
<div class="wz-no-display">
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Added'" ></kbn-vis>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Modified'"></kbn-vis>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Deleted'"></kbn-vis>
|
||||
</div>
|
||||
|
||||
<div layout="row" class="height-400">
|
||||
|
||||
<div flex layout="column">
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column" >
|
||||
<span class="wz-headline-title">Events over time</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-Events-over-time" vis-id="'Wazuh-App-Overview-FIM-Events-over-time'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
</div>
|
||||
|
||||
<div flex="30" layout="column">
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column" >
|
||||
<span class="wz-headline-title">Top user owners</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-Top-user-owners" vis-id="'Wazuh-App-Overview-FIM-Top-user-owners'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column" >
|
||||
<span class="wz-headline-title">Top group owners</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Top-group-owners'" id="Wazuh-App-Overview-FIM-Top-group-owners"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
|
||||
<div layout="row" class="height-213">
|
||||
<div layout="row" class="height-225">
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column" >
|
||||
<span class="wz-headline-title">Top file changes</span>
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Top 5 agents with deleted files</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-Top-file-changes" vis-id="'Wazuh-App-Overview-FIM-Top-file-changes'"></kbn-vis>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-deleted" vis-id="'Wazuh-App-Overview-FIM-deleted'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column" >
|
||||
<span class="wz-headline-title">Root user file changes</span>
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Top 5 agents with new files</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-Root-user-file-changes" vis-id="'Wazuh-App-Overview-FIM-Root-user-file-changes'"></kbn-vis>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-added" vis-id="'Wazuh-App-Overview-FIM-added'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column" >
|
||||
<span class="wz-headline-title">World writable modified files</span>
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Top 5 agents with modified files</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-World-writable-modified-files" vis-id="'Wazuh-App-Overview-FIM-World-writable-modified-files'"></kbn-vis>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-modified" vis-id="'Wazuh-App-Overview-FIM-modified'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
</div>
|
||||
|
||||
<div layout="row" class="height-570">
|
||||
<div layout="row" class="height-300">
|
||||
<md-card flex="15" class="wz-md-card">
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">FIM alerts volume</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Percentage-affected'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Events summary</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Events-summary'"></kbn-vis>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-Events-summary" vis-id="'Wazuh-App-Overview-FIM-Events-summary'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
</div>
|
||||
|
||||
</md-content>
|
||||
<div layout="row" class="height-300">
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Top 5 rules</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-Top-5-rules'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Whodata usage</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis id="Wazuh-App-Overview-FIM-Whodata-usage" vis-id="'Wazuh-App-Overview-FIM-Whodata-usage'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
<md-card flex class="wz-md-card">
|
||||
<md-card-content class="wazuh-column">
|
||||
<span class="wz-headline-title">Top 5 users</span>
|
||||
<md-divider class="wz-margin-top-10"></md-divider>
|
||||
<kbn-vis vis-id="'Wazuh-App-Overview-FIM-top-agents-user'"></kbn-vis>
|
||||
</md-card-content>
|
||||
</md-card>
|
||||
</div>
|
||||
</md-content>
|
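Review bot: The new `<kbn-vis>` elements are inconsistent about the `id` attribute: the FIM-deleted, FIM-added, FIM-modified, Events-summary and Whodata-usage cards carry both `id` and `vis-id`, while `Wazuh-App-Overview-FIM-Percentage-affected`, `Wazuh-App-Overview-FIM-Top-5-rules` and `Wazuh-App-Overview-FIM-top-agents-user` have only `vis-id`. If anything in the app locates these panels by DOM id (the reporting path, for instance) those three will be skipped, so either add it, e.g. `<kbn-vis id="Wazuh-App-Overview-FIM-Top-5-rules" vis-id="'Wazuh-App-Overview-FIM-Top-5-rules'"></kbn-vis>`, or drop it everywhere. The `vis-id` values are presumably matched exactly against the `_id` of the saved visualizations, and in the visible part of the visualizations hunk I see `Wazuh-App-Overview-FIM-Top-5-agents` but not `...-top-agents-user`, nor the lowercase `-added`/`-modified`/`-deleted` ids; that hunk runs past the end of the page, so confirm those definitions exist before merging.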
@ -20,13 +20,6 @@ const metricsGeneral = {
|
||||
'[vis-id="\'Wazuh-App-Overview-General-Authentication-success\'"]'
|
||||
};
|
||||
|
||||
// Metrics FIM
|
||||
const metricsFim = {
|
||||
fimAdded: '[vis-id="\'Wazuh-App-Overview-FIM-Added\'"]',
|
||||
fimModified: '[vis-id="\'Wazuh-App-Overview-FIM-Modified\'"]',
|
||||
fimDeleted: '[vis-id="\'Wazuh-App-Overview-FIM-Deleted\'"]'
|
||||
};
|
||||
|
||||
// Metrics Audit
|
||||
const metricsAudit = {
|
||||
auditNewFiles: '[vis-id="\'Wazuh-App-Overview-Audit-New-files\'"]',
|
||||
@ -86,8 +79,7 @@ const metricsAws = {
|
||||
};
|
||||
|
||||
export default {
|
||||
metricsGeneral,
|
||||
metricsFim,
|
||||
metricsGeneral,
|
||||
metricsAudit,
|
||||
metricsVulnerability,
|
||||
metricsScap,
|
||||
|
@ -11,332 +11,129 @@
|
||||
*/
|
||||
export default [
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Added',
|
||||
_source: {
|
||||
title: 'Added',
|
||||
visState:
|
||||
'{"title":"Added","type":"metric","params":{"addTooltip":true,"addLegend":false,"type":"metric","metric":{"percentageMode":false,"colorSchema":"Green to Red","useRange":false,"colorsRange":[{"from":0,"to":100}],"invertColors":false,"labels":{"show":true,"color":"black"},"style":{"fontSize":20,"bgColor":false,"labelColor":false,"subText":""},"metricColorMode":"None"}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{"customLabel":"Added"}}]}',
|
||||
uiStateJSON: '{"vis":{"defaultColors":{"0 - 100":"rgb(0,104,55)"}}}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON: `{
|
||||
"index":"wazuh-alerts",
|
||||
"filter":[
|
||||
{
|
||||
"meta": {
|
||||
"index": "wazuh-alerts",
|
||||
"type": "phrases",
|
||||
"key": "syscheck.event",
|
||||
"value": "added, readded",
|
||||
"params": [
|
||||
"added",
|
||||
"readded"
|
||||
],
|
||||
"negate": false,
|
||||
"disabled": false,
|
||||
"alias": null
|
||||
},
|
||||
"query": {
|
||||
"bool": {
|
||||
"should": [
|
||||
{
|
||||
"match_phrase": {
|
||||
"syscheck.event": "added"
|
||||
}
|
||||
},
|
||||
{
|
||||
"match_phrase": {
|
||||
"syscheck.event": "readded"
|
||||
}
|
||||
}
|
||||
],
|
||||
"minimum_should_match": 1
|
||||
}
|
||||
},
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
}
|
||||
}
|
||||
],
|
||||
"query":{"query":"","language":"lucene"}
|
||||
}`
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Modified',
|
||||
_source: {
|
||||
title: 'Modified',
|
||||
visState:
|
||||
'{"title":"Modified","type":"metric","params":{"addTooltip":true,"addLegend":false,"type":"metric","metric":{"percentageMode":false,"colorSchema":"Green to Red","useRange":false,"colorsRange":[{"from":0,"to":100}],"invertColors":false,"labels":{"show":true,"color":"black"},"style":{"fontSize":20,"bgColor":false,"labelColor":false,"subText":""},"metricColorMode":"None"}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{"customLabel":"Modified"}}]}',
|
||||
uiStateJSON: '{"vis":{"defaultColors":{"0 - 100":"rgb(0,104,55)"}}}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON: `{
|
||||
"index":"wazuh-alerts",
|
||||
"filter":[
|
||||
{
|
||||
"meta": {
|
||||
"index": "wazuh-alerts",
|
||||
"negate": false,
|
||||
"disabled": false,
|
||||
"alias": null,
|
||||
"type": "phrase",
|
||||
"key": "syscheck.event",
|
||||
"value": "modified",
|
||||
"params": {
|
||||
"query": "modified",
|
||||
"type": "phrase"
|
||||
}
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"syscheck.event": {
|
||||
"query": "modified",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
},
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
}
|
||||
}
|
||||
],
|
||||
"query":{"query":"","language":"lucene"}
|
||||
}`
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Deleted',
|
||||
_source: {
|
||||
title: 'Deleted',
|
||||
visState:
|
||||
'{"title":"Deleted","type":"metric","params":{"addTooltip":true,"addLegend":false,"type":"metric","metric":{"percentageMode":false,"colorSchema":"Green to Red","useRange":false,"colorsRange":[{"from":0,"to":100}],"invertColors":false,"labels":{"show":true,"color":"black"},"style":{"fontSize":20,"bgColor":false,"labelColor":false,"subText":""},"metricColorMode":"None"}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{"customLabel":"Deleted"}}]}',
|
||||
uiStateJSON: '{"vis":{"defaultColors":{"0 - 100":"rgb(0,104,55)"}}}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON: `{
|
||||
"index":"wazuh-alerts",
|
||||
"filter":[
|
||||
{
|
||||
"meta": {
|
||||
"index": "wazuh-alerts",
|
||||
"negate": false,
|
||||
"disabled": false,
|
||||
"alias": null,
|
||||
"type": "phrase",
|
||||
"key": "syscheck.event",
|
||||
"value": "deleted",
|
||||
"params": {
|
||||
"query": "deleted",
|
||||
"type": "phrase"
|
||||
}
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"syscheck.event": {
|
||||
"query": "deleted",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
},
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
}
|
||||
}
|
||||
],
|
||||
"query":{"query":"","language":"lucene"}
|
||||
}`
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Events-over-time',
|
||||
_source: {
|
||||
title: 'Events over time',
|
||||
visState:
|
||||
'{"title":"Events over time","type":"area","params":{"type":"area","grid":{"categoryLines":false,"style":{"color":"#eee"}},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":true,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":100},"title":{}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"area","mode":"stacked","data":{"label":"Count","id":"1"},"drawLinesBetweenPoints":true,"showCircles":true,"interpolate":"linear","valueAxis":"ValueAxis-1"}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"date_histogram","schema":"segment","params":{"field":"@timestamp","interval":"h","customInterval":"30m","min_doc_count":1,"extended_bounds":{}}},{"id":"3","enabled":true,"type":"terms","schema":"group","params":{"field":"rule.groups","size":5,"order":"desc","orderBy":"_term"}}]}',
|
||||
uiStateJSON: '{}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON:
|
||||
'{"index":"wazuh-alerts","filter":[],"query":{"query":"","language":"lucene"}}'
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Top-user-owners',
|
||||
_type: 'visualization',
|
||||
_source: {
|
||||
title: 'Top user owners',
|
||||
visState:
|
||||
'{"title":"Top user owners","type":"pie","params":{"isDonut":true,"shareYAxis":true,"addTooltip":true,"addLegend":true,"type":"pie","legendPosition":"right","labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"3","enabled":true,"type":"terms","schema":"segment","params":{"field":"syscheck.uname_after","size":5,"order":"desc","orderBy":"1"}}]}',
|
||||
uiStateJSON: '{}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON:
|
||||
'{"index":"wazuh-alerts","filter":[],"query":{"query":"","language":"lucene"}}'
|
||||
"_id": 'Wazuh-App-Overview-FIM-Events-summary',
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": 'Events summary',
|
||||
"visState": "{\"title\":\"FIM-05\",\"type\":\"vega\",\"params\":{\"spec\":\"{\\n/*\\n\\nWelcome to Vega visualizations. Here you can design your own dataviz from scratch using a declarative language called Vega, or its simpler form Vega-Lite. In Vega, you have the full control of what data is loaded, even from multiple sources, how that data is transformed, and what visual elements are used to show it. Use help icon to view Vega examples, tutorials, and other docs. Use the wrench icon to reformat this text, or to remove comments.\\n\\nThis example graph shows the document count in all indexes in the current time range. You might need to adjust the time filter in the upper right corner.\\n*/\\n\\n $schema: https://vega.github.io/schema/vega-lite/v2.json\\n \\n // Define the data source\\n data: {\\n url: {\\n/*\\nAn object instead of a string for the \\\"url\\\" param is treated as an Elasticsearch query. Anything inside this object is not part of the Vega language, but only understood by Kibana and Elasticsearch server. This query counts the number of documents per time interval, assuming you have a @timestamp field in your data.\\n\\nKibana has a special handling for the fields surrounded by \\\"%\\\". They are processed before the the query is sent to Elasticsearch. 
This way the query becomes context aware, and can use the time range and the dashboard filters.\\n*/\\n\\n // Apply dashboard context filters when set\\n %context%: true\\n // Filter the time picker (upper right corner) with this field\\n %timefield%: @timestamp\\n\\n/*\\nSee .search() documentation for : https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/api-reference.html#api-search\\n*/\\n\\n // Which index to search\\n index: _all\\n // Aggregate data by the time field into time buckets, counting the number of documents in each bucket.\\n body: {\\n aggs: {\\n time_buckets: {\\n date_histogram: {\\n // Use date histogram aggregation on @timestamp field\\n field: @timestamp\\n // The interval value will depend on the daterange picker (true), or use an integer to set an approximate bucket count\\n interval: {%autointerval%: true}\\n // Make sure we get an entire range, even if it has no data\\n extended_bounds: {\\n // Use the current time range's start and end\\n min: {%timefilter%: \\\"min\\\"}\\n max: {%timefilter%: \\\"max\\\"}\\n }\\n // Use this for linear (e.g. line, area) graphs. Without it, empty buckets will not show up\\n min_doc_count: 0\\n }\\n }\\n }\\n // Speed up the response by only including aggregation results\\n size: 0\\n }\\n }\\n/*\\nElasticsearch will return results in this format:\\n\\naggregations: {\\n time_buckets: {\\n buckets: [\\n {\\n key_as_string: 2015-11-30T22:00:00.000Z\\n key: 1448920800000\\n doc_count: 0\\n },\\n {\\n key_as_string: 2015-11-30T23:00:00.000Z\\n key: 1448924400000\\n doc_count: 0\\n }\\n ...\\n ]\\n }\\n}\\n\\nFor our graph, we only need the list of bucket values. Use the format.property to discard everything else.\\n*/\\n format: {property: \\\"aggregations.time_buckets.buckets\\\"}\\n }\\n\\n // \\\"mark\\\" is the graphics element used to show our data. Other mark values are: area, bar, circle, line, point, rect, rule, square, text, and tick. 
See https://vega.github.io/vega-lite/docs/mark.html\\n mark: line\\n\\n // \\\"encoding\\\" tells the \\\"mark\\\" what data to use and in what way. See https://vega.github.io/vega-lite/docs/encoding.html\\n encoding: {\\n x: {\\n // The \\\"key\\\" value is the timestamp in milliseconds. Use it for X axis.\\n field: key\\n type: temporal\\n axis: {title: false} // Customize X axis format\\n }\\n y: {\\n // The \\\"doc_count\\\" is the count per bucket. Use it for Y axis.\\n field: doc_count\\n type: quantitative\\n axis: {title: \\\"Alerts count\\\"}\\n }\\n }\\n}\\n\"},\"aggs\":[]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Top-group-owners',
|
||||
_type: 'visualization',
|
||||
_source: {
|
||||
title: 'Top group owners',
|
||||
visState:
|
||||
'{"title":"Top group owners","type":"pie","params":{"isDonut":true,"shareYAxis":true,"addTooltip":true,"addLegend":true,"type":"pie","legendPosition":"right","labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"syscheck.gname_after","size":5,"order":"desc","orderBy":"1"}}]}',
|
||||
uiStateJSON: '{}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON:
|
||||
'{"index":"wazuh-alerts","filter":[],"query":{"query":"","language":"lucene"}}'
|
||||
"_id": "Wazuh-App-Overview-FIM-Top-5-rules",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Top 5 rules",
|
||||
"visState": "{\"title\":\"FIM-01\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.id\",\"size\":3,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}}]}",
|
||||
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Top-file-changes',
|
||||
_source: {
|
||||
title: 'Top file changes',
|
||||
visState:
|
||||
'{"title":"Top file changes","type":"pie","params":{"isDonut":false,"shareYAxis":true,"addTooltip":true,"addLegend":true,"type":"pie","legendPosition":"right","labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"syscheck.path","size":5,"order":"desc","orderBy":"1"}}]}',
|
||||
uiStateJSON: '{}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON: `{
|
||||
"index":"wazuh-alerts",
|
||||
"filter":[
|
||||
{
|
||||
"meta": {
|
||||
"index": "wazuh-alerts",
|
||||
"negate": false,
|
||||
"disabled": false,
|
||||
"alias": null,
|
||||
"type": "phrase",
|
||||
"key": "syscheck.event",
|
||||
"value": "modified",
|
||||
"params": {
|
||||
"query": "modified",
|
||||
"type": "phrase"
|
||||
}
|
||||
},
|
||||
"query": {
|
||||
"match": {
|
||||
"syscheck.event": {
|
||||
"query": "modified",
|
||||
"type": "phrase"
|
||||
}
|
||||
}
|
||||
},
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
}
|
||||
}
|
||||
],
|
||||
"query":{"query":"","language":"lucene"}
|
||||
}`
|
||||
"_id": "Wazuh-App-Overview-FIM-Top-5-agents",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Top 5 agents",
|
||||
"visState": "{\"title\":\"FIM-04\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"agent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"syscheck.audit.effective_user.name\",\"value\":\"root\",\"params\":{\"query\":\"root\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"syscheck.audit.effective_user.name\":{\"query\":\"root\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
}
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Root-user-file-changes',
|
||||
_source: {
|
||||
title: 'Root user file changes',
|
||||
visState:
|
||||
'{"title":"Root user file changes","type":"pie","params":{"isDonut":false,"shareYAxis":true,"addTooltip":true,"addLegend":true,"type":"pie","legendPosition":"right","labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"syscheck.path","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","size":5,"order":"desc","orderBy":"1"}}]}',
|
||||
uiStateJSON: '{}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON:
|
||||
'{"index":"wazuh-alerts","filter":[{"meta":{"index":"wazuh-alerts","negate":false,"disabled":false,"alias":null,"type":"phrase","key":"rule.groups","value":"syscheck","params":{"query":"syscheck","type":"phrase"}},"query":{"match":{"rule.groups":{"query":"syscheck","type":"phrase"}}},"$state":{"store":"appState"}},{"query":{"query_string":{"query":"syscheck.uid_before:0 or syscheck.uid_after:0 or syscheck.gid_after:root or syscheck.gid_before:0","analyze_wildcard":true,"default_field":"*"}},"meta":{"negate":false,"index":"wazuh-alerts","disabled":false,"alias":null,"type":"query_string","key":"query","value":"syscheck.uid_before:0 or syscheck.uid_after:0 or syscheck.gid_after:root or syscheck.gid_before:0"},"$state":{"store":"appState"}}],"query":{"query":"","language":"lucene"}}'
|
||||
"_id": "Wazuh-App-Overview-FIM-Percentage-affected",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Affected alerts",
|
||||
"visState": "{\"title\":\"FIM-02\",\"type\":\"goal\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":true,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"meter\",\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
|
||||
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"range\",\"key\":\"rule.level\",\"value\":\"7 to 16\",\"params\":{\"gte\":7,\"lt\":16}},\"range\":{\"rule.level\":{\"gte\":7,\"lt\":16}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
}
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-World-writable-modified-files',
|
||||
_source: {
|
||||
title: 'World writable modified files',
|
||||
visState:
|
||||
'{"title":"World writable modified files","type":"pie","params":{"type":"pie","addTooltip":true,"addLegend":true,"legendPosition":"right","isDonut":true},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"syscheck.path","size":5,"order":"desc","orderBy":"1"}}]}',
|
||||
uiStateJSON: '{}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON: `{
|
||||
"index":"wazuh-alerts",
|
||||
"filter":[
|
||||
{
|
||||
"meta": {
|
||||
"index": "wazuh-alerts",
|
||||
"negate": false,
|
||||
"disabled": false,
|
||||
"alias": null,
|
||||
"type": "exists",
|
||||
"key": "syscheck.perm_after",
|
||||
"value": "exists"
|
||||
},
|
||||
"exists": {
|
||||
"field": "syscheck.perm_after"
|
||||
},
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
}
|
||||
},
|
||||
{
|
||||
"query": {
|
||||
"regexp": {
|
||||
"syscheck.perm_after": "[0-7]{5}([2367])"
|
||||
}
|
||||
},
|
||||
"meta": {
|
||||
"negate": false,
|
||||
"index": "wazuh-alerts",
|
||||
"disabled": false,
|
||||
"alias": null,
|
||||
"type": "custom",
|
||||
"key": "query",
|
||||
"value": {"regexp":{"syscheck.perm_after": "[0-7]{5}([2367])" }}
|
||||
},
|
||||
"$state": {
|
||||
"store": "appState"
|
||||
}
|
||||
}
|
||||
],
|
||||
"query":{"query":"","language":"lucene"}
|
||||
}`
|
||||
"_id": "Wazuh-App-Overview-FIM-Whodata-usage",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Whodata usage",
|
||||
"visState": "{\"title\":\"whodatavsagents\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":false,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"agent.name\",\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"segment\",\"params\":{\"filters\":[{\"input\":{\"query\":\"\"},\"label\":\"Agents\"},{\"input\":{\"query\":\"_exists_:syscheck.audit.effective_user.name\"},\"label\":\"Agents using whodata\"}]}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"wazuh-alerts\",\"key\":\"rule.groups\",\"negate\":false,\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"syscheck\"},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}}}]}"
|
||||
}
|
||||
},
|
||||
_type: 'visualization'
|
||||
}
|
||||
},
|
||||
{
|
||||
_id: 'Wazuh-App-Overview-FIM-Events-summary',
|
||||
_type: 'visualization',
|
||||
_source: {
|
||||
title: 'Events summary',
|
||||
visState:
|
||||
'{"title":"Events summary","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false,"sort":{"columnIndex":null,"direction":null},"showTotal":false,"totalFunc":"sum"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"bucket","params":{"field":"agent.name","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","size":50,"order":"desc","orderBy":"1","customLabel":"Agent"}},{"id":"3","enabled":true,"type":"terms","schema":"bucket","params":{"field":"syscheck.path","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","size":5,"order":"desc","orderBy":"1","customLabel":"File"}},{"id":"5","enabled":true,"type":"terms","schema":"bucket","params":{"field":"rule.description","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","size":5,"order":"desc","orderBy":"1","customLabel":"Description"}}]}',
|
||||
uiStateJSON:
|
||||
'{"vis":{"params":{"sort":{"columnIndex":3,"direction":"desc"}}}}',
|
||||
description: '',
|
||||
version: 1,
|
||||
kibanaSavedObjectMeta: {
|
||||
searchSourceJSON:
|
||||
'{"index":"wazuh-alerts","filter":[],"query":{"query":"","language":"lucene"}}'
|
||||
"_id": "Wazuh-App-Overview-FIM-deleted",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Top deleted",
|
||||
"visState": "{\"title\":\"deleted\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syscheck.path\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"agent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"syscheck.event\",\"value\":\"deleted\",\"params\":{\"query\":\"deleted\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"syscheck.event\":{\"query\":\"deleted\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"_id": "Wazuh-App-Overview-FIM-added",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Top added",
|
||||
"visState": "{\"title\":\"added\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syscheck.path\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"agent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"syscheck.event\",\"value\":\"added\",\"params\":{\"query\":\"added\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"syscheck.event\":{\"query\":\"added\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"_id": "Wazuh-App-Overview-FIM-modified",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Top modified",
|
||||
"visState": "{\"title\":\"modified\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syscheck.path\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"agent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"syscheck.event\",\"value\":\"modified\",\"params\":{\"query\":\"modified\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"syscheck.event\":{\"query\":\"modified\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"_id": "Wazuh-App-Overview-FIM-top-agents-user",
|
||||
"_type": "visualization",
|
||||
"_source": {
|
||||
"title": "Top agents-user",
|
||||
"visState": "{\"title\":\"tabletopagents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syscheck.audit.effective_user.name\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Top user\"}}]}",
|
||||
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"wazuh-alerts\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"wazuh-alerts\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"rule.groups\",\"value\":\"syscheck\",\"params\":{\"query\":\"syscheck\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"rule.groups\":{\"query\":\"syscheck\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|