Filebeat auditd: Fix Top Exec Commands dashboard visualization (#27638) (#27646)

adriansr · web-flow · commit 9b574ef776ee · 2021-08-30T19:07:25.000+02:00
This visualization was expecting an uppercase EXECVE value in
event.action while the ingest pipeline was lowercasing this value.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -192,6 +192,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixes the Snyk module to work with the new API changes. {pull}27358[27358]
 - Fixes a bug in `http_endpoint` that caused numbers encoded as strings. {issue}27382[27382] {pull}27480[27480]
 - Update indentation for azure filebeat configuration. {pull}26604[26604]
+- Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638]
 
 *Heartbeat*
 
diff --git a/filebeat/module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.ndjson b/filebeat/module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.ndjson
@@ -1,5 +1,5 @@
 {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Event types breakdown [Filebeat Auditd] ECS","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Audit Event Types ECS\",\"type\":\"pie\"}"},"coreMigrationVersion":"8.0.0","id":"6295bdd0-0a0e-11e7-825f-6748cda7d858-ecs","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"filebeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-08-04T16:33:56.442Z","version":"WzQzNDYsMV0="}
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.action:EXECVE\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Exec Commands [Filebeat Auditd] ECS","uiStateJSON":"{\"vis\": {\"params\": {\"sort\": {\"columnIndex\": null, \"direction\": null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Command (arg 0)\",\"field\":\"auditd.log.a0\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"title\":\"Audit Top Exec Commands ECS\",\"type\":\"table\"}"},"coreMigrationVersion":"8.0.0","id":"5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"filebeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-08-04T16:33:56.442Z","version":"WzQzNDcsMV0="}
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.action:execve\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Exec Commands [Filebeat Auditd] ECS","uiStateJSON":"{\"vis\": {\"params\": {\"sort\": {\"columnIndex\": null, \"direction\": null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Command (arg 0)\",\"field\":\"auditd.log.a0\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"title\":\"Audit Top Exec Commands ECS\",\"type\":\"table\"}"},"coreMigrationVersion":"8.0.0","id":"5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"filebeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-08-04T16:33:56.442Z","version":"WzQzNDcsMV0="}
 {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Event Results [Filebeat Auditd] ECS","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[],\"params\":{\"expression\":\".es(q=\\\"event.dataset:auditd.log NOT event.outcome:failure\\\").label(\\\"Success\\\"), .es(q=\\\"event.outcome:failed\\\").label(\\\"Failure\\\").title(\\\"Audit Event Results\\\")\",\"interval\":\"auto\"},\"title\":\"Event Results [Filebeat Auditd] ECS\",\"type\":\"timelion\"}"},"coreMigrationVersion":"8.0.0","id":"2bb0fa70-0a11-11e7-9e84-43da493ad0c7-ecs","migrationVersion":{"visualization":"7.14.0"},"references":[],"type":"visualization","updated_at":"2021-08-04T16:33:56.442Z","version":"WzQzNDgsMV0="}
 {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Event Address Geo Location [Filebeat Auditd] ECS","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Audit Event Address Geo Location ECS\",\"type\":\"tile_map\"}"},"coreMigrationVersion":"8.0.0","id":"d1726930-0a7f-11e7-8b04-eb22a5669f27-ecs","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"filebeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-08-04T16:33:56.442Z","version":"WzQzNDksMV0="}
 {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Event Account Tag Cloud [Filebeat Auditd] ECS","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"hideLabel\":false,\"maxFontSize\":42,\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"Audit Event Account Tag Cloud ECS\",\"type\":\"tagcloud\"}"},"coreMigrationVersion":"8.0.0","id":"c5411910-0a87-11e7-8b04-eb22a5669f27-ecs","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"filebeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-08-04T16:33:56.442Z","version":"WzQzNTAsMV0="}
