diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_host/index.tsx b/x-pack/plugins/siem/public/components/page/overview/overview_host/index.tsx
index 713021fb2233a..bc687403544ca 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_host/index.tsx
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_host/index.tsx
@@ -37,10 +37,7 @@ export const OverviewHost = pure(({ endDate, startDate, setQu
 />
 }
 title={
-
+
 }
 >
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap b/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap
index 616126caf8d31..6b4f87119102c 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap
@@ -10,6 +10,8 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
 "auditbeatPackage": 2003,
 "auditbeatProcess": 1200,
 "auditbeatUser": 1979,
+ "filebeatSystemModule": 568,
+ "winlogbeat": 296999,
 }
 }
 loading={false}
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx b/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx
index 435ded9da32fc..a33f265d0bff2 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx
@@ -98,6 +98,27 @@ const overviewHostStats = (data: OverviewHostData) => [
 />
 ),
 },
+ {
+ description:
+ has('filebeatSystemModule', data) && data.filebeatSystemModule !== null
+ ? numeral(data.filebeatSystemModule).format('0,0')
+ : getEmptyTagValue(),
+ title: (
+
+ ),
+ },
+ {
+ description:
+ has('winlogbeat', data) && data.winlogbeat !== null
+ ? numeral(data.winlogbeat).format('0,0')
+ : getEmptyTagValue(),
+ title: (
+
+ ),
+ },
 ];
 export const DescriptionListDescription = styled(EuiDescriptionListDescription)`
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts b/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts
index 83ef1f928f6f8..a550ff49bf620 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts
@@ -14,5 +14,7 @@ export const mockData: { OverviewHost: OverviewHostData } = {
 auditbeatPackage: 2003,
 auditbeatProcess: 1200,
 auditbeatUser: 1979,
+ filebeatSystemModule: 568,
+ winlogbeat: 296999,
 },
 };
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_network/index.tsx b/x-pack/plugins/siem/public/components/page/overview/overview_network/index.tsx
index 604e59254c27b..6510bb0033f7b 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_network/index.tsx
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_network/index.tsx
@@ -37,10 +37,7 @@ export const OverviewNetwork = pure(({ endDate, startDate, setQuery })
 />
 }
 title={
-
+
 }
 >
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap b/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap
index 6a1b3f001030c..565d9f6b84397 100644
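Review bot: Each new stat entry repeats the same `has(key, data) && data[key] !== null ? numeral(data[key]).format('0,0') : getEmptyTagValue()` shape, here for `filebeatSystemModule` and `winlogbeat` and again for the four network entries in overview_network_stats; a one-line helper such as `const formatCount = (value: number | null | undefined) => value != null ? numeral(value).format('0,0') : getEmptyTagValue();` would let each entry read `description: formatCount(data.filebeatSystemModule),` and keep the list as data rather than boilerplate. Note also that the `!== null` guard no longer matches the plain `number` type this change gives `OverviewHostData`, yet the server adapter still falls back to `null` for a missing aggregation, so the guard is doing real work and the types are the misleading part. The `overviewHostStats` array begins before this hunk.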
--- a/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap
@@ -5,10 +5,14 @@ exports[`Overview Network Stat Data rendering it renders the default OverviewNet
 data={
 Object {
 "auditbeatSocket": 12,
+ "filebeatCisco": 999,
+ "filebeatNetflow": 7777,
+ "filebeatPanw": 66,
 "filebeatSuricata": 60015,
 "filebeatZeek": 2003,
 "packetbeatDNS": 10277307,
 "packetbeatFlow": 16,
+ "packetbeatTLS": 3400000,
 }
 }
 loading={false}
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx b/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx
index ec2d0312350dd..f04d0556a0abd 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx
@@ -38,6 +38,42 @@ const overviewNetworkStats = (data: OverviewNetworkData) => [
 />
 ),
 },
+ {
+ description:
+ has('filebeatCisco', data) && data.filebeatCisco !== null
+ ? numeral(data.filebeatCisco).format('0,0')
+ : getEmptyTagValue(),
+ title: (
+
+ ),
+ },
+ {
+ description:
+ has('filebeatNetflow', data) && data.filebeatNetflow !== null
+ ? numeral(data.filebeatNetflow).format('0,0')
+ : getEmptyTagValue(),
+ title: (
+
+ ),
+ },
+ {
+ description:
+ has('filebeatPanw', data) && data.filebeatPanw !== null
+ ? numeral(data.filebeatPanw).format('0,0')
+ : getEmptyTagValue(),
+ title: (
+
+ ),
+ },
 {
 description:
 has('filebeatSuricata', data) && data.filebeatSuricata !== null
@@ -83,6 +119,18 @@ const overviewNetworkStats = (data: OverviewNetworkData) => [
 />
 ),
 },
+ {
+ description:
+ has('packetbeatTLS', data) && data.packetbeatTLS !== null
+ ? numeral(data.packetbeatTLS).format('0,0')
+ : getEmptyTagValue(),
+ title: (
+
+ ),
+ },
 ];
 export const DescriptionListDescription = styled(EuiDescriptionListDescription)`
diff --git a/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/mock.ts b/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/mock.ts
index eecfcdad7bb35..cc4c639f85deb 100644
--- a/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/mock.ts
+++ b/x-pack/plugins/siem/public/components/page/overview/overview_network_stats/mock.ts
@@ -8,10 +8,14 @@ import { OverviewNetworkData } from '../../../../graphql/types';
 export const mockData: { OverviewNetwork: OverviewNetworkData } = {
 OverviewNetwork: {
- packetbeatFlow: 16,
- packetbeatDNS: 10277307,
+ auditbeatSocket: 12,
+ filebeatCisco: 999,
+ filebeatNetflow: 7777,
+ filebeatPanw: 66,
 filebeatSuricata: 60015,
 filebeatZeek: 2003,
- auditbeatSocket: 12,
+ packetbeatDNS: 10277307,
+ packetbeatFlow: 16,
+ packetbeatTLS: 3400000,
 },
 };
diff --git a/x-pack/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts b/x-pack/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts
index 5bfd61048a4f6..4973bd70f9f55 100644
--- a/x-pack/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts
+++ b/x-pack/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts
@@ -22,6 +22,8 @@ export const overviewHostQuery = gql`
 auditbeatPackage
 auditbeatProcess
 auditbeatUser
+ filebeatSystemModule
+ winlogbeat
 }
 }
 }
diff --git a/x-pack/plugins/siem/public/containers/overview/overview_network/index.gql_query.ts b/x-pack/plugins/siem/public/containers/overview/overview_network/index.gql_query.ts
index 6cefb9ff96685..424b1a71952fb 100644
--- a/x-pack/plugins/siem/public/containers/overview/overview_network/index.gql_query.ts
+++ b/x-pack/plugins/siem/public/containers/overview/overview_network/index.gql_query.ts
@@ -20,11 +20,15 @@ export const overviewNetworkQuery = gql`
 filterQuery: $filterQuery
 defaultIndex: $defaultIndex
 ) {
- packetbeatFlow
- packetbeatDNS
+ auditbeatSocket
+ filebeatCisco
+ filebeatNetflow
+ filebeatPanw
 filebeatSuricata
 filebeatZeek
- auditbeatSocket
+ packetbeatDNS
+ packetbeatFlow
+ packetbeatTLS
 }
 }
 }
diff --git a/x-pack/plugins/siem/public/graphql/introspection.json b/x-pack/plugins/siem/public/graphql/introspection.json
index 79446c212466b..5587711f3480a 100644
--- a/x-pack/plugins/siem/public/graphql/introspection.json
+++ b/x-pack/plugins/siem/public/graphql/introspection.json
@@ -7628,7 +7628,7 @@
 "description": "",
 "fields": [
 {
- "name": "packetbeatFlow",
+ "name": "auditbeatSocket",
 "description": "",
 "args": [],
 "type": {
@@ -7640,7 +7640,31 @@
 "deprecationReason": null
 },
 {
- "name": "packetbeatDNS",
+ "name": "filebeatCisco",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
+ {
+ "name": "filebeatNetflow",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
+ {
+ "name": "filebeatPanw",
 "description": "",
 "args": [],
 "type": {
@@ -7667,15 +7691,47 @@
 "name": "filebeatZeek",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 },
 {
- "name": "auditbeatSocket",
+ "name": "packetbeatDNS",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
+ {
+ "name": "packetbeatFlow",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
+ {
+ "name": "packetbeatTLS",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 }
@@ -7694,7 +7750,11 @@
 "name": "auditbeatAuditd",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 },
@@ -7702,7 +7762,11 @@
 "name": "auditbeatFIM",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 },
@@ -7710,7 +7774,11 @@
 "name": "auditbeatLogin",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 },
@@ -7718,7 +7786,11 @@
 "name": "auditbeatPackage",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 },
@@ -7726,7 +7798,11 @@
 "name": "auditbeatProcess",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 },
@@ -7734,7 +7810,35 @@
 "name": "auditbeatUser",
 "description": "",
 "args": [],
- "type": { "kind": "SCALAR", "name": "Float", "ofType": null },
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
+ {
+ "name": "filebeatSystemModule",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
+ },
+ {
+ "name": "winlogbeat",
+ "description": "",
+ "args": [],
+ "type": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
+ },
 "isDeprecated": false,
 "deprecationReason": null
 }
diff --git a/x-pack/plugins/siem/public/graphql/types.ts b/x-pack/plugins/siem/public/graphql/types.ts
index f6910d6950bac..534b300ecfef0 100644
--- a/x-pack/plugins/siem/public/graphql/types.ts
+++ b/x-pack/plugins/siem/public/graphql/types.ts
@@ -1180,29 +1180,41 @@ export interface NetworkDnsItem {
 }
 export interface OverviewNetworkData {
- packetbeatFlow: number;
+ auditbeatSocket: number;
- packetbeatDNS: number;
+ filebeatCisco: number;
+
+ filebeatNetflow: number;
+
+ filebeatPanw: number;
 filebeatSuricata: number;
- filebeatZeek?: number | null;
+ filebeatZeek: number;
+
+ packetbeatDNS: number;
+
+ packetbeatFlow: number;
- auditbeatSocket?: number | null;
+ packetbeatTLS: number;
 }
 export interface OverviewHostData {
- auditbeatAuditd?: number | null;
+ auditbeatAuditd: number;
+
+ auditbeatFIM: number;
+
+ auditbeatLogin: number;
- auditbeatFIM?: number | null;
+ auditbeatPackage: number;
- auditbeatLogin?: number | null;
+ auditbeatProcess: number;
- auditbeatPackage?: number | null;
+ auditbeatUser: number;
- auditbeatProcess?: number | null;
+ filebeatSystemModule: number;
- auditbeatUser?: number | null;
+ winlogbeat: number;
 }
 export interface UncommonProcessesData {
@@ -3226,17 +3238,21 @@ export namespace GetOverviewHostQuery {
 export type OverviewHost = {
 __typename?: 'OverviewHostData';
- auditbeatAuditd?: number | null;
+ auditbeatAuditd: number;
- auditbeatFIM?: number | null;
+ auditbeatFIM: number;
- auditbeatLogin?: number | null;
+ auditbeatLogin: number;
- auditbeatPackage?: number | null;
+ auditbeatPackage: number;
- auditbeatProcess?: number | null;
+ auditbeatProcess: number;
- auditbeatUser?: number | null;
+ auditbeatUser: number;
+
+ filebeatSystemModule: number;
+
+ winlogbeat: number;
 };
 }
@@ -3265,15 +3281,23 @@ export namespace GetOverviewNetworkQuery {
 export type OverviewNetwork = {
 __typename?: 'OverviewNetworkData';
- packetbeatFlow: number;
+ auditbeatSocket: number;
- packetbeatDNS: number;
+ filebeatCisco: number;
+
+ filebeatNetflow: number;
+
+ filebeatPanw: number;
 filebeatSuricata: number;
- filebeatZeek?: number | null;
+ filebeatZeek: number;
+
+ packetbeatDNS: number;
+
+ packetbeatFlow: number;
- auditbeatSocket?: number | null;
+ packetbeatTLS: number;
 };
 }
diff --git a/x-pack/plugins/siem/server/graphql/overview/schema.gql.ts b/x-pack/plugins/siem/server/graphql/overview/schema.gql.ts
index 0bbb85729fe7f..8f33dec011c0b 100644
--- a/x-pack/plugins/siem/server/graphql/overview/schema.gql.ts
+++ b/x-pack/plugins/siem/server/graphql/overview/schema.gql.ts
@@ -8,20 +8,26 @@ import gql from 'graphql-tag';
 export const overviewSchema = gql`
 type OverviewNetworkData {
- packetbeatFlow: Float!
- packetbeatDNS: Float!
+ auditbeatSocket: Float!
+ filebeatCisco: Float!
+ filebeatNetflow: Float!
+ filebeatPanw: Float!
 filebeatSuricata: Float!
- filebeatZeek: Float
- auditbeatSocket: Float
+ filebeatZeek: Float!
+ packetbeatDNS: Float!
+ packetbeatFlow: Float!
+ packetbeatTLS: Float!
 }
 type OverviewHostData {
- auditbeatAuditd: Float
- auditbeatFIM: Float
- auditbeatLogin: Float
- auditbeatPackage: Float
- auditbeatProcess: Float
- auditbeatUser: Float
+ auditbeatAuditd: Float!
+ auditbeatFIM: Float!
+ auditbeatLogin: Float!
+ auditbeatPackage: Float!
+ auditbeatProcess: Float!
+ auditbeatUser: Float!
+ filebeatSystemModule: Float!
+ winlogbeat: Float!
 }
 extend type Source {
diff --git a/x-pack/plugins/siem/server/graphql/types.ts b/x-pack/plugins/siem/server/graphql/types.ts
index fc80479eebe01..da6beca5742a5 100644
--- a/x-pack/plugins/siem/server/graphql/types.ts
+++ b/x-pack/plugins/siem/server/graphql/types.ts
@@ -1209,29 +1209,41 @@ export interface NetworkDnsItem {
 }
 export interface OverviewNetworkData {
- packetbeatFlow: number;
+ auditbeatSocket: number;
- packetbeatDNS: number;
+ filebeatCisco: number;
+
+ filebeatNetflow: number;
+
+ filebeatPanw: number;
 filebeatSuricata: number;
- filebeatZeek?: number | null;
+ filebeatZeek: number;
- auditbeatSocket?: number | null;
+ packetbeatDNS: number;
+
+ packetbeatFlow: number;
+
+ packetbeatTLS: number;
 }
 export interface OverviewHostData {
- auditbeatAuditd?: number | null;
+ auditbeatAuditd: number;
+
+ auditbeatFIM: number;
- auditbeatFIM?: number | null;
+ auditbeatLogin: number;
- auditbeatLogin?: number | null;
+ auditbeatPackage: number;
- auditbeatPackage?: number | null;
+ auditbeatProcess: number;
- auditbeatProcess?: number | null;
+ auditbeatUser: number;
- auditbeatUser?: number | null;
+ filebeatSystemModule: number;
+
+ winlogbeat: number;
 }
 export interface UncommonProcessesData {
@@ -6236,23 +6248,41 @@ export namespace NetworkDnsItemResolvers {
 export namespace OverviewNetworkDataResolvers {
 export interface Resolvers {
- packetbeatFlow?: PacketbeatFlowResolver;
+ auditbeatSocket?: AuditbeatSocketResolver;
- packetbeatDNS?: PacketbeatDnsResolver;
+ filebeatCisco?: FilebeatCiscoResolver;
+
+ filebeatNetflow?: FilebeatNetflowResolver;
+
+ filebeatPanw?: FilebeatPanwResolver;
 filebeatSuricata?: FilebeatSuricataResolver;
- filebeatZeek?: FilebeatZeekResolver;
+ filebeatZeek?: FilebeatZeekResolver;
+
+ packetbeatDNS?: PacketbeatDnsResolver;
- auditbeatSocket?: AuditbeatSocketResolver;
+ packetbeatFlow?: PacketbeatFlowResolver;
+
+ packetbeatTLS?: PacketbeatTlsResolver;
 }
- export type PacketbeatFlowResolver<
+ export type AuditbeatSocketResolver<
 R = number,
 Parent = OverviewNetworkData,
 Context = SiemContext
 > = Resolver;
- export type PacketbeatDnsResolver<
+ export type FilebeatCiscoResolver<
+ R = number,
+ Parent = OverviewNetworkData,
+ Context = SiemContext
+ > = Resolver;
+ export type FilebeatNetflowResolver<
+ R = number,
+ Parent = OverviewNetworkData,
+ Context = SiemContext
+ > = Resolver;
+ export type FilebeatPanwResolver<
 R = number,
 Parent = OverviewNetworkData,
 Context = SiemContext
@@ -6263,12 +6293,22 @@ export namespace OverviewNetworkDataResolvers {
 Context = SiemContext
 > = Resolver;
 export type FilebeatZeekResolver<
- R = number | null,
+ R = number,
 Parent = OverviewNetworkData,
 Context = SiemContext
 > = Resolver;
- export type AuditbeatSocketResolver<
- R = number | null,
+ export type PacketbeatDnsResolver<
+ R = number,
+ Parent = OverviewNetworkData,
+ Context = SiemContext
+ > = Resolver;
+ export type PacketbeatFlowResolver<
+ R = number,
+ Parent = OverviewNetworkData,
+ Context = SiemContext
+ > = Resolver;
+ export type PacketbeatTlsResolver<
+ R = number,
 Parent = OverviewNetworkData,
 Context = SiemContext
 > = Resolver;
@@ -6276,46 +6316,60 @@ export namespace OverviewNetworkDataResolvers {
 export namespace OverviewHostDataResolvers {
 export interface Resolvers {
- auditbeatAuditd?: AuditbeatAuditdResolver;
+ auditbeatAuditd?: AuditbeatAuditdResolver;
+
+ auditbeatFIM?: AuditbeatFimResolver;
+
+ auditbeatLogin?: AuditbeatLoginResolver;
- auditbeatFIM?: AuditbeatFimResolver;
+ auditbeatPackage?: AuditbeatPackageResolver;
- auditbeatLogin?: AuditbeatLoginResolver;
+ auditbeatProcess?: AuditbeatProcessResolver;
- auditbeatPackage?: AuditbeatPackageResolver;
+ auditbeatUser?: AuditbeatUserResolver;
- auditbeatProcess?: AuditbeatProcessResolver;
+ filebeatSystemModule?: FilebeatSystemModuleResolver;
- auditbeatUser?: AuditbeatUserResolver;
+ winlogbeat?: WinlogbeatResolver;
 }
 export type AuditbeatAuditdResolver<
- R = number | null,
+ R = number,
 Parent = OverviewHostData,
 Context = SiemContext
 > = Resolver;
 export type AuditbeatFimResolver<
- R = number | null,
+ R = number,
 Parent = OverviewHostData,
 Context = SiemContext
 > = Resolver;
 export type AuditbeatLoginResolver<
- R = number | null,
+ R = number,
 Parent = OverviewHostData,
 Context = SiemContext
 > = Resolver;
 export type AuditbeatPackageResolver<
- R = number | null,
+ R = number,
 Parent = OverviewHostData,
 Context = SiemContext
 > = Resolver;
 export type AuditbeatProcessResolver<
- R = number | null,
+ R = number,
 Parent = OverviewHostData,
 Context = SiemContext
 > = Resolver;
 export type AuditbeatUserResolver<
- R = number | null,
+ R = number,
+ Parent = OverviewHostData,
+ Context = SiemContext
+ > = Resolver;
+ export type FilebeatSystemModuleResolver<
+ R = number,
+ Parent = OverviewHostData,
+ Context = SiemContext
+ > = Resolver;
+ export type WinlogbeatResolver<
+ R = number,
 Parent = OverviewHostData,
 Context = SiemContext
 > = Resolver;
diff --git a/x-pack/plugins/siem/server/lib/overview/elastic_adapter.test.ts b/x-pack/plugins/siem/server/lib/overview/elastic_adapter.test.ts
index 514264c2683ca..7ccf925e6b72d 100644
--- a/x-pack/plugins/siem/server/lib/overview/elastic_adapter.test.ts
+++ b/x-pack/plugins/siem/server/lib/overview/elastic_adapter.test.ts
@@ -55,6 +55,11 @@ describe('Siem Overview elasticsearch_adapter', () => {
 mockNoDataResponse.aggregations.unique_suricata_count.doc_count = 0;
 mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;
 mockNoDataResponse.aggregations.unique_socket_count.doc_count = 0;
+ mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;
+ mockNoDataResponse.aggregations.unique_packetbeat_count.unique_tls_count.doc_count = 0;
+ mockNoDataResponse.aggregations.unique_filebeat_count.unique_cisco_count.doc_count = 0;
+ mockNoDataResponse.aggregations.unique_filebeat_count.unique_netflow_count.doc_count = 0;
+ mockNoDataResponse.aggregations.unique_filebeat_count.unique_panw_count.doc_count = 0;
 const mockCallWithRequest = jest.fn();
 mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
 const mockFramework: FrameworkAdapter = {
@@ -76,11 +81,15 @@ describe('Siem Overview elasticsearch_adapter', () => {
 mockOptionsNetwork
 );
 expect(data).toEqual({
- packetbeatFlow: 0,
- packetbeatDNS: 0,
+ auditbeatSocket: 0,
+ filebeatCisco: 0,
+ filebeatNetflow: 0,
+ filebeatPanw: 0,
 filebeatSuricata: 0,
 filebeatZeek: 0,
- auditbeatSocket: 0,
+ packetbeatDNS: 0,
+ packetbeatFlow: 0,
+ packetbeatTLS: 0,
 });
 });
 });
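Review bot: The first added line, `mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;`, repeats the context line two lines above it verbatim, so it is a copy-paste leftover and should be dropped (or replaced if a different counter was meant). The no-data case also only covers a response in which every aggregation is present with a zero `doc_count`; a response lacking `unique_filebeat_count` or `unique_packetbeat_count` altogether would make the adapter's `getOr(null, …)` return null for a field the schema now declares non-null, and nothing in this hunk pins which of the two behaviours is intended. The enclosing `describe` block starts before this hunk.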
@@ -119,6 +128,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
 mockNoDataResponse.aggregations.system_module.package_count.doc_count = 0;
 mockNoDataResponse.aggregations.system_module.process_count.doc_count = 0;
 mockNoDataResponse.aggregations.system_module.user_count.doc_count = 0;
+ mockNoDataResponse.aggregations.system_module.filebeat_count.doc_count = 0;
+ mockNoDataResponse.aggregations.winlog_count.doc_count = 0;
 const mockCallWithRequest = jest.fn();
 mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
 const mockFramework: FrameworkAdapter = {
@@ -146,6 +157,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
 auditbeatPackage: 0,
 auditbeatProcess: 0,
 auditbeatUser: 0,
+ filebeatSystemModule: 0,
+ winlogbeat: 0,
 });
 });
 });
diff --git a/x-pack/plugins/siem/server/lib/overview/elasticsearch_adapter.ts b/x-pack/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
index 130dac6a9cf4c..ebc10a96b25ed 100644
--- a/x-pack/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
+++ b/x-pack/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
@@ -27,11 +27,31 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
 );
 return {
- packetbeatFlow: getOr(null, 'aggregations.unique_flow_count.doc_count', response),
- packetbeatDNS: getOr(null, 'aggregations.unique_dns_count.doc_count', response),
+ auditbeatSocket: getOr(null, 'aggregations.unique_socket_count.doc_count', response),
+ filebeatCisco: getOr(
+ null,
+ 'aggregations.unique_filebeat_count.unique_cisco_count.doc_count',
+ response
+ ),
+ filebeatNetflow: getOr(
+ null,
+ 'aggregations.unique_filebeat_count.unique_netflow_count.doc_count',
+ response
+ ),
+ filebeatPanw: getOr(
+ null,
+ 'aggregations.unique_filebeat_count.unique_panw_count.doc_count',
+ response
+ ),
 filebeatSuricata: getOr(null, 'aggregations.unique_suricata_count.doc_count', response),
 filebeatZeek: getOr(null, 'aggregations.unique_zeek_count.doc_count', response),
- auditbeatSocket: getOr(null, 'aggregations.unique_socket_count.doc_count', response),
+ packetbeatDNS: getOr(null, 'aggregations.unique_dns_count.doc_count', response),
+ packetbeatFlow: getOr(null, 'aggregations.unique_flow_count.doc_count', response),
+ packetbeatTLS: getOr(
+ null,
+ 'aggregations.unique_packetbeat_count.unique_tls_count.doc_count',
+ response
+ ),
 };
 }
@@ -52,6 +72,12 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
 auditbeatPackage: getOr(null, 'aggregations.system_module.package_count.doc_count', response),
 auditbeatProcess: getOr(null, 'aggregations.system_module.process_count.doc_count', response),
 auditbeatUser: getOr(null, 'aggregations.system_module.user_count.doc_count', response),
+ filebeatSystemModule: getOr(
+ null,
+ 'aggregations.system_module.filebeat_count.doc_count',
+ response
+ ),
+ winlogbeat: getOr(null, 'aggregations.winlog_count.doc_count', response),
 };
 }
 }
diff --git a/x-pack/plugins/siem/server/lib/overview/mock.ts b/x-pack/plugins/siem/server/lib/overview/mock.ts
index 935afe2329be6..fd5389cc71a5d 100644
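Review bot: Every field in the returned object, new and existing, keeps `getOr(null, …)` as its fallback while `schema.gql.ts` in this same change declares each `OverviewNetworkData` and `OverviewHostData` field `Float!` and the generated types drop `| null`; if a response ever lacks one of these aggregation paths (the no-data unit test sets every `doc_count` to 0 explicitly, so that case is not exercised), the resolver hands GraphQL a null for a non-null field and the whole overview object is nulled with an error instead of showing a zero count. Either default to zero here, e.g. `filebeatCisco: getOr(0, 'aggregations.unique_filebeat_count.unique_cisco_count.doc_count', response),` and likewise for the other entries, or keep the schema fields nullable so the client-side `!== null` guards remain meaningful; the two contracts should not disagree. The second hunk has the same mismatch for `filebeatSystemModule` and `winlogbeat`. Both enclosing methods start outside their hunks.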
--- a/x-pack/plugins/siem/server/lib/overview/mock.ts
+++ b/x-pack/plugins/siem/server/lib/overview/mock.ts
@@ -48,6 +48,13 @@ export const mockResponseNetwork = {
 unique_suricata_count: { doc_count: 2375 },
 unique_zeek_count: { doc_count: 456 },
 unique_socket_count: { doc_count: 13 },
+ unique_filebeat_count: {
+ doc_count: 456756,
+ unique_cisco_count: { doc_count: 14 },
+ unique_netflow_count: { doc_count: 992 },
+ unique_panw_count: { doc_count: 225 },
+ },
+ unique_packetbeat_count: { doc_count: 7897896, unique_tls_count: { doc_count: 2009 } },
 },
 };
@@ -57,6 +64,10 @@ export const mockResultNetwork = {
 filebeatSuricata: 2375,
 filebeatZeek: 456,
 auditbeatSocket: 13,
+ filebeatCisco: 14,
+ filebeatNetflow: 992,
+ filebeatPanw: 225,
+ packetbeatTLS: 2009,
 };
 export const mockOptionsHost: RequestBasicOptions = {
@@ -104,7 +115,9 @@ export const mockResponseHost = {
 package_count: { doc_count: 2003 },
 process_count: { doc_count: 1200 },
 user_count: { doc_count: 1979 },
+ filebeat_count: { doc_count: 225 },
 },
+ winlog_count: { doc_count: 737 },
 },
 };
@@ -115,4 +128,6 @@ export const mockResultHost = {
 auditbeatPackage: 2003,
 auditbeatProcess: 1200,
 auditbeatUser: 1979,
+ filebeatSystemModule: 225,
+ winlogbeat: 737,
 };
diff --git a/x-pack/plugins/siem/server/lib/overview/query.dsl.ts b/x-pack/plugins/siem/server/lib/overview/query.dsl.ts
index 1a592f156edac..e83e3908b0da8 100644
--- a/x-pack/plugins/siem/server/lib/overview/query.dsl.ts
+++ b/x-pack/plugins/siem/server/lib/overview/query.dsl.ts
@@ -57,6 +57,40 @@ export const buildOverviewNetworkQuery = ({
 term: { 'event.dataset': 'socket' },
 },
 },
+ unique_filebeat_count: {
+ filter: {
+ term: { 'agent.type': 'filebeat' },
+ },
+ aggs: {
+ unique_netflow_count: {
+ filter: {
+ term: { 'input.type': 'netflow' },
+ },
+ },
+ unique_panw_count: {
+ filter: {
+ term: { 'event.module': 'panw' },
+ },
+ },
+ unique_cisco_count: {
+ filter: {
+ term: { 'event.module': 'cisco' },
+ },
+ },
+ },
+ },
+ unique_packetbeat_count: {
+ filter: {
+ term: { 'agent.type': 'packetbeat' },
+ },
+ aggs: {
+ unique_tls_count: {
+ filter: {
+ term: { 'network.protocol': 'tls' },
+ },
+ },
+ },
+ },
 },
 query: {
 bool: {
@@ -111,6 +145,13 @@ export const buildOverviewHostQuery = ({
 },
 },
 },
+ winlog_count: {
+ filter: {
+ term: {
+ 'agent.type': 'winlogbeat',
+ },
+ },
+ },
 system_module: {
 filter: {
 term: {
@@ -146,6 +187,13 @@ export const buildOverviewHostQuery = ({
 },
 },
 },
+ filebeat_count: {
+ filter: {
+ term: {
+ 'agent.type': 'filebeat',
+ },
+ },
+ },
 },
 },
 },
diff --git a/x-pack/plugins/siem/server/lib/overview/types.ts b/x-pack/plugins/siem/server/lib/overview/types.ts
index 6d26b46d48f20..12805047701b6 100644
--- a/x-pack/plugins/siem/server/lib/overview/types.ts
+++ b/x-pack/plugins/siem/server/lib/overview/types.ts
@@ -35,6 +35,22 @@ export interface OverviewNetworkHit extends SearchHit {
 unique_socket_count: {
 doc_count: number;
 };
+ unique_filebeat_count: {
+ unique_netflow_count: {
+ doc_count: number;
+ };
+ unique_panw_count: {
+ doc_count: number;
+ };
+ unique_cisco_count: {
+ doc_count: number;
+ };
+ };
+ unique_packetbeat_count: {
+ unique_tls_count: {
+ doc_count: number;
+ };
+ };
 };
 }
@@ -59,6 +75,12 @@ export interface OverviewHostHit extends SearchHit {
 user_count: {
 doc_count: number;
 };
+ filebeat_count: {
+ doc_count: number;
+ };
+ };
+ winlog_count: {
+ doc_count: number;
 };
 };
 }
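Review bot: In the host query the new `filebeat_count` aggregation is added inside the `system_module` aggregation (the adapter reads it at `aggregations.system_module.filebeat_count.doc_count`), so it counts only filebeat documents that also match the enclosing `system_module` filter, whose term lies outside the hunk, while `winlog_count` sits at the top level; that asymmetry matches the `filebeatSystemModule` and `winlogbeat` names but is easy to misread, so a one-line comment on the aggregation would help: `// nested under system_module on purpose: counts filebeat documents from the system module only`. On the network side, `unique_netflow_count` keys on `input.type` whereas the cisco and panw counters key on `event.module`; if that difference is deliberate, a short comment saying why would save the next reader a trip to the filebeat field mappings. The `buildOverviewNetworkQuery` and `buildOverviewHostQuery` bodies both start before their hunks.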
diff --git a/x-pack/test/api_integration/apis/siem/overview_host.ts b/x-pack/test/api_integration/apis/siem/overview_host.ts
index ce9aeafccf625..79efde3a38500 100644
--- a/x-pack/test/api_integration/apis/siem/overview_host.ts
+++ b/x-pack/test/api_integration/apis/siem/overview_host.ts
@@ -26,6 +26,8 @@ const overviewHostTests: KbnTestProvider = ({ getService }) => {
 auditbeatPackage: 3,
 auditbeatProcess: 7,
 auditbeatUser: 6,
+ filebeatSystemModule: 0,
+ winlogbeat: 0,
 __typename: 'OverviewHostData',
 };
diff --git a/x-pack/test/api_integration/apis/siem/overview_network.ts b/x-pack/test/api_integration/apis/siem/overview_network.ts
index 56a150e13ba6e..1061c37f9ce9d 100644
--- a/x-pack/test/api_integration/apis/siem/overview_network.ts
+++ b/x-pack/test/api_integration/apis/siem/overview_network.ts
@@ -21,11 +21,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
 const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
 const expectedResult = {
- packetbeatFlow: 0,
- packetbeatDNS: 0,
+ auditbeatSocket: 0,
+ filebeatCisco: 0,
+ filebeatNetflow: 1273,
+ filebeatPanw: 0,
 filebeatSuricata: 4547,
 filebeatZeek: 0,
- auditbeatSocket: 0,
+ packetbeatDNS: 0,
+ packetbeatFlow: 0,
+ packetbeatTLS: 0,
 __typename: 'OverviewNetworkData',
 };
@@ -57,11 +61,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
 const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
 const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
 const expectedResult = {
- packetbeatFlow: 0,
- packetbeatDNS: 0,
+ auditbeatSocket: 0,
+ filebeatCisco: 0,
+ filebeatNetflow: 1273,
+ filebeatPanw: 0,
 filebeatSuricata: 4547,
 filebeatZeek: 0,
- auditbeatSocket: 0,
+ packetbeatDNS: 0,
+ packetbeatFlow: 0,
+ packetbeatTLS: 0,
 __typename: 'OverviewNetworkData',
 };
@@ -93,11 +101,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
 const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
 const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
 const expectedResult = {
- packetbeatFlow: 0,
- packetbeatDNS: 0,
+ auditbeatSocket: 0,
+ filebeatCisco: 0,
+ filebeatNetflow: 1273,
+ filebeatPanw: 0,
 filebeatSuricata: 4547,
 filebeatZeek: 0,
- auditbeatSocket: 0,
+ packetbeatDNS: 0,
+ packetbeatFlow: 0,
+ packetbeatTLS: 0,
 __typename: 'OverviewNetworkData',
 };