diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 458fc7b2afe95..5d40ced0200e9 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -301,6 +301,11 @@ datadog_checks_base/datadog_checks/base/checks/windows/ @DataDog/wi /metabase/manifest.json @DataDog/saas-integrations @DataDog/documentation /metabase/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend +/microsoft_sysmon/ @DataDog/agent-integrations +/microsoft_sysmon/*.md @DataDog/agent-integrations @DataDog/documentation +/microsoft_sysmon/manifest.json @DataDog/agent-integrations @DataDog/documentation +/microsoft_sysmon/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core + /mimecast/ @DataDog/saas-integrations /mimecast/*.md @DataDog/saas-integrations @DataDog/documentation /mimecast/manifest.json @DataDog/saas-integrations @DataDog/documentation @@ -513,6 +518,11 @@ plaid/assets/logs/ @DataDog/saa /gpu/*.md @DataDog/ebpf-platform @DataDog/documentation /gpu/manifest.json @DataDog/ebpf-platform @DataDog/agent-integrations @DataDog/documentation +/openvpn/ @DataDog/agent-integrations +/openvpn/*.md @DataDog/agent-integrations @DataDog/documentation +/openvpn/manifest.json @DataDog/agent-integrations @DataDog/documentation +/openvpn/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core + # To keep Security up-to-date with changes to the signing tool. /datadog_checks_dev/datadog_checks/dev/tooling/signing.py @DataDog/agent-integrations # As well as the secure downloader. diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml index 3e01a834acb1b..980778ac50e1d 100644 --- a/.github/workflows/config/labeler.yml +++ b/.github/workflows/config/labeler.yml 
@@ -176,6 +176,8 @@ integration/dcgm: - dcgm/**/* integration/delinea_privilege_manager: - delinea_privilege_manager/**/* +integration/delinea_secret_server: +- delinea_secret_server/**/* integration/directory: - directory/**/* integration/disk: @@ -314,6 +316,8 @@ integration/jmeter: - jmeter/**/* integration/journald: - journald/**/* +integration/juniper_srx_firewall: +- juniper_srx_firewall/**/* integration/kafka: - kafka/**/* integration/kafka_consumer: @@ -390,6 +394,8 @@ integration/mesos_slave: - mesos_slave/**/* integration/metabase: - metabase/**/* +integration/microsoft_sysmon: +- microsoft_sysmon/**/* integration/milvus: - milvus/**/* integration/mimecast: @@ -440,6 +446,8 @@ integration/openstack: - openstack/**/* integration/openstack_controller: - openstack_controller/**/* +integration/openvpn: +- openvpn/**/* integration/oracle: - oracle/**/* integration/orca_security: diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml index ba97546ab400d..e397feedf7ad5 100644 --- a/.github/workflows/datadog-static-analysis.yml +++ b/.github/workflows/datadog-static-analysis.yml @@ -13,8 +13,8 @@ jobs: id: datadog-static-analysis uses: DataDog/datadog-static-analyzer-github-action@v1 with: - dd_api_key: ${{ secrets.DD_API_KEY_2 }} - dd_app_key: ${{ secrets.DD_STATIC_ANALYSIS_APP_KEY_2 }} + dd_api_key: ${{ secrets.DD_API_KEY }} + dd_app_key: ${{ secrets.DD_STATIC_ANALYSIS_APP_KEY }} dd_service: integration-core dd_env: ci dd_site: datadoghq.com diff --git a/.github/workflows/flaky-tests.yml b/.github/workflows/flaky-tests.yml index d77b691be5ba1..68d0204cbe400 100644 --- a/.github/workflows/flaky-tests.yml +++ b/.github/workflows/flaky-tests.yml @@ -29,6 +29,10 @@ jobs: pytest-args: '-m flaky' secrets: inherit + # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github + permissions: + id-token: write + publish-test-results: needs: - test 
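Review bot: Swapping `DD_API_KEY_2` / `DD_STATIC_ANALYSIS_APP_KEY_2` for `DD_API_KEY` / `DD_STATIC_ANALYSIS_APP_KEY` in the `with:` block changes which credentials are handed to the action, but nothing in this diff shows the `_2` pair being revoked; if those are the keys being retired, delete them from the repository or organization secrets once every caller is migrated so that a leaked copy stops working. The same rename is applied in submit-traces.yml, test-fips-e2e.yml and test-target.yml, so the cleanup covers all of them. Separately, the keys are passed to `DataDog/datadog-static-analyzer-github-action@v1`, a mutable tag; pinning the action to a commit SHA (with the tag kept in a trailing comment) prevents a tag move from redirecting the API and app keys elsewhere.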
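Review bot: The new job-level `permissions:` block lists only `id-token: write`, and on GitHub a job that sets `permissions` at all has every unlisted scope reduced to `none`, so the reusable workflow now receives a `GITHUB_TOKEN` that can mint an OIDC token but, as far as this diff shows, can no longer read repository contents. Unless test-target.yml (outside this diff) never uses the token for checkout or API calls, add the read scope explicitly: `permissions:` / `  id-token: write` / `  contents: read`. The identical block is added to test-agent.yml and weekly-latest.yml in this same diff and should be kept in step. Note also that `id-token: write` is not granted to runs triggered by pull requests from forks, so the codecov step this enables should tolerate a missing token instead of failing the job.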
diff --git a/.github/workflows/submit-traces.yml b/.github/workflows/submit-traces.yml index 96269a34ad7cc..865471add95d9 100644 --- a/.github/workflows/submit-traces.yml +++ b/.github/workflows/submit-traces.yml @@ -18,7 +18,7 @@ jobs: ports: - "8126:8126" env: - DD_API_KEY: "${{ secrets.DD_API_KEY_2 }}" + DD_API_KEY: "${{ secrets.DD_API_KEY }}" DD_HOSTNAME: "none" DD_INSIDE_CI: "true" DD_LOG_LEVEL: "warn" diff --git a/.github/workflows/test-agent.yml b/.github/workflows/test-agent.yml index 4cc4a86d90d06..6b952a27218aa 100644 --- a/.github/workflows/test-agent.yml +++ b/.github/workflows/test-agent.yml @@ -49,6 +49,9 @@ jobs: agent-image-windows: "${{ inputs.agent-image-windows }}" agent-image-windows-py2: "${{ inputs.agent-image-windows-py2 }}" secrets: inherit + # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github + permissions: + id-token: write submit-traces: needs: diff --git a/.github/workflows/test-fips-e2e.yml b/.github/workflows/test-fips-e2e.yml index baca94ce311da..fa770b2c54f99 100644 --- a/.github/workflows/test-fips-e2e.yml +++ b/.github/workflows/test-fips-e2e.yml @@ -94,10 +94,10 @@ jobs: - name: Prepare for testing env: PYTHONUNBUFFERED: "1" - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME_2 }} - DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN_2 }} + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }} ORACLE_DOCKER_USERNAME: ${{ secrets.ORACLE_DOCKER_USERNAME }} - ORACLE_DOCKER_PASSWORD: ${{ secrets.ORACLE_DOCKER_PASSWORD_2 }} + ORACLE_DOCKER_PASSWORD: ${{ secrets.ORACLE_DOCKER_PASSWORD }} DD_GITHUB_USER: ${{ github.actor }} DD_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: ddev ci setup ${{ inputs.target || 'tls' }} 
@@ -112,14 +112,14 @@ jobs: - name: Run E2E tests with FIPS disabled env: DDEV_E2E_AGENT: "${{ inputs.agent-image || 'datadog/agent-dev:master-py3' }}" - DD_API_KEY: "${{ secrets.DD_API_KEY_2 }}" + DD_API_KEY: "${{ secrets.DD_API_KEY }}" run: | ddev env test --base --new-env --junit ${{ inputs.target || 'tls' }} -- all -m "fips_off" - name: Run E2E tests with FIPS enabled env: DDEV_E2E_AGENT: "${{ inputs.agent-image-fips || 'datadog/agent-dev:master-fips' }}" - DD_API_KEY: "${{ secrets.DD_API_KEY_2 }}" + DD_API_KEY: "${{ secrets.DD_API_KEY }}" run: | ddev env test --base --new-env --junit ${{ inputs.target || 'tls' }} -- all -k "fips_on" diff --git a/.github/workflows/test-target.yml b/.github/workflows/test-target.yml index 798ec4341135d..7448ee1abb543 100644 --- a/.github/workflows/test-target.yml +++ b/.github/workflows/test-target.yml @@ -202,10 +202,10 @@ jobs: "DD_GITHUB_USER": "{4}", "DD_GITHUB_TOKEN": "{5}" }}', - secrets.DOCKER_USERNAME_2, - secrets.DOCKER_ACCESS_TOKEN_2, + secrets.DOCKER_USERNAME, + secrets.DOCKER_ACCESS_TOKEN, secrets.ORACLE_DOCKER_USERNAME, - secrets.ORACLE_DOCKER_PASSWORD_2, + secrets.ORACLE_DOCKER_PASSWORD, github.actor, secrets.GITHUB_TOKEN ))}} @@ -260,7 +260,7 @@ jobs: - name: Run E2E tests with latest base package if: inputs.standard && inputs.repo == 'core' && !inputs.minimum-base-package env: - DD_API_KEY: "${{ secrets.DD_API_KEY_2 }}" + DD_API_KEY: "${{ secrets.DD_API_KEY }}" run: | # '-- all' is passed for e2e tests if pytest args are provided # This is done to avoid ddev from interpreting the arguments as environments @@ -298,7 +298,7 @@ jobs: - name: Run E2E tests if: inputs.standard && inputs.repo != 'core' env: - DD_API_KEY: "${{ secrets.DD_API_KEY_2 }}" + DD_API_KEY: "${{ secrets.DD_API_KEY }}" run: | # '-- all' is passed for e2e tests if pytest args are provided # This is done to avoid ddev from interpreting the arguments as environments 
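Review bot: The renamed `secrets.DOCKER_USERNAME`, `secrets.DOCKER_ACCESS_TOKEN` and `secrets.ORACLE_DOCKER_PASSWORD` are still spliced into a JSON document by `format()` with no escaping, so any credential value containing a double quote or a backslash yields malformed JSON and a confusing parse failure rather than an authentication error. Rotating to the new secret names is a natural moment to confirm their values are free of those characters, or to pass each secret as its own `env:` entry instead of a hand-built JSON string. The `format()` call and the step that consumes its output begin outside this hunk. If the JSON approach stays, a one-line warning above the argument list would help the next maintainer: `# values are interpolated unescaped; these secrets must not contain '"' or '\'`.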
@@ -344,7 +344,7 @@ jobs: - name: Run E2E tests for the latest version if: inputs.latest env: - DD_API_KEY: "${{ secrets.DD_API_KEY_2 }}" + DD_API_KEY: "${{ secrets.DD_API_KEY }}" DDEV_TEST_ENABLE_TRACING: "${{ inputs.repo == 'core' && '1' || '0' }}" run: | # '-- all' is passed for e2e tests if pytest args are provided diff --git a/.github/workflows/weekly-latest.yml b/.github/workflows/weekly-latest.yml index 697fec9bbc83e..7d920e9c09897 100644 --- a/.github/workflows/weekly-latest.yml +++ b/.github/workflows/weekly-latest.yml @@ -14,6 +14,9 @@ jobs: # Options latest: true secrets: inherit + # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github + permissions: + id-token: write submit-traces: needs: diff --git a/AGENT_CHANGELOG.md b/AGENT_CHANGELOG.md index 4a34d83a16599..f1deaeeef5622 100644 --- a/AGENT_CHANGELOG.md +++ b/AGENT_CHANGELOG.md 
@@ -1,3 +1,40 @@ +## Datadog Agent version [7.65.0](https://github.com/DataDog/datadog-agent/blob/master/CHANGELOG.rst#7650) + +* Amazon Kafka [6.4.0](https://github.com/DataDog/integrations-core/blob/master/amazon_msk/CHANGELOG.md) +* Avi Vantage [5.3.0](https://github.com/DataDog/integrations-core/blob/master/avi_vantage/CHANGELOG.md) +* Ceph [4.1.0](https://github.com/DataDog/integrations-core/blob/master/ceph/CHANGELOG.md) +* cert-manager [5.3.0](https://github.com/DataDog/integrations-core/blob/master/cert_manager/CHANGELOG.md) +* Datadog Checks Base [37.8.0](https://github.com/DataDog/integrations-core/blob/master/datadog_checks_base/CHANGELOG.md) +* Cisco ACI [4.4.0](https://github.com/DataDog/integrations-core/blob/master/cisco_aci/CHANGELOG.md) +* Cisco Secure Web Appliance [1.0.0](https://github.com/DataDog/integrations-core/blob/master/cisco_secure_web_appliance/CHANGELOG.md) +* CouchDB [8.3.0](https://github.com/DataDog/integrations-core/blob/master/couch/CHANGELOG.md) +* FoundationDB [3.2.0](https://github.com/DataDog/integrations-core/blob/master/foundationdb/CHANGELOG.md) +* HTTP [11.2.0](https://github.com/DataDog/integrations-core/blob/master/http_check/CHANGELOG.md) +* Infiniband [1.0.0](https://github.com/DataDog/integrations-core/blob/master/infiniband/CHANGELOG.md) +* Kafka Consumer [6.5.1](https://github.com/DataDog/integrations-core/blob/master/kafka_consumer/CHANGELOG.md) +* KubeVirt API [1.2.0](https://github.com/DataDog/integrations-core/blob/master/kubevirt_api/CHANGELOG.md) +* MarkLogic [6.1.1](https://github.com/DataDog/integrations-core/blob/master/marklogic/CHANGELOG.md) +* MongoDB [9.0.0](https://github.com/DataDog/integrations-core/blob/master/mongo/CHANGELOG.md) **BREAKING CHANGE** +* MySQL [14.9.0](https://github.com/DataDog/integrations-core/blob/master/mysql/CHANGELOG.md) +* Network [5.2.0](https://github.com/DataDog/integrations-core/blob/master/network/CHANGELOG.md) +* Octopus Deploy 
[1.0.2](https://github.com/DataDog/integrations-core/blob/master/octopus_deploy/CHANGELOG.md) +* OpenStack Controller [8.3.1](https://github.com/DataDog/integrations-core/blob/master/openstack_controller/CHANGELOG.md) +* PGBouncer [8.1.2](https://github.com/DataDog/integrations-core/blob/master/pgbouncer/CHANGELOG.md) +* Postgres [22.8.0](https://github.com/DataDog/integrations-core/blob/master/postgres/CHANGELOG.md) +* Redis [7.2.0](https://github.com/DataDog/integrations-core/blob/master/redisdb/CHANGELOG.md) +* RiakCS [4.3.0](https://github.com/DataDog/integrations-core/blob/master/riakcs/CHANGELOG.md) +* Silverstripe CMS [1.0.0](https://github.com/DataDog/integrations-core/blob/master/silverstripe_cms/CHANGELOG.md) +* Slurm [1.1.0](https://github.com/DataDog/integrations-core/blob/master/slurm/CHANGELOG.md) +* SNMP [9.2.1](https://github.com/DataDog/integrations-core/blob/master/snmp/CHANGELOG.md) +* SonarQube [5.2.1](https://github.com/DataDog/integrations-core/blob/master/sonarqube/CHANGELOG.md) +* sonatype_nexus [1.1.0](https://github.com/DataDog/integrations-core/blob/master/sonatype_nexus/CHANGELOG.md) +* Spark [6.3.0](https://github.com/DataDog/integrations-core/blob/master/spark/CHANGELOG.md) +* SQL Server [22.0.1](https://github.com/DataDog/integrations-core/blob/master/sqlserver/CHANGELOG.md) **BREAKING CHANGE** +* TLS [4.3.0](https://github.com/DataDog/integrations-core/blob/master/tls/CHANGELOG.md) +* Velero [2.0.0](https://github.com/DataDog/integrations-core/blob/master/velero/CHANGELOG.md) +* vSphere [8.2.1](https://github.com/DataDog/integrations-core/blob/master/vsphere/CHANGELOG.md) +* Windows Event Log [5.1.1](https://github.com/DataDog/integrations-core/blob/master/win32_event_log/CHANGELOG.md) + ## Datadog Agent version [7.64.2](https://github.com/DataDog/datadog-agent/blob/master/CHANGELOG.rst#7642) * MongoDB [8.6.0](https://github.com/DataDog/integrations-core/blob/master/mongo/CHANGELOG.md) 
diff --git a/AGENT_INTEGRATIONS.md b/AGENT_INTEGRATIONS.md index 9f864f8afdd1b..1b8527d368a8e 100644 --- a/AGENT_INTEGRATIONS.md +++ b/AGENT_INTEGRATIONS.md 
@@ -1,3 +1,228 @@ +## Datadog Agent version 7.65.0 + +* datadog-active-directory: 4.1.0 +* datadog-activemq-xml: 5.1.0 +* datadog-activemq: 5.0.0 +* datadog-aerospike: 4.1.0 +* datadog-airflow: 6.3.0 +* datadog-amazon-msk: 6.4.0 +* datadog-ambari: 6.1.0 +* datadog-apache: 6.1.0 +* datadog-appgate-sdp: 1.1.0 +* datadog-arangodb: 3.2.0 +* datadog-argo-rollouts: 2.2.0 +* datadog-argo-workflows: 2.3.0 +* datadog-argocd: 3.3.0 +* datadog-aspdotnet: 4.1.0 +* datadog-avi-vantage: 5.3.0 +* datadog-aws-neuron: 2.1.0 +* datadog-azure-iot-edge: 6.1.0 +* datadog-boundary: 3.2.0 +* datadog-btrfs: 4.0.0 +* datadog-cacti: 4.0.0 +* datadog-calico: 4.1.0 +* datadog-cassandra-nodetool: 3.0.0 +* datadog-cassandra: 3.0.0 +* datadog-ceph: 4.1.0 +* datadog-cert-manager: 5.3.0 +* datadog-checkpoint-quantum-firewall: 1.0.0 +* datadog-checks-base: 37.8.0 +* datadog-checks-dependency-provider: 3.0.0 +* datadog-checks-downloader: 7.1.0 +* datadog-cilium: 5.2.0 +* datadog-cisco-aci: 4.4.0 +* datadog-cisco-secure-firewall: 1.0.0 +* datadog-cisco-secure-web-appliance: 1.0.0 +* datadog-citrix-hypervisor: 5.1.0 +* datadog-clickhouse: 5.2.0 +* datadog-cloud-foundry-api: 5.2.0 +* datadog-cloudera: 3.2.0 +* datadog-cockroachdb: 5.1.0 +* datadog-confluent-platform: 3.0.0 +* datadog-consul: 4.1.0 +* datadog-coredns: 5.1.0 +* datadog-couch: 8.3.0 +* datadog-couchbase: 5.1.0 +* datadog-crio: 4.1.0 +* datadog-datadog-cluster-agent: 5.5.0 +* datadog-dcgm: 3.3.0 +* datadog-delinea-privilege-manager: 1.0.0 +* datadog-directory: 4.0.1 +* datadog-disk: 7.0.0 +* datadog-dns-check: 5.1.0 +* datadog-dotnetclr: 4.1.0 +* datadog-druid: 4.1.0 +* datadog-duckdb: 1.0.0 +* datadog-ecs-fargate: 6.1.0 +* datadog-eks-fargate: 6.1.0 +* datadog-elastic: 8.1.0 +* datadog-envoy: 5.1.0 +* datadog-esxi: 3.0.0 +* datadog-etcd: 8.1.0 +* datadog-exchange-server: 4.1.0 +* datadog-external-dns: 5.1.0 +* datadog-flink: 3.0.0 +* datadog-fluentd: 5.1.0 +* datadog-fluxcd: 2.2.0 +* datadog-fly-io: 2.1.0 +* datadog-foundationdb: 3.2.0 +* 
datadog-gearmand: 5.0.0 +* datadog-gitlab-runner: 6.1.0 +* datadog-gitlab: 9.1.0 +* datadog-glusterfs: 3.0.1 +* datadog-go-expvar: 4.1.0 +* datadog-gunicorn: 4.0.0 +* datadog-haproxy: 7.1.0 +* datadog-harbor: 5.1.0 +* datadog-hazelcast: 6.2.0 +* datadog-hdfs-datanode: 6.1.0 +* datadog-hdfs-namenode: 6.1.0 +* datadog-hive: 2.1.0 +* datadog-hivemq: 2.1.0 +* datadog-http-check: 11.2.0 +* datadog-hudi: 4.0.0 +* datadog-hyperv: 3.0.0 +* datadog-ibm-ace: 4.1.0 +* datadog-ibm-db2: 4.0.1 +* datadog-ibm-i: 4.1.0 +* datadog-ibm-mq: 8.1.0 +* datadog-ibm-was: 5.1.0 +* datadog-ignite: 3.1.0 +* datadog-iis: 5.1.0 +* datadog-impala: 3.2.0 +* datadog-infiniband: 1.0.0 +* datadog-istio: 8.1.0 +* datadog-ivanti-connect-secure: 1.0.0 +* datadog-jboss-wildfly: 3.1.0 +* datadog-journald: 3.0.0 +* datadog-kafka-consumer: 6.5.1 +* datadog-kafka: 4.0.0 +* datadog-karpenter: 2.2.0 +* datadog-keda: 1.0.1 +* datadog-keycloak: 1.0.0 +* datadog-kong: 5.1.0 +* datadog-kube-apiserver-metrics: 6.2.0 +* datadog-kube-controller-manager: 7.1.0 +* datadog-kube-dns: 6.1.0 +* datadog-kube-metrics-server: 5.1.0 +* datadog-kube-proxy: 8.1.0 +* datadog-kube-scheduler: 6.1.0 +* datadog-kubeflow: 1.1.0 +* datadog-kubelet: 9.1.0 +* datadog-kubernetes-cluster-autoscaler: 2.2.0 +* datadog-kubernetes-state: 10.1.0 +* datadog-kubevirt-api: 1.2.0 +* datadog-kubevirt-controller: 1.1.0 +* datadog-kubevirt-handler: 1.1.0 +* datadog-kyototycoon: 4.1.0 +* datadog-kyverno: 2.2.0 +* datadog-lighttpd: 5.1.0 +* datadog-linkerd: 6.1.0 +* datadog-linux-proc-extras: 4.0.0 +* datadog-mapr: 3.0.0 +* datadog-mapreduce: 6.1.0 +* datadog-marathon: 4.1.0 +* datadog-marklogic: 6.1.1 +* datadog-mcache: 6.1.0 +* datadog-mesos-master: 5.1.0 +* datadog-mesos-slave: 5.1.0 +* datadog-milvus: 1.2.0 +* datadog-mongo: 9.0.0 +* datadog-mysql: 14.9.0 +* datadog-nagios: 3.0.0 +* datadog-network: 5.2.0 +* datadog-nfsstat: 3.0.0 +* datadog-nginx-ingress-controller: 4.1.0 +* datadog-nginx: 8.1.0 +* datadog-nvidia-nim: 1.1.0 +* 
datadog-nvidia-triton: 2.2.0 +* datadog-octopus-deploy: 1.0.2 +* datadog-openldap: 3.0.0 +* datadog-openmetrics: 6.1.0 +* datadog-openstack-controller: 8.3.1 +* datadog-openstack: 4.0.0 +* datadog-oracle: 6.0.0 +* datadog-ossec-security: 2.0.0 +* datadog-palo-alto-panorama: 1.0.0 +* datadog-pan-firewall: 3.0.0 +* datadog-pdh-check: 4.1.0 +* datadog-pgbouncer: 8.1.2 +* datadog-php-fpm: 5.1.0 +* datadog-ping-federate: 2.0.0 +* datadog-postfix: 3.0.0 +* datadog-postgres: 22.8.0 +* datadog-powerdns-recursor: 4.1.0 +* datadog-presto: 3.1.0 +* datadog-process: 5.0.0 +* datadog-prometheus: 5.0.0 +* datadog-proxysql: 7.1.0 +* datadog-pulsar: 3.2.0 +* datadog-quarkus: 1.1.0 +* datadog-rabbitmq: 7.1.0 +* datadog-ray: 2.2.0 +* datadog-redisdb: 7.2.0 +* datadog-rethinkdb: 5.1.0 +* datadog-riak: 5.1.0 +* datadog-riakcs: 4.3.0 +* datadog-sap-hana: 5.1.0 +* datadog-scylla: 4.1.0 +* datadog-sidekiq: 3.0.0 +* datadog-silk: 4.1.0 +* datadog-silverstripe-cms: 1.0.0 +* datadog-singlestore: 4.1.0 +* datadog-slurm: 1.1.0 +* datadog-snmp: 9.2.1 +* datadog-snowflake: 7.4.0 +* datadog-solr: 2.1.0 +* datadog-sonarqube: 5.2.1 +* datadog-sonatype-nexus: 1.1.0 +* datadog-sonicwall-firewall: 1.0.0 +* datadog-spark: 6.3.0 +* datadog-sqlserver: 22.0.1 +* datadog-squid: 4.1.0 +* datadog-ssh-check: 4.2.0 +* datadog-statsd: 3.0.0 +* datadog-strimzi: 3.2.0 +* datadog-supabase: 1.1.1 +* datadog-supervisord: 4.0.0 +* datadog-suricata: 2.0.0 +* datadog-symantec-endpoint-protection: 1.0.0 +* datadog-system-core: 4.0.0 +* datadog-system-swap: 3.0.0 +* datadog-tcp-check: 6.0.0 +* datadog-teamcity: 6.1.0 +* datadog-tekton: 2.2.0 +* datadog-teleport: 2.3.0 +* datadog-temporal: 3.2.0 +* datadog-tenable: 3.0.0 +* datadog-teradata: 4.0.0 +* datadog-tibco-ems: 2.1.0 +* datadog-tls: 4.3.0 +* datadog-tokumx: 3.2.0 +* datadog-tomcat: 4.0.0 +* datadog-torchserve: 3.2.0 +* datadog-traefik-mesh: 2.2.0 +* datadog-traffic-server: 3.2.0 +* datadog-twemproxy: 3.0.0 +* datadog-twistlock: 5.1.0 +* datadog-varnish: 4.0.0 +* 
datadog-vault: 6.1.0 +* datadog-velero: 2.0.0 +* datadog-vertica: 6.1.0 +* datadog-vllm: 2.3.0 +* datadog-voltdb: 5.1.0 +* datadog-vsphere: 8.2.1 +* datadog-wazuh: 1.0.0 +* datadog-weaviate: 3.2.0 +* datadog-weblogic: 3.0.0 +* datadog-win32-event-log: 5.1.1 +* datadog-windows-performance-counters: 3.1.0 +* datadog-windows-service: 6.1.0 +* datadog-wmi-check: 3.1.0 +* datadog-yarn: 7.1.0 +* datadog-zeek: 1.0.0 +* datadog-zk: 6.1.0 + ## Datadog Agent version 7.64.2 * datadog-active-directory: 4.1.0 diff --git a/amazon_msk/CHANGELOG.md b/amazon_msk/CHANGELOG.md index 99af33d0cf4f9..472ee5ceb4880 100644 --- a/amazon_msk/CHANGELOG.md +++ b/amazon_msk/CHANGELOG.md @@ -8,7 +8,7 @@ * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962)) -## 6.4.0 / 2025-03-19 +## 6.4.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/avi_vantage/CHANGELOG.md b/avi_vantage/CHANGELOG.md index 2cd5ab2791f70..effeab6ac3619 100644 --- a/avi_vantage/CHANGELOG.md +++ b/avi_vantage/CHANGELOG.md @@ -2,7 +2,7 @@ -## 5.3.0 / 2025-03-19 +## 5.3.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/ceph/CHANGELOG.md b/ceph/CHANGELOG.md index 03cb8cffb61fd..2dc23ebabc9fa 100644 --- a/ceph/CHANGELOG.md +++ b/ceph/CHANGELOG.md @@ -2,7 +2,7 @@ -## 4.1.0 / 2025-03-19 +## 4.1.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/cert_manager/CHANGELOG.md b/cert_manager/CHANGELOG.md index 9b694fb8504e2..e0c07f67454fe 100644 --- a/cert_manager/CHANGELOG.md +++ b/cert_manager/CHANGELOG.md @@ -2,7 +2,7 @@ -## 5.3.0 / 2025-03-19 +## 5.3.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/cisco_aci/CHANGELOG.md b/cisco_aci/CHANGELOG.md index 992083e4fb792..f2ba0acfb8de4 100644 --- a/cisco_aci/CHANGELOG.md +++ b/cisco_aci/CHANGELOG.md @@ -8,7 +8,7 @@ * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962)) -## 4.4.0 / 2025-03-19 +## 4.4.0 / 2025-03-19 / Agent 7.65.0 ***Added***: 
diff --git a/cisco_aci/assets/monitors/cpu_high.json b/cisco_aci/assets/monitors/cpu_high.json index 51eb2acce6218..956911580d65c 100644 --- a/cisco_aci/assets/monitors/cpu_high.json +++ b/cisco_aci/assets/monitors/cpu_high.json @@ -8,7 +8,7 @@ "name": "[Cisco ACI] Avg CPU usage is high for {{device_ip.name}} in namespace {{device_namespace.name}}", "type": "query alert", "query": "avg(last_5m):avg:cisco_aci.fabric.node.cpu.avg{*} by {device_ip,device_namespace} > 90", - "message": "{{#is_alert}} \n{{device_ip.name}} in namespace {{device_namespace.name}} is reporting high CPU usage (at or above 90%).\n{{/is_alert}}\n\n{{#is_warning}}\n{{device_ip.name}} in namespace {{device_namespace.name}} is reporting higher CPU usage (at or above 80%).\n{{/is_warning}} \n\n{{#is_recovery}}\nCPU usage for {{device_ip.name}} in namespace {{device_namespace.name}} is back to normal.\n{{/is_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", + "message": "{{#is_alert}} \n{{device_ip.name}} in namespace {{device_namespace.name}} is reporting high CPU usage (at or above 90%).\n{{/is_alert}}\n\n{{#is_warning}}\n{{device_ip.name}} in namespace {{device_namespace.name}} is reporting higher CPU usage (at or above 80%).\n{{/is_warning}} \n\n{{#is_recovery}}\nCPU usage for {{device_ip.name}} in namespace {{device_namespace.name}} is back to normal.\n{{/is_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", "tags": [], "options": { "thresholds": { 
diff --git a/cisco_aci/assets/monitors/interface_down.json b/cisco_aci/assets/monitors/interface_down.json index 24b964e0c021e..8b12e1e17e922 100644 --- a/cisco_aci/assets/monitors/interface_down.json +++ b/cisco_aci/assets/monitors/interface_down.json @@ -8,7 +8,7 @@ "name": "[Cisco ACI] Interface {{port.name}} down alert on device {{device_ip.name}} in namespace {{device_namespace.name}}", "type": "query alert", "query": "avg(last_5m):avg:cisco_aci.fabric.port.status{status:down} by {device_ip,device_namespace,port} == 1", - "message": "{{#is_alert}}\nInterface {{port.name}} of network device with IP {{device_ip.name}} in namespace {{device_namespace.name}} is reporting DOWN.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nInterface {{port.name}} of network device with IP {{device_ip.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}&detailsTab=interfaces).", + "message": "{{#is_alert}}\nInterface {{port.name}} of network device with IP {{device_ip.name}} in namespace {{device_namespace.name}} is reporting DOWN.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nInterface {{port.name}} of network device with IP {{device_ip.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}&detailsTab=interfaces).", "tags": [], "options": { "thresholds": { diff --git a/cisco_sdwan/assets/monitors/device_reboot.json b/cisco_sdwan/assets/monitors/device_reboot.json index 41c7e88a44d47..7278cf6d5b903 100644 
--- a/cisco_sdwan/assets/monitors/device_reboot.json +++ b/cisco_sdwan/assets/monitors/device_reboot.json @@ -11,7 +11,7 @@ "name": "[Cisco SD-WAN] Device {{device_hostname.name}} ({{device_ip.name}}) rebooted more than 3 times in the last 10 minutes", "type": "query alert", "query": "sum(last_10m):sum:cisco_sdwan.reboot.count{*} by {device_namespace,device_hostname,device_ip,device_id} > 3", - "message": "{{#is_alert}}\nSD-WAN Device {{device_hostname.name}} ({{device_ip.name}}) rebooted more than 3 times in the last 10 minutes.\n{{/is_alert}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", + "message": "{{#is_alert}}\nSD-WAN Device {{device_hostname.name}} ({{device_ip.name}}) rebooted more than 3 times in the last 10 minutes.\n{{/is_alert}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", "tags": [], "options": { "thresholds": { diff --git a/cisco_sdwan/assets/monitors/device_unreachable.json b/cisco_sdwan/assets/monitors/device_unreachable.json index 0355c7270ebed..bcf0b4522d7f7 100644 --- a/cisco_sdwan/assets/monitors/device_unreachable.json +++ b/cisco_sdwan/assets/monitors/device_unreachable.json 
@@ -11,7 +11,7 @@ "name": "[Cisco SD-WAN] Device unreachable alert on {{device_hostname.name}} in namespace {{device_namespace.name}}", "type": "query alert", "query": "avg(last_5m):max:cisco_sdwan.device.reachable{*} by {device_hostname,device_ip,device_namespace,device_id} < 0.8", - "message": "{{#is_alert}}\nA network device {{device_hostname.name}} with IP {{device_ip.name}} in namespace {{device_namespace.name}} is unreachable.\n{{/is_alert}}\n{{#is_alert_recovery}}\nA network device {{device_hostname.name}} with IP {{device_ip.name}} in namespace {{device_namespace.name}} is reachable again.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", + "message": "{{#is_alert}}\nA network device {{device_hostname.name}} with IP {{device_ip.name}} in namespace {{device_namespace.name}} is unreachable.\n{{/is_alert}}\n{{#is_alert_recovery}}\nA network device {{device_hostname.name}} with IP {{device_ip.name}} in namespace {{device_namespace.name}} is reachable again.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", "tags": [], "options": { "thresholds": { diff --git a/cisco_sdwan/assets/monitors/tunnel_down.json b/cisco_sdwan/assets/monitors/tunnel_down.json index 488e7cfb947b2..b288fae92285c 100644 --- a/cisco_sdwan/assets/monitors/tunnel_down.json +++ b/cisco_sdwan/assets/monitors/tunnel_down.json 
@@ -11,7 +11,7 @@ "name": "[Cisco SD-WAN] Tunnel is down between {{local_color.name}} {{hostname.name}} ({{device_ip.name}}) to {{remote_color.name}} {{remote_hostname.name}} ({{remote_device_ip.name}})", "type": "query alert", "query": "min(last_15m):min:cisco_sdwan.tunnel.status{*} by {device_id,device_namespace,device_ip,device_hostname,local_color,remote_device_ip,remote_device_hostname,remote_color} < 1", - "message": "{{#is_alert}}\nSD-WAN Tunnel is down between device {{device_hostname.name}} ({{device_ip.name}}), color {{local_color.name}} to device {{remote_device_hostname.name}} ({{remote_device_ip.name}}), color {{remote_color.name}}.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nSD-WAN Tunnel is back up between device {{device_hostname.name}} ({{device_ip.name}}), color {{local_color.name}} to device {{remote_device_hostname.name}} ({{remote_device_ip.name}}), color {{remote_color.name}}.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", + "message": "{{#is_alert}}\nSD-WAN Tunnel is down between device {{device_hostname.name}} ({{device_ip.name}}), color {{local_color.name}} to device {{remote_device_hostname.name}} ({{remote_device_ip.name}}), color {{remote_color.name}}.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nSD-WAN Tunnel is back up between device {{device_hostname.name}} ({{device_ip.name}}), color {{local_color.name}} to device {{remote_device_hostname.name}} ({{remote_device_ip.name}}), color {{remote_color.name}}.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{device_ip.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{device_ip.name}}).", "tags": [], "options": { "thresholds": { 
diff --git a/cisco_secure_web_appliance/CHANGELOG.md b/cisco_secure_web_appliance/CHANGELOG.md index e0f267ef37abc..590393e6aa0ae 100644 --- a/cisco_secure_web_appliance/CHANGELOG.md +++ b/cisco_secure_web_appliance/CHANGELOG.md @@ -2,7 +2,7 @@ -## 1.0.0 / 2025-03-19 +## 1.0.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/couch/CHANGELOG.md b/couch/CHANGELOG.md index af9164b23166a..b01c97aa5dc68 100644 --- a/couch/CHANGELOG.md +++ b/couch/CHANGELOG.md @@ -2,7 +2,7 @@ -## 8.3.0 / 2025-03-19 +## 8.3.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/datadog_checks_base/CHANGELOG.md b/datadog_checks_base/CHANGELOG.md index 1302d5515434f..5c0c7ef076c8d 100644 --- a/datadog_checks_base/CHANGELOG.md +++ b/datadog_checks_base/CHANGELOG.md @@ -29,7 +29,7 @@ * Remove unnecessary `pyyaml` usage ([#19863](https://github.com/DataDog/integrations-core/pull/19863)) -## 37.8.0 / 2025-03-19 +## 37.8.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/delinea_secret_server/CHANGELOG.md b/delinea_secret_server/CHANGELOG.md new file mode 100644 index 0000000000000..d1ba78839a18f --- /dev/null +++ b/delinea_secret_server/CHANGELOG.md @@ -0,0 +1,3 @@ +# CHANGELOG - delinea_secret_server + + diff --git a/delinea_secret_server/README.md b/delinea_secret_server/README.md new file mode 100644 index 0000000000000..8722e1e7ec122 --- /dev/null +++ b/delinea_secret_server/README.md 
@@ -0,0 +1,144 @@ +## Overview + +[Delinea Secret Server][4] is an enterprise-grade password management solution designed to help organizations securely store, manage, and control access to privileged credentials. It aims to improve the security of sensitive data, reduce the risk of data breaches, and streamline the password management process. + +This integration enriches and ingests the following logs: + +- **Secret Server Logs**: Represents an event where a user performs an action (such as viewing, adding, or modifying) on a stored secret, folder, group, or user. It provides details including the user's identity, the source of the action, and the item the action was performed. + +After it collects the logs, Delinea Secret Server channels them into Datadog for analysis. Using the built-in logs pipeline, these logs are parsed and enriched, allowing for effortless search and analysis. The integration provides insights into secret server logs through out-of-the-box dashboards and includes ready-to-use Cloud SIEM detection rules for improved monitoring and security. + +## Setup + +### Installation + +To install the Delinea Secret Server integration, run the following Agent installation command and the following steps. For more information, see the [Integration Management][5] documentation. + +**Note**: This step is not necessary for Agent version >= 7.65.0. + +Linux command: + + ```shell + sudo -u dd-agent -- datadog-agent integration install datadog-delinea-secret-server==1.0.0 + ``` + +### Configuration + +#### Log collection + +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file: + + ```yaml + logs_enabled: true + ``` + +2. Add this configuration block to your `delinea_secret_server.d/conf.yaml` file to start collecting your Delinea Secret Server logs. 
+ + ```yaml + logs: + - type: tcp/udp + port: + source: delinea-secret-server + service: delinea-secret-server + ``` + + For available configuration options, see the [sample delinea_secret_server.d/conf.yaml][7]. Choose the appropriate protocol (either TCP or UDP) based on your Delinea Secret Server syslog forwarding configuration. + + **Note**: Do not change the service and source values, as these parameters are integral to the pipeline's operation. + +3. [Restart the Agent][1]. + +#### Configure syslog message forwarding from Delinea Secret Server + +1. Log in to the **Delinea Secret Server** platform. +2. Navigate to **Settings** > **All Settings**. +3. Navigate to **Configuration** > **General** > **Application**. +4. Click **Edit**. +5. Check **Enable Syslog/CEF Log Output**. +6. Fill out the following information: + + - **Syslog/CEF Server**: Enter Syslog/CEF Server Address. + - **Syslog/CEF Port**: Enter Syslog/CEF Server Port. + - **Syslog/CEF Protocol**: Select TCP or UDP. + - **Syslog/CEF Time Zone**: Select UTC Time. + - **Syslog/CEF DateTime Format**: Select ISO 8601. + - **Syslog/CEF Site**: Select the site that the CEF/Syslogs will run on. + +7. Click **Save**. + +### Validation + +[Run the Agent's status subcommand][2] and look for `delinea_secret_server` under the Checks section. + +## Data Collected + +### Logs + +The Delinea Secret Server integration collects Secret Server Logs. + +### Metrics + +The Delinea Secret Server integration does not include any metrics. + +### Events + +The Delinea Secret Server integration does not include any events. + +### Service Checks + +The Delinea Secret Server integration does not include any service checks. + +## Troubleshooting + +### Permission denied while port binding + +If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions: + + 1. Binding to a port number under 1024 requires elevated permissions. 
Grant access to the port using the `setcap` command: + + - Grant access to the port using the `setcap` command: + + ```shell + sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent + ``` + + - Verify the setup is correct by running the `getcap` command: + + ```shell + sudo getcap /opt/datadog-agent/bin/agent/agent + ``` + + With the expected output: + + ```shell + /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep + ``` + + **Note**: Re-run this `setcap` command every time you upgrade the Agent. + + 2. [Restart the Agent][1]. + +### Data is not being collected + +Make sure that traffic is bypassed from the configured port if the firewall is enabled. + +### Port already in use + +If you see the **Port Already in Use** error, see the following instructions. The example below is for PORT-NO = 514: + +On systems using Syslog, if the Agent listens for Delinea Secret Server logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. + +By default, Syslog listens on port 514. To resolve this error, take **one** of the following steps: + +- Disable Syslog. +- Configure the Agent to listen on a different, available port. + +Need help? Contact [Datadog support][3]. + +[1]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[3]: https://docs.datadoghq.com/help/ +[4]: https://delinea.com/products/secret-server +[5]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install +[6]: https://docs.delinea.com/online-help/secret-server/start.htm +[7]: https://github.com/DataDog/integrations-core/blob/master/delinea_secret_server/datadog_checks/delinea_secret_server/data/conf.yaml.example \ No newline at end of file 
diff --git a/delinea_secret_server/assets/configuration/spec.yaml b/delinea_secret_server/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..7a2cb871ec593 --- /dev/null +++ b/delinea_secret_server/assets/configuration/spec.yaml @@ -0,0 +1,10 @@ +name: Delinea Secret Server +files: +- name: delinea_secret_server.yaml + options: + - template: logs + example: + - type: tcp/udp + port: + source: delinea-secret-server + service: delinea-secret-server diff --git a/delinea_secret_server/assets/dashboards/delinea_secret_server_overview.json b/delinea_secret_server/assets/dashboards/delinea_secret_server_overview.json new file mode 100644 index 0000000000000..3f0c5e72c3469 --- /dev/null +++ b/delinea_secret_server/assets/dashboards/delinea_secret_server_overview.json 
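Review bot: The `port:` key in the example block has no value, so if a user uncomments it as-is it parses as YAML null rather than a port number, and `tcp/udp` is not a valid `type` value either; both are placeholders, but nothing marks them as such, and the README block elsewhere in this change repeats the same empty `port:`. A placeholder that cannot be parsed silently, e.g. `port: <PORT>` and `type: tcp  # or udp, to match the Secret Server forwarding setting`, makes the required edit obvious. Since this opens a listener for plaintext syslog carrying privileged-credential audit events, a one-line comment in the example advising that the port be firewalled to the Secret Server host would also help; whether the Agent listener can be bound to a specific interface is not visible here, so I have not proposed that.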
@@ -0,0 +1,6308 @@ +{ + "title": "Delinea Secret Server - Overview", + "description": "This dashboard provides information about the logs generated on Delinea Secret Server.", + "widgets": [ + { + "id": 305055884021620, + "definition": { + "title": "", + "banner_img": "https://delinea.com/hubfs/Delinea/images/delinea-image-product-secret-server.jpeg", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [] + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 1160843407582480, + "definition": { + "type": "note", + "content": "Delinea Secret Server is an enterprise-grade password management solution designed to help organizations securely store, manage, and control access to privileged credentials. It aims to improve the security of sensitive data, reduce the risk of data breaches, and streamline the password management process.\n\nThis dashboard provides information about event types, actions, users, etc logs generated on Delinea Secret Server.\n\nFor more information, see the [Delinea Secret Server Documentation](https://docs.datadoghq.com/integrations/delinea_secret_server/).\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 5305890332396926, + "definition": { + "title": "Overview", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3961895112411296, + "definition": { + "title": "Total Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": 
"scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#79c3f1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 2459416900782314, + "definition": { + "title": "Logs over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 2855816957010212, + "definition": { + "title": "Logs by Country", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + 
"limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 1141112763987718, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "event", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 13 + } + }, + { + "id": 8260219722920580, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2458964067277048, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Delinea Secret Server logs to detect threats to your environment in real time. 
If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5944600844896658, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:critical" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 4934927495034684, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:high" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 
2 + } + }, + { + "id": 4519204376078334, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:medium" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 8899537730756232, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:medium" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 6476464200309384, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + 
"custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:low" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 501705106531496, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:info" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 4510222695013596, + "definition": { + "title": "Low Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server 
status:low" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 734446053116236, + "definition": { + "title": "Info Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server status:info" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 10 + } + }, + { + "id": 6084263381822056, + "definition": { + "title": "Secret Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2193826191201452, + "definition": { + "title": "Total Secrets Expiring Today", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "day", + "value": 1 + }, + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server 
service:delinea-secret-server @event_type:secret @action:expiredtoday $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3447528557041484, + "definition": { + "title": "Details of Secrets Expiring Today", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "day", + "value": 1 + }, + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:expiredtoday $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@folder_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 
1206025920651760, + "definition": { + "title": "Total Secrets Expiring in a Week", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "week", + "value": 1 + }, + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:expires07days $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5cba3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 3995754697305448, + "definition": { + "title": "Details of Secrets Expiring in a Week", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "week", + "value": 1 + }, + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:expires07days $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@folder_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 4 + } + }, + { + "id": 6939084088084102, + "definition": { + "title": "Total Secrets Expiring in a Month", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "week", + "value": 4 + }, + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:expires30days $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#79c3f1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 3241557406300816, + "definition": { + "title": "Details of Secrets Expiring in a Month", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "month", + "value": 1 + }, + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:expires30days $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@folder_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 8, + "width": 8, + "height": 4 + } + }, + { + "id": 4139713015149214, + "definition": { + "title": "Performed Operations over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:(create OR launch OR edit OR delete OR activate OR deactivate) $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + }, + { + "id": 
6399308631582942, + "definition": { + "title": "Top Users who Changed Secret Policy", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:secretpolicychange $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 5584611268921730, + "definition": { + "title": "Top Secrets with Password Change Max Attempts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:\"password change max attempts reached\" $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + 
"display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 1196713660410088, + "definition": { + "title": "Top Secrets with Max Password Change Failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:secretpasswordchangefailure $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 8200418346193608, + "definition": { + "title": "Top Secrets by Log Count", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + 
"order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 1454986909360076, + "definition": { + "title": "Top Folders by Log Count", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@folder_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 1687326049052024, + "definition": { + "title": "Secret Access Approvals vs Denials", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:(access_approved OR access_denied) $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], 
+ "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 20, + "width": 6, + "height": 4 + } + }, + { + "id": 284494298740066, + "definition": { + "title": "Top Secrets with permission changes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @is_permission_changed:true $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 5, + "height": 4 + } + }, + { + "id": 8268435558687120, + "definition": { + "title": "Details of Permission Changed Secrets", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @is_permission_changed:true $Event-Type $Action $User-Name", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + 
"field": "item_name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 5, + "y": 24, + "width": 7, + "height": 4 + } + }, + { + "id": 8328910282369990, + "definition": { + "title": "Top Users with Most Password Views", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:password_displayed $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 6396380272438244, + "definition": { + "title": "Top Secrets with Most Password Views", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:password_displayed $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 4544193936211412, + "definition": { + "title": "Top Users associated with Secrets Export", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:exportsecret $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 6573876139788192, + "definition": { + "title": "Details of Password Viewed Secrets", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:password_displayed $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@details", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 32, + "width": 6, + "height": 4 + } + }, + { + "id": 1352065552286888, + "definition": { + "title": "Top Secrets Exported", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:exportsecret $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 32, + "width": 3, + "height": 4 + } + }, + { + "id": 1876280866372430, + "definition": { + "title": "Top Folders which Secrets Exported", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:exportsecret $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@folder_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 32, + "width": 3, + "height": 4 + } + }, + { + "id": 20482886226734, + "definition": { + "title": "Secret Policy Change Logs over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:secret @action:secretpolicychange $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 36, + "width": 12, + "height": 4 + } + }, + { + "id": 8494026314361176, + "definition": { + "title": "Secret 
Policy Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:secretpolicy $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 40, + "width": 6, + "height": 4 + } + }, + { + "id": 8134259189709354, + "definition": { + "title": "Secret Template Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:secrettemplate $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 40, + "width": 6, + "height": 4 + } + }, + { + "id": 6834179261012088, + "definition": { + "title": "Secret Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:secret $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": 
"auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 44, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 49 + } + }, + { + "id": 3077472653806994, + "definition": { + "title": "Folder Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5687900831060734, + "definition": { + "title": "Total Folders Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 2907303148904478, + "definition": { + "title": "Folders Deleted over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Folders", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:delete $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 2887502479921514, + "definition": { + "title": "Total Folders Deleted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:delete $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 4, + "height": 2 + } + }, + { + "id": 1172056489388302, + "definition": { + "title": "Top Users associated with Deleted Folder", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:delete $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 4092036982926478, + "definition": { + "title": "Top Users who Changed Secret Policy", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:secretpolicychange $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 5973060066280814, + "definition": { + "title": "Top Users who Changed Folder Permissions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:editpermissions $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 8706321434043558, + "definition": { + "title": "Top Folders with Permission Changes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:folder @action:editpermissions $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 1747830232699832, + "definition": { + "title": "Folder Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:folder $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": 
"timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 8, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 75, + "width": 12, + "height": 13 + } + }, + { + "id": 8155533023510820, + "definition": { + "title": "Authentication Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8578531839808022, + "definition": { + "title": "Total Failed Logins", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:loginfailure $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 3067412237583234, + "definition": { + "title": "Failed Login Attempts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Failed Login Attempts", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": 
"logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:loginfailure $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 438322678628076, + "definition": { + "title": "Total Successful Logins", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:login $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 3 + } + }, + { + "id": 1695379881883524, + "definition": { + "title": "Users Login/Logout over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Users", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:(login OR logout) $Event-Type $Action $User-Name" + }, 
+ "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 3, + "width": 9, + "height": 3 + } + }, + { + "id": 8214502162159154, + "definition": { + "title": "Top Users with Failure Logins", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:loginfailure $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 4, + "height": 4 + } + }, + { + "id": 8442532310843810, + "definition": { + "title": "Top Failure Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:loginfailure $Event-Type $Action $User-Name" + }, + "indexes": [ + 
"*" + ], + "group_by": [ + { + "facet": "@details", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 6, + "width": 4, + "height": 4 + } + }, + { + "id": 2413168132459850, + "definition": { + "title": "Top Users with 2FA Failures", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:twofactorresetfailed $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 6, + "width": 4, + "height": 4 + } + }, + { + "id": 655798338129836, + "definition": { + "title": "Failed Login Attempts by IP", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server 
service:delinea-secret-server @event_type:user @action:loginfailure $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 4, + "height": 4 + } + }, + { + "id": 4848370553630324, + "definition": { + "title": "Failed Login Attempts by Country", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:loginfailure $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 4, + "y": 10, + "width": 8, + "height": 4 + } + }, + { + "id": 4721427784019530, + "definition": { + "title": "Authentication Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + 
"query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:(logout OR login OR passwordchange OR loginfailure OR \"two factor updated\" OR twofactorreset OR twofactorresetfailed) $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 88, + "width": 12, + "height": 19 + } + }, + { + "id": 2159635571186722, + "definition": { + "title": "User, Role and Group Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 925274725933258, + "definition": { + "title": "Users Created over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Users", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + 
"palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 1894274821035282, + "definition": { + "title": "Users Enabled/Disabled over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Users", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:user @action:(enable OR disable) $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 1599111416353004, + "definition": { + "title": "Role Permission Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:rolepermission $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@role", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 8430460231212584, + "definition": { + "title": "Role Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:role $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1869981894887408, + "definition": { + "title": "Group Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server 
@event_type:group $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 6711505436184366, + "definition": { + "title": "User Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:user -@action:(logout OR login OR passwordchange OR loginfailure OR \"two factor updated\" OR twofactorreset OR twofactorresetfailed) $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 107, + "width": 12, + "height": 17 + } + }, + { + "id": 4700846483618596, + "definition": { + "title": "IP Address Range Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8964293955868342, + "definition": { + "title": "Total IP Address Ranges Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + 
"formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 3997657330224220, + "definition": { + "title": "Total IP Address Ranges Updated", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange @action:update $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5cba3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 792760318320938, + "definition": { + "title": "Total IP Address Ranges Deleted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange @action:delete $Event-Type $Action $User-Name" + }, + 
"indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 679306716194568, + "definition": { + "title": "IP Address Range Operations by Action over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 4576567240853316, + "definition": { + "title": "IP Address Range Details by Group Assignment", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange @action:(\"group assign\" OR \"group unassign\") $Event-Type $Action 
$User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@details", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6246736859483464, + "definition": { + "title": "IP Address Range Details by User Assignment", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange @action:(\"user assign\" OR \"user unassign\") $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@item_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@details", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1346576795825844, + "definition": { + "title": "Top Users by IP Address Range Operations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 5, + "height": 4 + } + }, + { + "id": 6322819707744338, + "definition": { + "title": 
"IP Address Range Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:ipaddressrange $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot", + "sort": { + "column": "timestamp", + "order": "desc" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 5, + "y": 11, + "width": 7, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 124, + "width": 12, + "height": 16 + } + }, + { + "id": 2839947817274946, + "definition": { + "title": "Engine Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5749625241647658, + "definition": { + "title": "Total Engines Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + 
"y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 2398306949499388, + "definition": { + "title": "Total Online Engines", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine @action:online $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#79bff1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7244854573675546, + "definition": { + "title": "Total Activated Engines", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine @action:engineactivate $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#79c3f1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7133360085628712, + "definition": { + "title": "Total Engines Deleted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + 
"name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine @action:delete $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 7244064141018270, + "definition": { + "title": "Total Offline Engines", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine @action:offline $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 6360599220977394, + "definition": { + "title": "Total Deactivated Engines", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine @action:enginedeactivate $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + 
}, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 5958376419676860, + "definition": { + "title": "Top Users by Engine Operations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:engine $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 4, + "height": 4 + } + }, + { + "id": 716576575228416, + "definition": { + "title": "Engine Operations by Action over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:delinea-secret-server service:delinea-secret-server @event_type:engine $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 6, + "width": 8, + "height": 4 + } + }, + { + "id": 6973557930878168, + "definition": { + "title": "Engine Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:engine $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot", + "sort": { + "column": "timestamp", + "order": "desc" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 10, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 140, + "width": 12, + "height": 15 + } + }, + { + "id": 2571494508056898, + "definition": { + "title": "Site and Site Connector Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8648087611152196, + "definition": { + "title": "Total Sites Created", + "title_size": "16", + "title_align": "left", + "type": 
"query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:site @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 4297686310187220, + "definition": { + "title": "Total Sites Enabled", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:site @action:enable $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#79c3f1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 4678039965818804, + "definition": { + "title": "Total Sites Disabled", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:site @action:disable $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + 
], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f5a3a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 3164986791641490, + "definition": { + "title": "Site Configuration Change Logs over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:site @action:edit $Event-Type $User-Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 3763711068187292, + "definition": { + "title": "Site Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:site $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" 
+ }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 2333300505556330, + "definition": { + "title": "Site Connector Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:siteconnector $Event-Type $Action $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 155, + "width": 12, + "height": 12 + } + }, + { + "id": 1779504385339322, + "definition": { + "title": "Script Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2607251268133074, + "definition": { + "title": "Total Powershell Script Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptpowershell @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + 
} + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 6042117310593336, + "definition": { + "title": "Powershell Script Operations over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptpowershell $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 3496457606284702, + "definition": { + "title": "Top Users associated with Powershell Script Operations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptpowershell -@action:view $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 8735350916414792, + "definition": { + "title": "Powershell Script Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptpowershell $Event-Type $Action $User-Name", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 5, + "y": 3, + "width": 7, + "height": 4 + } + }, + { + "id": 2052389816597882, + "definition": { + "title": "Total SQL Script Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptsql @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", 
+ "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 5880143716205246, + "definition": { + "title": "SQL Script Operations over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptsql $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 3 + } + }, + { + "id": 2766229670610154, + "definition": { + "title": "Top Users associated with SQL Script Operations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptsql -@action:view $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 5, + "height": 4 + } + }, + { + "id": 8379759340095852, + "definition": { + "title": "SQL Script Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptsql $Event-Type $Action $User-Name", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 5, + "y": 10, + "width": 7, + "height": 4 + } + }, + { + "id": 6891209099459728, + "definition": { + "title": "Total SSH Script Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptssh @action:create $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } 
+ ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b5f5a3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 14, + "width": 4, + "height": 3 + } + }, + { + "id": 6819940602402370, + "definition": { + "title": "SSH Script Operations over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptssh $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 14, + "width": 8, + "height": 3 + } + }, + { + "id": 6900525902414294, + "definition": { + "title": "Top Users associated with SSH Script Operations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptssh -@action:view $Event-Type $Action $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { 
+ "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 17, + "width": 5, + "height": 4 + } + }, + { + "id": 1916840184122800, + "definition": { + "title": "SSH Script Audit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:delinea-secret-server service:delinea-secret-server @event_type:scriptssh $Event-Type $Action $User-Name", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "item_name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 5, + "y": 17, + "width": 7, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 167, + "width": 12, + "height": 22 + } + } + ], + "template_variables": [ + { + "name": "Event-Type", + "prefix": "@event_type", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@action", + "available_values": [], + "default": "*" + }, + { + "name": "User-Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
diff --git a/delinea_secret_server/assets/delinea_secret_server.svg b/delinea_secret_server/assets/delinea_secret_server.svg new file mode 100644 index 0000000000000..4fc4865799542 --- /dev/null +++ b/delinea_secret_server/assets/delinea_secret_server.svg @@ -0,0 +1,97 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/delinea_secret_server/assets/logs/delinea-secret-server.yaml b/delinea_secret_server/assets/logs/delinea-secret-server.yaml new file mode 100644 index 0000000000000..52ab96fa7344a --- /dev/null +++ b/delinea_secret_server/assets/logs/delinea-secret-server.yaml 
@@ -0,0 +1,413 @@ +id: delinea-secret-server +metric_id: delinea-secret-server +backend_only: false +facets: + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log +pipeline: + type: pipeline + name: Delinea Secret Server + enabled: true + filter: + query: source:delinea-secret-server + processors: + - type: grok-parser + name: Parsing the log of Delinea Secret Server + enabled: true + source: message + samples: + - "2025-02-27T10:00:27.461Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10004|SECRET - VIEW|2|msg=[[SecretServer]] Event: + [Secret] Action: [View] By User: admin Item name: Test SSH KeyTemplate + (Item Id: 9) Container name: admin (Container Id: 2) suid=2 + suser=admin cs4=admin cs4Label=suser Display Name src=10.10.10.10 + rt=Feb 27 2025 10:00:26 fname=Test SSH KeyTemplate fileType=Secret + fileId=9 cs3Label=Folder cs3=admin" + - "2025-02-25T07:19:03.058Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10140|GROUP - CREATE|2|msg=[[SecretServer]] Event: + [Group] Action: [Create] By User: admin Item name: Dev-Team (Item Id: + 5) suid=2 suser=admin 
cs4=admin cs4Label=suser Display Name + src=10.10.10.10 rt=Feb 25 2025 07:19:01" + - "2025-02-26T06:46:47.420Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|19|USER - PASSWORDCHANGE|2|msg=[[SecretServer]] + Event: [User] Action: [Password change] By User: john Item name: + john (Item Id: 4) suid=4 suser=john cs4=john cs4Label=suser + Display Name duser=john duid=4 fname=john fileType=User fileId=4 + src=10.10.10.10 rt=Feb 26 2025 06:46:37" + - "2025-02-25T07:00:33.005Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|15|CONFIGURATION - EDIT|2|msg=[[SecretServer]] + Event: [Configuration] Action: [Edit] By User: admin + Details: AuthenticateAgainstActiveDirectory: false to true; + EnableActiveDirectoryIntegration: false to true; + AllowActiveDirectorySynchronization: false to true; + EnableAutomaticADUserDisabling: false to true; + AutomaticADUserDisablingIntervalMonths: blank to 3; suid=2 suser=admin + cs4=admin cs4Label=suser Display Name src=10.10.10.10 rt=Feb 25 2025 + 07:00:26" + - '2025-02-27T12:28:37.382Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10052|SECRETPOLICY - EDIT|2|msg=[[SecretServer]] + Event: [Secret policy] Action: [Edit] By User: admin Item name: Test + (Item Id: 1) Details: Require check out changed (Setting: "Not Set" + to "Enforced", Value: "< Not Set >" to "Yes"), Event pipeline policy + changed (Setting: "Not Set" to "Enforced", Value: "" to "0"), Editors + also Require Approval changed (Value: "< Not Set >" to "No"), Owners + and Approvers also Require Approval changed (Value: "< Not Set >" to + "No"), Enable session recording changed (Setting: "Not Set" to + "Enforced", Value: "< Not Set >" to "Yes"), Run Launcher using SSH Key + changed (Setting: "Not Set" to "Enforced", Value: "< None >" to + "SecretId: 9") suid=2 suser=admin cs4=admin cs4Label=suser Display + Name src=10.10.10.10 rt=Feb 27 2025 12:28:31' + grok: + supportRules: >- + extract_data_till_pipe_delimited %{regex("[^|]*")} + + 
extract_key_value_pair %{data::keyvalue("=","\\]\\[{}\"\" :;,/!''\\(\\)*~#&$%^?+\\\\<>`")} + matchRules: > + delinea_secret_server_rule + %{extract_data_till_pipe_delimited}\|%{extract_data_till_pipe_delimited}\|%{extract_data_till_pipe_delimited:application_name}\|%{extract_data_till_pipe_delimited:application_version}\|%{extract_data_till_pipe_delimited:action_id}\|%{extract_data_till_pipe_delimited:event}\|%{integer:syslog.severity}\|%{extract_key_value_pair} + - type: grok-parser + name: Extract action from event + enabled: true + source: event + samples: + - SECRET - ACCESS_APPROVED + - System Log + - SECRET - PASSWORD CHANGE MAX ATTEMPTS REACHED + - SECRET - EXPIRES07DAYS + grok: + supportRules: parse_event_type %{regex("[A-Za-z0-9\\s_]*")} + matchRules: >- + extract_action %{word: event_type:lowercase} - %{parse_event_type: + action:lowercase} + + + exctract_event_type %{parse_event_type: event_type:lowercase} + - type: grok-parser + name: Parsing the `rt` attribute to convert it into milliseconds + enabled: true + source: rt + samples: + - Feb 26 2025 06:47:18 + grok: + supportRules: "" + matchRules: convert_to_millisecond %{date("MMM dd yyyy HH:mm:ss"):rt} + - type: date-remapper + name: Define `rt` as the official date of the log + enabled: true + sources: + - rt + - type: pipeline + name: Extract item details + enabled: true + filter: + query: "@event_type:(secretpolicy OR secrettemplate OR siteconnector OR + ipaddressrange OR group OR site OR engine OR user OR scriptpowershell + OR scriptsql OR scriptssh)" + processors: + - type: grok-parser + name: Extract item details from msg + enabled: true + source: msg + samples: + - '[[SecretServer]] Event: [Secret policy] Action: [Create] By User: + admin Item name: Test (Item Id: 1) Details: admin created secret + policy "Test".' 
+ - '[[SecretServer]] Event: [Secret policy] Action: [Edit] By User: + admin Item name: Test (Item Id: 1) Details: Require check out + changed (Setting: "Not Set" to "Enforced", Value: "< Not Set >" to + "Yes"), Event pipeline policy changed (Setting: "Not Set" to + "Enforced", Value: "" to "0"), Editors also Require Approval + changed (Value: "< Not Set >" to "No"), Owners and Approvers also + Require Approval changed (Value: "< Not Set >" to "No"), Enable + session recording changed (Setting: "Not Set" to "Enforced", + Value: "< Not Set >" to "Yes"), Run Launcher using SSH Key changed + (Setting: "Not Set" to "Enforced", Value: "< None >" to "SecretId: + 9")' + - "[[SecretServer]] Event: [Secret template] Action: [Create] By + User: admin Item name: Test for log creation (Item Id: 6054)" + - "[[SecretServer]] Event: [IP address range] Action: [Delete] By + User: admin Details: Test pipeline" + grok: + supportRules: skip_data %{regex(".*(?=\\])")}\] + matchRules: >- + extract_item_with_details %{regex(".*(?= Event)")} Event: + %{skip_data} Action: %{skip_data} By User: %{regex(".*(?= Item + name)")} Item name: %{regex(".*(?= \\(Item Id)"):item_name} \(Item + Id: %{integer:item_id}\)( Details:\s+%{data:details})? 
+ + + extract_details %{regex(".*(?= Event)")} Event: %{skip_data} Action: %{skip_data} By User: %{regex(".*(?= Details)")} Details:\s+%{data:details} + - type: pipeline + name: Extract container details + enabled: true + filter: + query: "@event_type:(secret OR folder)" + processors: + - type: grok-parser + name: Extract container details from msg + enabled: true + source: msg + samples: + - "[[SecretServer]] Event: [Secret] Action: [View] By User: admin + Item name: Test Secret (Item Id: 5) Container name: Windows + (Container Id: 4) Details: Account Name: administrator Account + Domain: test-dns.local" + - "[[SecretServer]] Event: [Secret] Action: [Edit] By User: admin + Item name: Test Secret (Item Id: 5) Container name: Windows + (Container Id: 4) Details: Settings: (Inherit Secret Policy) + Account Name: administrator Account Domain: test-dns.local" + - "[[SecretServer]] Event: [Secret] Action: [Edit] By User: admin + Item name: Test Secret (Item Id: 5) Container name: admin + (Container Id: 2) Details: John Peter (Granted View) + Account Name: admin" + - "[[SecretServer]] Event: [Secret] Action: [Password displayed] By + User: admin Item name: Test Secret (Item Id: 5) Details: Fields: + (Client Secret) Account Domain: test-dns.local" + grok: + supportRules: skip_data %{regex(".*(?=\\])")}\] + matchRules: >- + extract_account_details %{regex(".*(?= Event)")} Event: + %{skip_data} Action: %{skip_data} By User: %{regex(".*(?= Item)")} + Item name: %{regex(".*(?= \\(Item Id)"):item_name} \(Item Id: + %{integer:item_id}\)( Container name: %{regex(".*(?= + \\(Container)"):folder_name} \(Container Id: + %{integer:folder_id}\))? 
(Details:\s+%{regex(".*(?= Account + Name)"):details} Account Name: %{regex(".*(?= Account + Domain)"):account_name} Account Domain: + %{data:account_domain}|Details:\s+%{regex(".*(?= Account + Name)"):details} Account Name: + %{data:account_name}|Details:\s+%{regex(".*(?= Account + Domain)"):details} Account Domain: %{data:account_domain}) + + + extract_details %{regex(".*(?= Event)")} Event: %{skip_data} Action: %{skip_data} By User: %{regex(".*(?= Item)")} Item name: %{regex(".*(?= \\(Item Id)"):item_name} \(Item Id: %{integer:item_id}\)( Container name: %{regex(".*(?= \\(Container)"):folder_name} \(Container Id: %{integer:folder_id}\))?( Details:\s+%{data:details})? + - type: category-processor + name: Check the log for secret's permission changes + enabled: true + categories: + - filter: + query: "@event_type:secret @action:edit @details:(*Granted* OR *Revoked*)" + name: "true" + target: is_permission_changed + - type: attribute-remapper + name: Map `fname` to `item_name` + enabled: true + sources: + - fname + sourceType: attribute + target: item_name + targetType: attribute + preserveSource: false + overrideOnConflict: true + - type: attribute-remapper + name: Map `fileId` to `item_id` + enabled: true + sources: + - fileId + sourceType: attribute + target: item_id + targetType: attribute + preserveSource: false + overrideOnConflict: true + - type: attribute-remapper + name: Map `fileType` to `item_type` + enabled: true + sources: + - fileType + sourceType: attribute + target: item_type + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `src` to `network.client.ip` + enabled: true + sources: + - src + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs1` to `role` + enabled: true + sources: + - cs1 + sourceType: attribute + target: role + targetType: attribute + preserveSource: 
false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs2` to `group_or_user` + enabled: true + sources: + - cs2 + sourceType: attribute + target: group_or_user + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs3` to `folder_name` + enabled: true + sources: + - cs3 + sourceType: attribute + target: folder_name + targetType: attribute + preserveSource: false + overrideOnConflict: true + - type: attribute-remapper + name: Map `cs4` to `suser_display_name` + enabled: true + sources: + - cs4 + sourceType: attribute + target: suser_display_name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `suser` to `usr.name` + enabled: true + sources: + - suser + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `suid` to `usr.id` + enabled: true + sources: + - suid + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs1Label` to `attributeLabels.cs1Label` + enabled: true + sources: + - cs1Label + sourceType: attribute + target: attributeLabels.cs1Label + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs2Label` to `attributeLabels.cs2Label` + enabled: true + sources: + - cs2Label + sourceType: attribute + target: attributeLabels.cs2Label + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs3Label` to `attributeLabels.cs3Label` + enabled: true + sources: + - cs3Label + sourceType: attribute + target: attributeLabels.cs3Label + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `cs4Label` to `attributeLabels.cs4Label` 
+ enabled: true + sources: + - cs4Label + sourceType: attribute + target: attributeLabels.cs4Label + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: message-remapper + name: Define `msg` as the official message of the log + enabled: true + sources: + - msg + - type: category-processor + name: Categorize severity + enabled: true + categories: + - filter: + query: "@syslog.severity:[0 TO 3]" + name: info + - filter: + query: "@syslog.severity:[4 TO 6]" + name: notice + - filter: + query: "@syslog.severity:[7 TO 8]" + name: warning + - filter: + query: "@syslog.severity:[9 TO 10]" + name: critical + target: severity + - type: status-remapper + name: Define `severity` as the official status of the log + enabled: true + sources: + - severity + - type: geo-ip-parser + name: GeoIP Parser for `network.client.ip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing diff --git a/delinea_secret_server/assets/logs/delinea-secret-server_tests.yaml b/delinea_secret_server/assets/logs/delinea-secret-server_tests.yaml new file mode 100644 index 0000000000000..76b52b22d10f6 --- /dev/null +++ b/delinea_secret_server/assets/logs/delinea-secret-server_tests.yaml 
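Review bot: The `date-remapper` takes the log's official time from the parsed `rt` attribute (`Feb 26 2025 06:47:18`), which carries no timezone, while the RFC 3339 timestamp at the front of the CEF header (`2025-02-27T10:00:27.461Z`) is thrown away by the first unnamed `%{extract_data_till_pipe_delimited}` capture in `delinea_secret_server_rule`. The tests file in this PR pins `rt=Feb 26 2025 06:47:18` to `1740552438000`, i.e. the value is interpreted as UTC; that holds for these samples (the header shows `06:47:27.458Z`), but a Secret Server whose `rt` is rendered in local time would shift every audit event by its UTC offset, which matters when these logs are correlated with other sources during an investigation. Consider capturing the leading header timestamp with a `date(...)` filter before the first `\|` and listing it ahead of `rt` in the remapper's `sources`, or at least documenting the UTC assumption in the `Parsing the `rt` attribute` processor's `name`. Separately, the dashboard added in this PR groups by `@event_type` and `@action` and exposes them as template variables, but the `facets:` list declares only the geoip fields, `network.client.ip`, `usr.id` and `usr.name`; if those group-bys depend on declared facets, `event_type` and `action` belong in this list.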
@@ -0,0 +1,491 @@ +id: delinea-secret-server +tests: + - sample: "2025-02-26T06:47:27.458Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10005|SECRET - EDIT|2|msg=[[SecretServer]] Event: + [Secret] Action: [Edit] By User: admin Item name: Win-DDS-DNA (Item Id: 3) + Container name: Windows (Container Id: 4) Details: Settings: (Inherit + Secret Policy) Account Name: administrator Account Domain: + dds-dns.local suid=2 suser=admin cs4=admin cs4Label=suser Display Name + src=171.22.240.116 rt=Feb 26 2025 06:47:18 fname=Win-DDS-DNA + fileType=Secret fileId=3 cs3Label=Folder cs3=Windows" + result: + custom: + account_domain: "dds-dns.local" + account_name: "administrator" + action: "edit" + action_id: "10005" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs3Label: "Folder" + cs4Label: "suser Display Name" + details: "Settings: (Inherit Secret Policy)" + event: "SECRET - EDIT" + event_type: "secret" + folder_id: 4 + folder_name: "Windows" + item_id: 3 + item_name: "Win-DDS-DNA" + item_type: "Secret" + network: + client: + geoip: {} + ip: "171.22.240.116" + rt: 1740552438000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Secret] Action: [Edit] By User: admin Item name: Win-DDS-DNA (Item Id: 3) Container name: Windows (Container Id: 4) Details: Settings: (Inherit Secret Policy) Account Name: administrator Account Domain: dds-dns.local" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740552438000 + - sample: "2025-02-25T06:22:22.992Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10006|SECRET - LAUNCH|2|msg=[[SecretServer]] Event: + [Secret] Action: [Launch] By User: admin Item name: Win-DDS-DNA (Item Id: + 3) Container name: Windows (Container Id: 4) Details: Remote Desktop - + 198.20.21.10 Host: [10.20.10.20] Username: [administrator] Account Name: + administrator Account Domain: dds-dns.local 
suid=2 suser=admin cs4=admin + cs4Label=suser Display Name src=174.20.20.220 rt=Feb 25 2025 06:22:20 + fname=Win-DDS-DNA fileType=Secret fileId=3 cs3Label=Folder cs3=Windows" + result: + custom: + account_domain: "dds-dns.local" + account_name: "administrator" + action: "launch" + action_id: "10006" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs3Label: "Folder" + cs4Label: "suser Display Name" + details: "Remote Desktop - 198.20.21.10 Host: [10.20.10.20] Username: [administrator]" + event: "SECRET - LAUNCH" + event_type: "secret" + folder_id: 4 + folder_name: "Windows" + item_id: 3 + item_name: "Win-DDS-DNA" + item_type: "Secret" + network: + client: + geoip: {} + ip: "174.20.20.220" + rt: 1740464540000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Secret] Action: [Launch] By User: admin Item name: Win-DDS-DNA (Item Id: 3) Container name: Windows (Container Id: 4) Details: Remote Desktop - 198.20.21.10 Host: [10.20.10.20] Username: [administrator] Account Name: administrator Account Domain: dds-dns.local" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740464540000 + - sample: "2025-02-25T07:19:03.058Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10140|GROUP - CREATE|2|msg=[[SecretServer]] Event: + [Group] Action: [Create] By User: admin Item name: Dev-Team (Item Id: + 5) suid=2 suser=admin cs4=admin cs4Label=suser Display Name + src=198.20.21.10 rt=Feb 25 2025 07:19:01" + result: + custom: + action: "create" + action_id: "10140" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + event: "GROUP - CREATE" + event_type: "group" + item_id: 5 + item_name: "Dev-Team" + network: + client: + geoip: {} + ip: "198.20.21.10" + rt: 1740467941000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 
2 + name: "admin" + message: "[[SecretServer]] Event: [Group] Action: [Create] By User: admin Item name: Dev-Team (Item Id: 5)" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740467941000 + - sample: "2025-03-06T10:33:17.456Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|7|FOLDER - CREATE|2|msg=[[SecretServer]] Event: + [Folder] Action: [Create] By User: admin Item name: Test sub folder (Item + Id: 11) Container name: Test Logs (Container Id: 10) suid=2 suser=admin + cs4=admin cs4Label=suser Display Name src=171.20.12.170 rt=Mar 06 2025 + 10:33:13 fname=Test sub folder fileType=Folder fileId=11" + result: + custom: + action: "create" + action_id: "7" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + event: "FOLDER - CREATE" + event_type: "folder" + folder_id: 10 + folder_name: "Test Logs" + item_id: 11 + item_name: "Test sub folder" + item_type: "Folder" + network: + client: + geoip: {} + ip: "171.20.12.170" + rt: 1741257193000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Folder] Action: [Create] By User: admin Item name: Test sub folder (Item Id: 11) Container name: Test Logs (Container Id: 10)" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1741257193000 + - sample: "2025-02-25T06:31:43.116Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10|ROLE - ASSIGNUSERORGROUP|2|msg=[[SecretServer]] + Event: [Role] Action: [Assign user or group] By User: admin Item name: + User (Item Id: 3) Container name: john (Container Id: 3) suid=2 + suser=admin cs4=admin cs4Label=suser Display Name fname=User fileType=Role + fileId=3 cs2Label=Group or User cs2=john src=172.22.1.221 rt=Feb 25 + 2025 06:31:41" + result: + custom: + action: "assignuserorgroup" + action_id: "10" + application_name: "Secret Server" + application_version: "11.7.000061" + 
attributeLabels: + cs2Label: "Group or User" + cs4Label: "suser Display Name" + event: "ROLE - ASSIGNUSERORGROUP" + event_type: "role" + group_or_user: "john" + item_id: 3 + item_name: "User" + item_type: "Role" + network: + client: + geoip: {} + ip: "172.22.1.221" + rt: 1740465101000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Role] Action: [Assign user or group] By User: admin Item name: User (Item Id: 3) Container name: john (Container Id: 3)" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740465101000 + - sample: "2025-02-25T07:00:33.005Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|15|CONFIGURATION - EDIT|2|msg=[[SecretServer]] Event: + [Configuration] Action: [Edit] By User: admin + Details: AuthenticateAgainstActiveDirectory: false to true; + EnableActiveDirectoryIntegration: false to true; + AllowActiveDirectorySynchronization: false to true; + EnableAutomaticADUserDisabling: false to true; + AutomaticADUserDisablingIntervalMonths: blank to 3; suid=2 suser=admin + cs4=admin cs4Label=suser Display Name src=172.22.1.223 rt=Feb 25 2025 + 07:00:26" + result: + custom: + action: "edit" + action_id: "15" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + event: "CONFIGURATION - EDIT" + event_type: "configuration" + network: + client: + geoip: {} + ip: "172.22.1.223" + rt: 1740466826000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Configuration] Action: [Edit] By User: admin Details: AuthenticateAgainstActiveDirectory: false to true; EnableActiveDirectoryIntegration: false to true; AllowActiveDirectorySynchronization: false to true; EnableAutomaticADUserDisabling: false to true; AutomaticADUserDisablingIntervalMonths: blank to 3;" + status: "info" + tags: + - 
"source:LOGS_SOURCE" + timestamp: 1740466826000 + - sample: "2025-02-26T06:36:17.395Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10145|DOMAIN - SYNCHRONIZE|2|msg=[[SecretServer]] + Event: [Domain] Action: [Synchronize] By User: ThycoticSystem + Details: Active Directory sync initiated suid=1 suser=ThycoticSystem + cs4=ThycoticSystem cs4Label=suser Display Name rt=Feb 26 2025 06:36:16" + result: + custom: + action: "synchronize" + action_id: "10145" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + event: "DOMAIN - SYNCHRONIZE" + event_type: "domain" + rt: 1740551776000 + severity: "info" + suser_display_name: "ThycoticSystem" + syslog: + severity: 2 + usr: + id: 1 + name: "ThycoticSystem" + message: "[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory sync initiated" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740551776000 + - sample: "2025-02-25T08:57:23.004Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10090|SITECONNECTOR - + CREDENTIALVIEW|2|msg=[[SecretServer]] Event: [Site connector] Action: + [Credential view] By User: admin Item name: Default MemoryMq Service (Item + Id: 1) suid=2 suser=admin cs4=admin cs4Label=suser Display Name + src=171.22.1.229 rt=Feb 25 2025 08:57:14" + result: + custom: + action: "credentialview" + action_id: "10090" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + event: "SITECONNECTOR - CREDENTIALVIEW" + event_type: "siteconnector" + item_id: 1 + item_name: "Default MemoryMq Service" + network: + client: + geoip: {} + ip: "171.22.1.229" + rt: 1740473834000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Site connector] Action: [Credential view] By User: admin Item name: Default MemoryMq 
Service (Item Id: 1)" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740473834000 + - sample: '2025-02-27T12:27:17.553Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10051|SECRETPOLICY - CREATE|2|msg=[[SecretServer]] + Event: [Secret policy] Action: [Create] By User: admin Item name: Test + (Item Id: 1) Details: admin created secret policy "Test". suid=2 + suser=admin cs4=admin cs4Label=suser Display Name src=10.20.10.20 + rt=Feb 27 2025 12:27:13' + result: + custom: + action: "create" + action_id: "10051" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + details: "admin created secret policy \"Test\"." + event: "SECRETPOLICY - CREATE" + event_type: "secretpolicy" + item_id: 1 + item_name: "Test" + network: + client: + geoip: {} + ip: "10.20.10.20" + rt: 1740659233000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Secret policy] Action: [Create] By User: admin Item name: Test (Item Id: 1) Details: admin created secret policy \"Test\"." 
+ status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740659233000 + - sample: "2025-03-06T09:09:57.532Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10021|SECRETTEMPLATE - CREATE|2|msg=[[SecretServer]] + Event: [Secret template] Action: [Create] By User: admin Item name: Test + for log creation (Item Id: 6054) suid=2 suser=admin cs4=admin + cs4Label=suser Display Name src=170.29.1.179 rt=Mar 06 2025 09:09:52" + result: + custom: + action: "create" + action_id: "10021" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + event: "SECRETTEMPLATE - CREATE" + event_type: "secrettemplate" + item_id: 6054 + item_name: "Test for log creation" + network: + client: + geoip: {} + ip: "170.29.1.179" + rt: 1741252192000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Secret template] Action: [Create] By User: admin Item name: Test for log creation (Item Id: 6054)" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1741252192000 + - sample: "2025-03-06T11:09:47.383Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10111|IPADDRESSRANGE - DELETE|2|msg=[[SecretServer]] + Event: [IP address range] Action: [Delete] By User: admin Details: Test + Log suid=2 suser=admin cs4=admin cs4Label=suser Display Name + src=171.21.1.178 rt=Mar 06 2025 11:09:41" + result: + custom: + action: "delete" + action_id: "10111" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + details: "Test Log" + event: "IPADDRESSRANGE - DELETE" + event_type: "ipaddressrange" + network: + client: + geoip: {} + ip: "171.21.1.178" + rt: 1741259381000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [IP address range] Action: [Delete] By User: 
admin Details: Test Log" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1741259381000 + - sample: "2025-02-26T05:37:07.847Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|500|System Log|7|msg=Archive/Delete Permission check + returned error message: Folder Path does not exist. rt=Feb 26 2025 + 05:37:07" + result: + custom: + action_id: "500" + application_name: "Secret Server" + application_version: "11.7.000061" + event: "System Log" + event_type: "system log" + rt: 1740548227000 + severity: "warning" + syslog: + severity: 7 + message: "Archive/Delete Permission check returned error message: Folder Path does not exist." + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740548227000 + - sample: "2025-03-06T13:13:07.456Z DSS-01 CEF:0|Thycotic Software|Secret + Server|11.7.000061|10074|SITE - EDIT|2|msg=[[SecretServer]] Event: [Site] + Action: [Edit] By User: admin Details: InitializationVector: blank to + [156, 20, 239, 201, 144, 126, 197, 35, 17, 69, 223, 83, 217, 214, 208, + 251]; suid=2 suser=admin cs4=admin cs4Label=suser Display Name + src=198.20.21.113 rt=Mar 06 2025 13:12:58" + result: + custom: + action: "edit" + action_id: "10074" + application_name: "Secret Server" + application_version: "11.7.000061" + attributeLabels: + cs4Label: "suser Display Name" + details: "InitializationVector: blank to [156, 20, 239, 201, 144, 126, 197, 35, 17, 69, 223, 83, 217, 214, 208, 251];" + event: "SITE - EDIT" + event_type: "site" + network: + client: + geoip: {} + ip: "198.20.21.113" + rt: 1741266778000 + severity: "info" + suser_display_name: "admin" + syslog: + severity: 2 + usr: + id: 2 + name: "admin" + message: "[[SecretServer]] Event: [Site] Action: [Edit] By User: admin Details: InitializationVector: blank to [156, 20, 239, 201, 144, 126, 197, 35, 17, 69, 223, 83, 217, 214, 208, 251];" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1741266778000 + - sample: "2025-03-12T16:25:27.393Z de CEF:0|Thycotic 
Software|Secret
+ Server|11.7.000061|10083|ENGINE - ENGINEACTIVATE|2|msg=[[SecretServer]]
+ Event: [Engine] Action: [Engine activated] By User: admin Details: Engine
+ [de.dds-dns.local] has been activated suid=2 suser=admin cs4=admin
+ cs4Label=suser Display Name src=10.10.128.10 rt=Mar 12 2025 16:25:18"
+ result:
+ custom:
+ action: "engineactivate"
+ action_id: "10083"
+ application_name: "Secret Server"
+ application_version: "11.7.000061"
+ attributeLabels:
+ cs4Label: "suser Display Name"
+ details: "Engine [de.dds-dns.local] has been activated"
+ event: "ENGINE - ENGINEACTIVATE"
+ event_type: "engine"
+ network:
+ client:
+ geoip: {}
+ ip: "10.10.128.10"
+ rt: 1741796718000
+ severity: "info"
+ suser_display_name: "admin"
+ syslog:
+ severity: 2
+ usr:
+ id: 2
+ name: "admin"
+ message: "[[SecretServer]] Event: [Engine] Action: [Engine activated] By User: admin Details: Engine [de.dds-dns.local] has been activated"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1741796718000
\ No newline at end of file
diff --git a/delinea_secret_server/changelog.d/19857.added b/delinea_secret_server/changelog.d/19857.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/delinea_secret_server/changelog.d/19857.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
diff --git a/delinea_secret_server/datadog_checks/__init__.py b/delinea_secret_server/datadog_checks/__init__.py
new file mode 100644
index 0000000000000..a77b3f5ff63ac
--- /dev/null
+++ b/delinea_secret_server/datadog_checks/__init__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore
diff --git a/delinea_secret_server/datadog_checks/delinea_secret_server/__about__.py b/delinea_secret_server/datadog_checks/delinea_secret_server/__about__.py
new file mode 100644
index 0000000000000..1bde5986a04b2
--- /dev/null
+++ b/delinea_secret_server/datadog_checks/delinea_secret_server/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/delinea_secret_server/datadog_checks/delinea_secret_server/__init__.py b/delinea_secret_server/datadog_checks/delinea_secret_server/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/delinea_secret_server/datadog_checks/delinea_secret_server/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/delinea_secret_server/datadog_checks/delinea_secret_server/data/conf.yaml.example b/delinea_secret_server/datadog_checks/delinea_secret_server/data/conf.yaml.example
new file mode 100644
index 0000000000000..270f227b55e26
--- /dev/null
+++ b/delinea_secret_server/datadog_checks/delinea_secret_server/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: tcp/udp
+# port:
+# source: delinea-secret-server
+# service: delinea-secret-server
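Review bot: The commented example at the end of the conf.yaml.example hunk reads `# - type: tcp/udp`, which is not one of the values the header comment itself lists (`tcp / udp / file / windows_event`), so a user who uncomments the block verbatim presumably gets a listener the Agent will not accept. The `juniper_srx_firewall` spec in this same commit commits to one transport (`type: udp`); this file should do the same, e.g. `# - type: udp  # or tcp`. The `port` line also appears to have no value here — if that is a placeholder lost in rendering, disregard this part. Since the source is a secrets vault's audit trail, a one-line comment that plain tcp/udp syslog carries no authentication or transport protection, so the listener should only be reachable from the Secret Server host, would help operators choose the binding sensibly.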
diff --git a/delinea_secret_server/images/delinea_secret_server_overview_1.png b/delinea_secret_server/images/delinea_secret_server_overview_1.png
new file mode 100644
index 0000000000000..edb7a6a0cc8e9
Binary files /dev/null and b/delinea_secret_server/images/delinea_secret_server_overview_1.png differ
diff --git a/delinea_secret_server/images/delinea_secret_server_overview_2.png b/delinea_secret_server/images/delinea_secret_server_overview_2.png
new file mode 100644
index 0000000000000..f08fa93d93a8c
Binary files /dev/null and b/delinea_secret_server/images/delinea_secret_server_overview_2.png differ
diff --git a/delinea_secret_server/images/delinea_secret_server_overview_3.png b/delinea_secret_server/images/delinea_secret_server_overview_3.png
new file mode 100644
index 0000000000000..a2143f128dd5a
Binary files /dev/null and b/delinea_secret_server/images/delinea_secret_server_overview_3.png differ
diff --git a/delinea_secret_server/images/delinea_secret_server_overview_4.png b/delinea_secret_server/images/delinea_secret_server_overview_4.png
new file mode 100644
index 0000000000000..b1dac667f38d6
Binary files /dev/null and b/delinea_secret_server/images/delinea_secret_server_overview_4.png differ
diff --git a/delinea_secret_server/manifest.json b/delinea_secret_server/manifest.json
new file mode 100644
index 0000000000000..80f83721a3cb4
--- /dev/null
+++ b/delinea_secret_server/manifest.json
@@ -0,0 +1,69 @@
+ {
+ "manifest_version": "2.0.0",
+ "app_uuid": "69a8e7df-7ed3-451c-948b-43303a5219e3",
+ "app_id": "delinea-secret-server",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into Delinea Secret Server logs.",
+ "title": "Delinea Secret Server",
+ "media": [
+ {
+ "caption": "Delinea Secret Server - Overview 1",
+ "image_url": "images/delinea_secret_server_overview_1.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Delinea Secret Server - Overview 2",
+ "image_url": "images/delinea_secret_server_overview_2.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Delinea Secret Server - Overview 3",
+ "image_url": "images/delinea_secret_server_overview_3.png",
+ "media_type": "image"
+ },{
+ "caption": "Delinea Secret Server - Overview 4",
+ "image_url": "images/delinea_secret_server_overview_4.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Log Collection",
+ "Category::Security",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 41132309,
+ "source_type_name": "Delinea Secret Server",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "Delinea Secret Server - Overview": "assets/dashboards/delinea_secret_server_overview.json"
+ },
+ "logs": {
+ "source": "delinea-secret-server"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
diff --git a/delinea_secret_server/pyproject.toml b/delinea_secret_server/pyproject.toml
new file mode 100644
index 0000000000000..217bedd1b61cd
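Review bot: The fourth `media` entry in the manifest hunk is opened on the same line that closes the third (`},{`), while the other three entries each start on a line of their own; split it into `},` followed by `{` on the next line so the array is uniformly formatted and future additions diff as one entry. The `logs.source` value `delinea-secret-server` matches the `source` used in the conf.yaml.example elsewhere in this commit, which is what the pipeline routing depends on, so no change is needed there.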
--- /dev/null
+++ b/delinea_secret_server/pyproject.toml
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-delinea-secret-server"
+description = "The delinea-secret-server check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "delinea_secret_server",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.11",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/delinea_secret_server/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/delinea_secret_server",
+]
+dev-mode-dirs = [
+ ".",
+]
diff --git a/ecs_fargate/README.md b/ecs_fargate/README.md
index d8bc177ae4d05..9fad251cfe5e9 100644
--- a/ecs_fargate/README.md
+++ b/ecs_fargate/README.md
@@ -146,6 +146,89 @@ Lastly, include your other application containers within the `ContainerDefinitio For more information on CloudFormation templating and syntax, see the [AWS CloudFormation task definition documentation][43]. + + + +##### Datadog CDK Task Definition + +You can use the [Datadog CDK Constructs][72] to configure your ECS Fargate task definition. Use the `DatadogECSFargate` construct to instrument your containers for desired Datadog features. This is supported in TypeScript, JavaScript, Python, and Go. + + + +```typescript +const ecsDatadog = new DatadogECSFargate({ + apiKey: + site: +}); +``` + +Then, define your task definition using [`FargateTaskDefinitionProps`][65]. + +```typescript +const fargateTaskDefinition = ecsDatadog.fargateTaskDefinition( + this, + , + +); +``` + +Lastly, include your other application containers by adding your [`ContainerDefinitionOptions`][66]. + +```typescript +fargateTaskDefinition.addContainer(, ); +``` + +For more information on the `DatadogECSFargate` construct instrumentation and syntax, see the [Datadog ECS Fargate CDK documentation][67]. + + + + +##### Datadog Terraform Task Definition + +You can use the [Datadog ECS Fargate Terraform module][71] to configure your containers for Datadog. This Terraform module wraps the [`aws_ecs_task_definition`][68] resource and automatically instruments your task definition for Datadog. Pass your input arguments into the Datadog ECS Fargate Terraform module in a similiar manner as to the `aws_ecs_task_definition`. Make sure to include your task `family` and `container_definitions`. 
+ + + +```hcl +module "ecs_fargate_task" { + source = "https://registry.terraform.io/modules/DataDog/ecs-datadog/aws/latest" + version = "1.0.0" + + # Configure Datadog + dd_api_key = + dd_site = + dd_dogstatsd = { + enabled = true, + } + dd_apm = { + enabled = true, + } + + # Configure Task Definition + family = + container_definitions = + cpu = 256 + memory = 512 + network_mode = "awsvpc" + requires_compatibilities = ["FARGATE"] +} +``` + +Lastly, include your other application containers within the `ContainerDefinitions` and deploy through Terraform. + +For more information on the Terraform module, see the [Datadog ECS Fargate Terraform documentation][43]. 
@@ -223,6 +306,41 @@ For more information on CloudFormation templating and syntax, see the [AWS Cloud + +##### AWS CDK Replica Service + +In the CDK code you can reference the `fargateTaskDefinition` resource created in the previous example into the `FargateService` resource being created. After this, specify your `Cluster`, `DesiredCount`, and any other parameters necessary for your application in your replica service. + +```typescript +const service = new ecs.FargateService(this, , { + , + fargateTaskDefinition, + desiredCount: 1 +}); +``` + +For more information on the CDK ECS service construct and syntax, see the [AWS CDK ECS Service documentation][69]. + + + + +##### AWS Terraform Replica Service + +In the Terraform code you can reference the `aws_ecs_task_definition` resource created in the previous example within the `aws_ecs_service` resource being created. Then, specify your `Cluster`, `DesiredCount`, and any other parameters necessary for your application in your replica service. + +```hcl +resource "aws_ecs_service" { + name = + cluster = + task_definition = module.ecs_fargate_task.arn + desired_count = 1 +} +``` + +For more information on the Terraform ECS service module and syntax, see the [AWS Terraform ECS service documentation][70]. + + + To provide your Datadog API key as a secret, see [Using secrets](#using-secrets). 
@@ -894,6 +1012,51 @@ partial --> For more information on CloudFormation templating and syntax, see the [AWS CloudFormation documentation][43]. + + + +##### Datadog ECS Fargate CDK Construct + +To enable logging through the [Datadog ECS Fargate CDK][67] construct, configure the `logCollection` property as seen below: + +```typescript +const ecsDatadog = new DatadogECSFargate({ + apiKey: , + site: , + logCollection: { + isEnabled: true, + } +}); +``` + + + + +##### Datadog ECS Fargate Terraform Module + +To enable logging through the [Datadog ECS Fargate Terraform][71] module, configure the `dd_log_collection` input argument as seen below: + +```hcl +module "ecs_fargate_task" { + source = "https://registry.terraform.io/modules/DataDog/ecs-datadog/aws/latest" + version = "1.0.0" + + # Configure Datadog + dd_api_key = + dd_site = + dd_log_collection = { + enabled = true, + } + + # Configure Task Definition + family = + container_definitions = + cpu = 256 + memory = 512 + network_mode = "awsvpc" + requires_compatibilities = ["FARGATE"] +} +``` @@ -1018,6 +1181,7 @@ Need help? Contact [Datadog support][18]. - Blog post: [Monitor AWS Fargate for Windows containerized apps][40] - Blog post: [Monitor processes running on AWS Fargate with Datadog][58] - Blog post: [Monitor AWS Batch on Fargate with Datadog][63] +- Documentation: [Trace API Gateway when proxying requests to ECS Fargate][73] [1]: http://docs.datadoghq.com/integrations/eks_fargate [2]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint.html 
@@ -1083,3 +1247,12 @@ Need help? Contact [Datadog support][18].
 [62]: https://docs.datadoghq.com/containers/guide/aws-batch-ecs-fargate
 [63]: https://www.datadoghq.com/blog/monitor-aws-batch-on-fargate/
 [64]: https://docs.datadoghq.com/getting_started/tagging/unified_service_tagging/?tab=ecs#full-configuration
+[65]: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html
+[66]: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionOptions.html
+[67]: https://github.com/DataDog/datadog-cdk-constructs/blob/main/src/ecs/fargate/README.md
+[68]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition
+[69]: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html
+[70]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service
+[71]: https://registry.terraform.io/modules/DataDog/ecs-datadog/aws/latest
+[72]: https://github.com/datadog/datadog-cdk-constructs/
+[73]: https://docs.datadoghq.com/tracing/trace_collection/proxy_setup/apigateway
diff --git a/eks_fargate/README.md b/eks_fargate/README.md
index f4114ad996f96..9411d952843c6 100644
--- a/eks_fargate/README.md
+++ b/eks_fargate/README.md
@@ -927,6 +927,7 @@ Additional helpful documentation, links, and articles:
 - [Key metrics for monitoring AWS Fargate][32]
 - [How to collect metrics and logs from AWS Fargate workloads][27]
 - [AWS Fargate monitoring with Datadog][28]
+- [Trace API Gateway when proxying requests to ECS Fargate][37]
 [1]: http://docs.datadoghq.com/integrations/ecs_fargate/
 [2]: http://docs.datadoghq.com/integrations/amazon_eks/
@@ -964,3 +965,4 @@ Additional helpful documentation, links, and articles:
 [34]: https://docs.datadoghq.com/containers/guide/clustercheckrunners
 [35]: http://docs.datadoghq.com/agent/cluster_agent
 [36]: https://docs.datadoghq.com/containers/cluster_agent/admission_controller/?tab=operator
+[37]: https://docs.datadoghq.com/tracing/trace_collection/proxy_setup/apigateway
diff --git a/foundationdb/CHANGELOG.md b/foundationdb/CHANGELOG.md
index 7e0a832b25089..83c99de9a58cd 100644
--- a/foundationdb/CHANGELOG.md
+++ b/foundationdb/CHANGELOG.md
@@ -8,7 +8,7 @@
 * Honor `tags` instance configuration in FoundationDB integration ([#19771](https://github.com/DataDog/integrations-core/pull/19771))
-## 3.2.0 / 2025-03-19
+## 3.2.0 / 2025-03-19 / Agent 7.65.0
 ***Added***:
diff --git a/http_check/CHANGELOG.md b/http_check/CHANGELOG.md
index 3e805f96487b0..4700fdbe53b29 100644
--- a/http_check/CHANGELOG.md
+++ b/http_check/CHANGELOG.md
@@ -9,7 +9,7 @@
 * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962))
 * Add defaults for `days_critical` and `days_warning` config options ([#20062](https://github.com/DataDog/integrations-core/pull/20062))
-## 11.2.0 / 2025-03-19
+## 11.2.0 / 2025-03-19 / Agent 7.65.0
 ***Added***:
diff --git a/infiniband/CHANGELOG.md b/infiniband/CHANGELOG.md
index 43b930e731753..f391b86020d9a 100644
--- a/infiniband/CHANGELOG.md
+++ b/infiniband/CHANGELOG.md
@@ -8,7 +8,7 @@
 * Add state and phys_state metrics ([#20070](https://github.com/DataDog/integrations-core/pull/20070))
-## 1.0.0 / 2025-03-19
+## 1.0.0 / 2025-03-19 / Agent 7.65.0
 ***Added***:
diff --git a/juniper_srx_firewall/CHANGELOG.md b/juniper_srx_firewall/CHANGELOG.md
new file mode 100644
index 0000000000000..6bc2f030b5b26
--- /dev/null
+++ b/juniper_srx_firewall/CHANGELOG.md
@@ -0,0 +1,4 @@
+# CHANGELOG - juniper_srx_firewall
+
+
+
diff --git a/juniper_srx_firewall/README.md b/juniper_srx_firewall/README.md
new file mode 100644
index 0000000000000..f8ada08b8294f
--- /dev/null +++ b/juniper_srx_firewall/README.md 
@@ -0,0 +1,168 @@ +## Overview + +[Juniper SRX Firewall][3] secures your network edge, data center, and cloud applications by detecting and mitigating intrusions, malware, and other threats. + +This integration parses the following log types: + +- **Session Logs**: Track network traffic and session activities, including initiated and denied sessions, application-related traffic, and dropped packets. +- **Security Logs**: Monitor security events such as malware detections, intrusion attempts, DoS attacks, and content filtering activities. +- **Authentication Logs**: Capture authentication activities, including successful and failed login attempts. + +Get detailed visibility into these logs with out-of-the-box dashboards, and strengthen security with prebuilt Cloud SIEM detection rules for proactive threat monitoring and response. + +## Setup + +### Installation + +To install the Juniper SRX Firewall integration, run the following Agent installation command in your terminal. For more information, see the [Integration Management][4] documentation. + +**Note**: This step is not necessary for Agent version >= 7.64.0. + +```shell +sudo -u dd-agent -- datadog-agent integration install datadog-juniper_srx_firewall==1.0.0 +``` + +### Configuration + +#### Configure log collection + +1. Log collection is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`: + + ```yaml + logs_enabled: true + ``` + +2. Add the following configuration block to your `juniper_srx_firewall.d/conf.yaml` file to start collecting logs. See the [sample `conf.yaml`][6] for available configuration options. + + ```yaml + logs: + - type: udp + port: + source: juniper-srx-firewall + service: juniper-srx-firewall + ``` + + **Note**: + + - `PORT`: Specify the UDP port that Datadog will listen on (default: 514). + - Do not change the `service` and `source` values, as they are integral to proper log pipeline processing. + +3. [Restart the Agent][2]. 
+ +#### Configure syslog message forwarding from Juniper SRX Firewall + +1. Log in to the Juniper SRX Firewall CLI. + +2. Enter configuration mode: + ```shell + configure + ``` + +3. To send logs to the Datadog Agent, execute the following commands: + ```shell + set system syslog host any any + set system syslog host port + set system syslog host structured-data brief + ``` + **Note**: + - Replace `` with the Datadog Agent's IP address. + - Replace `` with the same port configured in [Log Collection][7]. + +4. Verify if `Security Logging` is enabled: + ```shell + show security log mode + ``` + If enabled, the output will display either `mode stream;` or `mode event-stream;` + +5. If `Security Logging` is enabled, configure log streaming: + ```shell + set security log stream format sd-syslog + set security log stream category all + set security log stream host + set security log stream host port + set security log transport protocol udp + ``` + +6. Apply and exit the configuration: + ``` + commit + exit + ``` + +### Validation + +[Run the Agent's status subcommand][5] and look for `juniper_srx_firewall` under the **Checks** section. + +## Data Collected + +### Log + +| Format | Event Types | +| ------------------------- | ------------------------------------------------ | +| Structured-Data(RFC 5424) | Session Logs, Security Logs, Authentication Logs | + +### Metrics + +The Juniper SRX Firewall integration does not include any metrics. + +### Events + +The Juniper SRX Firewall integration does not include any events. + +### Service Checks + +The Juniper SRX Firewall integration does not include any service checks. + +## Troubleshooting + +### Permission denied while port binding + +If you see a **Permission denied** error while port binding in the Agent logs: + +1. Binding to a port number under 1024 requires elevated permissions. 
Grant access to the port using the `setcap` command: + + ```shell + sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent + ``` + +2. Verify the setup is correct by running the `getcap` command: + + ```shell + sudo getcap /opt/datadog-agent/bin/agent/agent + ``` + + With the expected output: + + ```shell + /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep + ``` + + **Note**: Re-run this `setcap` command every time you upgrade the Agent. + +3. [Restart the Agent][2]. + +### Data is not being collected + +Ensure firewall settings allow traffic through the configured port. + +### Port already in use + +On systems running Syslog, the Agent may fail to bind to port 514 and display the following error: + + Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use + +This error occurs because Syslog uses port 514 by default. + +To resolve: + - Disable Syslog, OR + - Configure the Agent to listen on a different, available port. + +For further assistance, contact [Datadog support][1]. + +[1]: https://docs.datadoghq.com/help/ +[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[3]: https://www.juniper.net/us/en/products/security/srx-series.html +[4]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install +[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[6]: https://github.com/DataDog/integrations-core/blob/master/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/data/conf.yaml.example +[7]: https://docs.datadoghq.com/integrations/juniper_srx_firewall/#configure-log-collection diff --git a/juniper_srx_firewall/assets/configuration/spec.yaml b/juniper_srx_firewall/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..aee9b26dcf8c1 --- /dev/null +++ b/juniper_srx_firewall/assets/configuration/spec.yaml 
@@ -0,0 +1,10 @@
+name: Juniper SRX Firewall
+files:
+- name: juniper_srx_firewall.yaml
+ options:
+ - template: logs
+ example:
+ - type: udp
+ port:
+ source: juniper-srx-firewall
+ service: juniper-srx-firewall
diff --git a/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_authentication_logs.json b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_authentication_logs.json
new file mode 100644
index 0000000000000..1f65b2e894f2a
--- /dev/null
+++ b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_authentication_logs.json
@@ -0,0 +1,898 @@ +{ + "title": "Juniper SRX Firewall - Authentication Logs", + "description": "- This dashboard provides an overview of authentication activity, tracking successful and failed login attempts. It highlights authentication trends, top failing users and IPs, geo-location data, and failure reasons to enhance security monitoring and threat detection.", + "experience_type": "default", + "widgets": [ + { + "id": 3098264915522038, + "definition": { + "type": "image", + "url": "https://juniper-prod.scene7.com/is/image/junipernetworks/juniper_black-rgb-header?fmt=png8-alpha&dpr=off", + "url_dark_theme": "https://www.juniper.net/content/dam/www/assets/images/global/juniper_white-rgb-footer.svg", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 495983273354694, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of authentication activities on the Juniper SRX Firewall, tracking successful and failed login attempts. 
It provides insights into authentication trends, top failing users and IPs, geo-location data, and failure reasons to enhance security monitoring and threat detection.\n\nThis centralized overview streamlines analysis and helps detect potential issues or patterns for proactive system management.\n\nFor more information, see the [Juniper SRX Firewall Integration Documentation](https://docs.datadoghq.com/integrations/juniper_srx_firewall).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7822594049283508, + "definition": { + "title": "Authentication Logs", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 740034796599106, + "definition": { + "title": "Total Failed Logins", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { 
+ "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 2582817946954042, + "definition": { + "title": "Failed Logins by Category over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2243202168003744, + "definition": { + "title": "Total Successful Logins", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall 
@syslog.msgid:(REMOTE_ACCESS_VPN_AUTH_OK OR DYNAMIC_VPN_AUTH_OK OR JADE_AUTH_SUCCESS OR WEB_WEBAUTH_AUTH_OK OR WEB_AUTH_SUCCESS OR FWAUTH_FTP_USER_AUTH_ACCEPTED OR FWAUTH_HTTPS_USER_AUTH_ACCEPTED OR FWAUTH_HTTP_USER_AUTH_ACCEPTED OR FWAUTH_TELNET_USER_AUTH_ACCEPTED OR FWAUTH_WEBAUTH_SUCCESS OR LOGIN_INFORMATION) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_green", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 3 + } + }, + { + "id": 6128717263246190, + "definition": { + "title": "Successful Logins by Category over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(REMOTE_ACCESS_VPN_AUTH_OK OR DYNAMIC_VPN_AUTH_OK OR JADE_AUTH_SUCCESS OR WEB_WEBAUTH_AUTH_OK OR WEB_AUTH_SUCCESS OR FWAUTH_FTP_USER_AUTH_ACCEPTED OR FWAUTH_HTTPS_USER_AUTH_ACCEPTED OR FWAUTH_HTTP_USER_AUTH_ACCEPTED OR FWAUTH_TELNET_USER_AUTH_ACCEPTED OR FWAUTH_WEBAUTH_SUCCESS OR LOGIN_INFORMATION) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "green", + "order_by": 
"values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 3, + "width": 9, + "height": 3 + } + }, + { + "id": 68482487258244, + "definition": { + "title": "Top Users with Failed Logins", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 4, + "height": 4 + } + }, + { + "id": 1185699557300620, + "definition": { + "title": "Distribution by Category", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR 
FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL OR REMOTE_ACCESS_VPN_AUTH_OK OR DYNAMIC_VPN_AUTH_OK OR JADE_AUTH_SUCCESS OR WEB_WEBAUTH_AUTH_OK OR WEB_AUTH_SUCCESS OR FWAUTH_FTP_USER_AUTH_ACCEPTED OR FWAUTH_HTTPS_USER_AUTH_ACCEPTED OR FWAUTH_HTTP_USER_AUTH_ACCEPTED OR FWAUTH_TELNET_USER_AUTH_ACCEPTED OR FWAUTH_WEBAUTH_SUCCESS OR LOGIN_INFORMATION) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 6, + "width": 8, + "height": 4 + } + }, + { + "id": 3560372487066734, + "definition": { + "title": "Top IPs with Failed Logins", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + 
} + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 4, + "height": 4 + } + }, + { + "id": 2746863721009926, + "definition": { + "title": "Geo-Location of Failed Login Attempts", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 4, + "y": 10, + "width": 8, + "height": 4 + } + }, + { + "id": 4284411461867030, + "definition": { + "title": "Top Reasons for JADE Auth Failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:JADE_AUTH_FAILURE $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@error-message", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 4, + "height": 4 + } + }, + { + "id": 2110825981746498, + "definition": { + "title": "Top Reasons for VPN Auth Failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR REMOTE_ACCESS_VPN_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@error-message", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 14, + "width": 4, + "height": 4 + } + }, + { + "id": 403429590286798, + "definition": { + "title": "Top Hosts for VPN Auth Failure", + "title_size": 
"16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR REMOTE_ACCESS_VPN_AUTH_FAIL) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@hostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 14, + "width": 4, + "height": 4 + } + }, + { + "id": 416534017691312, + "definition": { + "title": "Failed Login Details", + "title_size": "16", + "title_align": "left", + "time": {}, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR FWAUTH_WEBAUTH_FAIL OR LOGIN_FAILED OR SSHD_LOGIN_FAILED OR REMOTE_ACCESS_VPN_AUTH_FAIL OR WEB_WEBAUTH_AUTH_FAIL OR WEB_AUTH_FAIL) $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 4 + } + }, + { + 
"id": 8800175875991554, + "definition": { + "title": "Successful Login Details", + "title_size": "16", + "title_align": "left", + "time": {}, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(REMOTE_ACCESS_VPN_AUTH_OK OR DYNAMIC_VPN_AUTH_OK OR JADE_AUTH_SUCCESS OR WEB_WEBAUTH_AUTH_OK OR WEB_AUTH_SUCCESS OR FWAUTH_FTP_USER_AUTH_ACCEPTED OR FWAUTH_HTTPS_USER_AUTH_ACCEPTED OR FWAUTH_HTTP_USER_AUTH_ACCEPTED OR FWAUTH_TELNET_USER_AUTH_ACCEPTED OR FWAUTH_WEBAUTH_SUCCESS OR LOGIN_INFORMATION) $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 27 + } + } + ], + "template_variables": [ + { + "name": "User-Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "Client-IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_overview.json b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_overview.json new file mode 100644 index 0000000000000..d0145151b95dd --- /dev/null +++ b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_overview.json 
@@ -0,0 +1,965 @@ +{ + "title": "Juniper SRX Firewall - Overview", + "description": "- This dashboard provides centralized visibility into security logs, event trends, and network activity, enabling efficient monitoring and management.", + "experience_type": "default", + "widgets": [ + { + "id": 3098264915522038, + "definition": { + "type": "image", + "url": "https://juniper-prod.scene7.com/is/image/junipernetworks/juniper_black-rgb-header?fmt=png8-alpha&dpr=off", + "url_dark_theme": "https://www.juniper.net/content/dam/www/assets/images/global/juniper_white-rgb-footer.svg", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 495983273354694, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of Juniper SRX Firewall logs. It helps identify critical events, track trends over time, and monitor top hosts for better network security analysis.\n\nThis centralized overview streamlines analysis and helps detect potential issues or patterns for proactive system management.\n\nFor more information, see the [Juniper SRX Firewall Integration Documentation](https://docs.datadoghq.com/integrations/juniper_srx_firewall).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 8184424141356950, + "definition": { + "title": "Overview", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + 
"widgets": [ + { + "id": 7891400334881222, + "definition": { + "title": "Total Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall $Event-Type $Juniper-SRX-Device $Severity" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8702748035003160, + "definition": { + "title": "Logs by Severity over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall $Event-Type $Juniper-SRX-Device $Severity" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "semantic", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 82935318322932, + "definition": { + "title": 
"Distribution by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall $Event-Type $Juniper-SRX-Device $Severity" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "semantic" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 6227356413653500, + "definition": { + "title": "Top Event Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall $Event-Type $Juniper-SRX-Device $Severity" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@syslog.msgid", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6458529377968386, + "definition": { + "title": "Top 
Juniper SRX Devices ", + "title_size": "16", + "title_align": "left", + "time": {}, + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall $Event-Type $Juniper-SRX-Device $Severity" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@syslog.hostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 5436549861232012, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall $Event-Type $Juniper-SRX-Device $Severity", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 16 + } + }, + { + "id": 6318815126622146, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5913269995029142, + "definition": { + "type": "note", + "content": 
"\nDatadog Cloud SIEM analyzes and correlates Juniper SRX Firewall logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2246708282476820, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:critical" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 924517000228036, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:high" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 
2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 7685826796026264, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:critical" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 7817209972175932, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:medium" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 8386591420587394, + "definition": { + "title": "LOWs", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:low" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3808261989156052, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:info" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 8791604226681644, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + 
"aggregation": "count" + } + } + ], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:high" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 2412900620565832, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall status:medium" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 10, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "Juniper-SRX-Device", + "prefix": "@syslog.hostname", + "available_values": [], + "default": "*" + }, + { + "name": "Event-Type", + "prefix": "@syslog.msgid", + "available_values": [], + "default": "*" + }, + { + "name": "Severity", + "prefix": "status", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
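Review bot: The toplist title `"Top Juniper SRX Devices "` carries a trailing space, and the Cloud SIEM note `content` begins with `\n` and ends with a trailing space, so the rendered dashboard shows stray whitespace in both places; trimming them keeps the export clean, e.g. `"title": "Top Juniper SRX Devices"`. The top-level `description` also opens with a literal `- `, which reads as a leftover bullet marker rather than prose — the security-logs dashboard added in the next file header has the same leading `- `, so both could be fixed together. A trimmed form would be `"description": "This dashboard provides centralized visibility into security logs, event trends, and network activity, enabling efficient monitoring and management."`. The `Log Details` stream query uses `"indexes": []` while every other query in this file uses `["*"]`; if that difference is not intentional for the `logs_stream` data source, aligning it would avoid surprising readers.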
diff --git a/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_security_logs.json b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_security_logs.json
new file mode 100644
index 0000000000000..1008f1a711ff7
--- /dev/null
+++ b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_security_logs.json
@@ -0,0 +1,5693 @@ +{ + "title": "Juniper SRX Firewall - Security Logs", + "description": "- This dashboard provides visibility into security threats, including malware detections, intrusion attempts, DoS attacks, and content filtering activities. It helps monitor blocked and permitted transactions for proactive threat management.", + "widgets": [ + { + "id": 3098264915522038, + "definition": { + "type": "image", + "url": "https://juniper-prod.scene7.com/is/image/junipernetworks/juniper_black-rgb-header?fmt=png8-alpha&dpr=off", + "url_dark_theme": "https://www.juniper.net/content/dam/www/assets/images/global/juniper_white-rgb-footer.svg", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 495983273354694, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of security events on the Juniper SRX Firewall, including malware detections, intrusion attempts, DoS attacks, and content filtering activities. 
It helps identify threats, monitor blocked or permitted transactions, and enhance network security posture.\n\nThis centralized overview streamlines analysis and helps detect potential issues or patterns for proactive system management.\n\nFor more information, see the [Juniper SRX Firewall Integration Documentation](https://docs.datadoghq.com/integrations/juniper_srx_firewall).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7822594049283508, + "definition": { + "title": "Malware-Infected Hosts", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2243202168003744, + "definition": { + "title": "Total Infected Hosts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 2582817946954042, + "definition": { + "title": "Infected Hosts over Time", + "title_size": 
"16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Infected Hosts", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 68482487258244, + "definition": { + "title": "Top Infected Hosts by IP", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@hostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1185699557300620, + "definition": { + "title": "Distribution by Host Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3560372487066734, + "definition": { + "title": "Top Users Associated with Infected Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + 
] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 4284411461867030, + "definition": { + "title": "Average Threat Score over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Threat Score", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.threat_score" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "warm", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + }, + { + "id": 1040182246504560, + "definition": { + "title": "Top Host Infection Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { 
+ "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 5088861108259758, + "definition": { + "title": "Top Malware Policies", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@policy-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 2760653159418122, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_HOST_INFECTED_EVENT_LOG $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "hostname", + "width": "auto" + }, + { + "field": "@status", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": 
"@juniper_srx_firewall.threat_score", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + }, + { + "field": "policy-name", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 1 + } + }, + { + "id": 8598194676700398, + "definition": { + "title": "Malware Detection", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3889632997408074, + "definition": { + "title": "Total Malware Detections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5649576909019400, + "definition": { + "title": "Malware Detections over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Malware Detections", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + 
}, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 1890115230742134, + "definition": { + "title": "Most Frequent Malware Detected", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@malware-info", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1650766393647094, + "definition": { + "title": "Top Affected Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1399901978540598, + "definition": { + "title": "Top Source Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 1018089274750064, + "definition": { + "title": "Average Malware Verdicts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Malware Verdict", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall 
service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.verdict_number" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "warm", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + }, + { + "id": 3790687060477222, + "definition": { + "title": "Top Malware Hashes Detected", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@sample-sha256", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 8483273025870466, + "definition": { + "title": "Top URLs with Malware Detection", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + 
"facet": "@url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 2497385464506046, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AAMW_MALWARE_EVENT_LOG $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "malware-info", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.verdict_number", + "width": "auto" + }, + { + "field": "hostname", + "width": "auto" + }, + { + "field": "sample-sha256", + "width": "auto" + }, + { + "field": "url", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 1 + } + }, + { + "id": 5436374635938978, + "definition": { + "title": "Email Spam Detection", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2739776479097952, + "definition": { + "title": "Total Spam Detections", + "title_size": "16", + "title_align": "left", + "type": 
"query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 4871309654135244, + "definition": { + "title": "Spam Detections over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Spam Detections", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 6416705240477760, + "definition": { + "title": "Most Frequent Spam Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 3438086429925856, + "definition": { + "title": "Top Affected Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 7507846602660436, + "definition": { + "title": "Top Source Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 7960322370625872, + "definition": { + "title": "Actions Taken on Spam Messages", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 5616026879843078, + "definition": { + "title": "Affected Zones Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + 
"requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@source-zone", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@destination-zone", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8655063962573060, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:ANTISPAM_SPAM_DETECTED_MT $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "source-zone", + "width": "auto" + }, + { + "field": "destination-zone", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + 
] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 1 + } + }, + { + "id": 4368031180916308, + "definition": { + "title": "Virus Detection", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1322571731615670, + "definition": { + "title": "Total Virus Detections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 4423239938109566, + "definition": { + "title": "Virus Detections over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Virus Detections", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" 
+ }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 6787709394378620, + "definition": { + "title": "Top Virus Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 7108802144923896, + "definition": { + "title": "Distribution by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": 
"sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5687251413744790, + "definition": { + "title": "Top Infected Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7170315532093774, + "definition": { + "title": "Top Infected Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@filename", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } 
+ } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 3841737703280906, + "definition": { + "title": "Top Affected Source Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7320856085558036, + "definition": { + "title": "Top Affected Destination Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 6810842277647048, + "definition": { + "title": "Top URLs with Virus Detection", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 8919737803619292, + "definition": { + "title": "Affected Zones Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall 
service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@source-zone", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@destination-zone", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 5811580136092222, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:AV_VIRUS_DETECTED_MT $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source-zone", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": 
"@network.destination.port", + "width": "auto" + }, + { + "field": "destination-zone", + "width": "auto" + }, + { + "field": "filename", + "width": "auto" + }, + { + "field": "url", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 1 + } + }, + { + "id": 1175974251813126, + "definition": { + "title": "Intrusion Detection & Prevention(IDP) Attack Logs", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8648028336569888, + "definition": { + "title": "Total IDP Attacks Detected", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 6608297278689024, + "definition": { + "title": "IDP Attacks over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "IDP Attacks", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall 
@syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2549273570563070, + "definition": { + "title": "Top Attack Name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@attack-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3213303039762064, + "definition": { + "title": "Distribution by Threat Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@threat-severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": 
"desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 578481642909238, + "definition": { + "title": "Top Attacked Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@application-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 32838564119700, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 444015984005176, + "definition": { + "title": "Distribution by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@protocol-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7299648851142852, + "definition": { + "title": "Distribution by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": 
"@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7520441658101780, + "definition": { + "title": "Top Source Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 263552202769456, + "definition": { + "title": "Top Destination Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + 
"name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 3195784804040600, + "definition": { + "title": "Average Bytes Over Time for Inbound and Outbound Connection", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Inbound Bytes", + "formula": "query1" + }, + { + "alias": "Outbound Bytes", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.inbound_bytes" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall 
service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.outbound_bytes" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 19, + "width": 6, + "height": 4 + } + }, + { + "id": 1866963838442444, + "definition": { + "title": "Average Packets Over Time for Inbound and Outbound Connection", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Inbound Packets", + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + }, + { + "alias": "Outbound Packets", + "formula": "query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.inbound_packets" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.outbound_packets" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": 
"dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 19, + "width": 6, + "height": 4 + } + }, + { + "id": 4804356680017424, + "definition": { + "title": "Average Elapsed Time of Attacks", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.elapsed_time" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": { + "include_zero": false + }, + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 23, + "width": 4, + "height": 4 + } + }, + { + "id": 1551895157076114, + "definition": { + "title": "Attack Traffic by Zones & Interfaces", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@source-zone-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@source-interface-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": 
"@destination-zone-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@destination-interface-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 23, + "width": 8, + "height": 4 + } + }, + { + "id": 7628221505031274, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:IDP_ATTACK_LOG_EVENT $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "attack-name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "application-name", + "width": "auto" + }, + { + "field": "protocol-name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.inbound_bytes", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.outbound_bytes", + "width": "auto" + }, + { + "field": 
"@juniper_srx_firewall.inbound_packets", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.outbound_packets", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.elapsed_time", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 27, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 32 + } + }, + { + "id": 1058253677712148, + "definition": { + "title": "Denial-of-Service(DoS) Attack Logs", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4815990295242000, + "definition": { + "title": "Total DoS Attacks", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8943511771609626, + "definition": { + "title": "DoS Attacks by Category over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "DoS Attacks", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 851007433075946, + "definition": { + "title": "Top DoS Attacks", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@attack-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4121543576570248, + "definition": { + "title": "Distribution by Attack 
Category", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 827087005477792, + "definition": { + "title": "Distribution by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + 
"type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 2929319004441282, + "definition": { + "title": "Top Interfaces Receiving Attacks", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@interface-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 5319069619765548, + "definition": { + "title": "Top Source Zones", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@source-zone-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 5, + "height": 4 + } + }, + { + "id": 263759594511918, + "definition": { + "title": "Attack Traffic Overview", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 5, + "y": 11, + "width": 7, + 
"height": 4 + } + }, + { + "id": 848279859614198, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_SCREEN_ICMP OR RT_SCREEN_TCP OR RT_SCREEN_UDP OR RT_SCREEN_IP OR RT_SCREEN_TCP_DST_IP OR RT_SCREEN_TCP_SRC_IP) $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "attack-name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "category", + "width": "auto" + }, + { + "field": "interface-name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source-zone-name", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 39, + "width": 12, + "height": 1 + } + }, + { + "id": 6418496546640828, + "definition": { + "title": "Blocked Transactions by Content Filtering", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1499523302396846, + "definition": { + "title": "Total Blocked Transactions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + 
"indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 6712922358030114, + "definition": { + "title": "Blocked Transactions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Blocked Transactions", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 6663522747274230, + "definition": { + "title": "Top Blocked Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 7007984070766104, + "definition": { + "title": "Blocked Transactions by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@argument", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 7116387885727594, + "definition": { + "title": "Most Common Blocking Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@reason", + "limit": 10, + 
"sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7230463361676282, + "definition": { + "title": "Top Blocked Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@filename", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 4043754076572662, + "definition": { + "title": "Top Blocked Source Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 1259928239502718, + "definition": { + "title": "Top Blocked Destination Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 3133106174915534, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:CONTENT_FILTERING_BLOCKED_MT $Client-IP $User-Name", + 
"indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "argument", + "width": "auto" + }, + { + "field": "filename", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 1 + } + }, + { + "id": 8297619500642188, + "definition": { + "title": "Blocked or Permitted URLs by Content Filtering", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5562481304213536, + "definition": { + "title": "Total Blocked or Permitted URLs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 6205507016892106, + "definition": { + "title": "URLs by Action over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", 
+ "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Blocked Transactions", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 3919531592928180, + "definition": { + "title": "Top URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 
1466480036532056, + "definition": { + "title": "Distribution by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 185492404663456, + "definition": { + "title": "Most Common Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + 
"x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6129727407851270, + "definition": { + "title": "Distribution by Category", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7783431497936830, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + 
"style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 2603605127328266, + "definition": { + "title": "Top Source Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 8422518359228038, + "definition": { + "title": "Top Destination Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": 
"count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 5598326445089504, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(WEBFILTER_URL_BLOCKED OR WEBFILTER_URL_PERMITTED) $Client-IP $User-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "url", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "category", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 41, + "width": 12, + "height": 1 + } + } + ], + "template_variables": [ + { + "name": "User-Name", + "prefix": "@usr.name", + 
"available_values": [], + "default": "*" + }, + { + "name": "Client-IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_session_logs.json b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_session_logs.json new file mode 100644 index 0000000000000..267bdd4db7c39 --- /dev/null +++ b/juniper_srx_firewall/assets/dashboards/juniper_srx_firewall_session_logs.json 
@@ -0,0 +1,3387 @@ +{ + "title": "Juniper SRX Firewall - Session Logs", + "description": "- This dashboard provides an overview of network traffic and session activities, including initiated and denied sessions, application traffic, and dropped packets.", + "widgets": [ + { + "id": 3098264915522038, + "definition": { + "type": "image", + "url": "https://juniper-prod.scene7.com/is/image/junipernetworks/juniper_black-rgb-header?fmt=png8-alpha&dpr=off", + "url_dark_theme": "https://www.juniper.net/content/dam/www/assets/images/global/juniper_white-rgb-footer.svg", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 495983273354694, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of network traffic and session activities in the Juniper SRX Firewall. It provides insights into initiated and denied sessions, application-related traffic, and dropped packets, enabling better visibility into network performance and potential threats.\n\nThis centralized overview streamlines analysis and helps detect potential issues or patterns for proactive system management.\n\nFor more information, see the [Juniper SRX Firewall Integration Documentation](https://docs.datadoghq.com/integrations/juniper_srx_firewall).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 8184424141356950, + "definition": { + "title": "Routing Flow Session 
Logs", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7891400334881222, + "definition": { + "title": "Total Initiated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8702748035003160, + "definition": { + "title": "Initiated Sessions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Initiated Sessions", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 
5630552184833260, + "definition": { + "title": "Total Denied Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_DENY $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 3 + } + }, + { + "id": 1211457133438556, + "definition": { + "title": "Denied Sessions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Denied Sessions", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_DENY $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "red", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 3, + "width": 9, + "height": 3 + } + }, + { + "id": 8971065890448258, + "definition": { + "title": "Top Incoming Interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + 
"requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@packet-incoming-interface", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 4 + } + }, + { + "id": 260600794786028, + "definition": { + "title": "Distribution by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@protocol", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 6, + "width": 6, + "height": 4 + } + }, + { + "id": 8787701388169482, + "definition": { + "title": "Top Users Associated with Sessions", + 
"title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 4, + "height": 4 + } + }, + { + "id": 2155922808325504, + "definition": { + "title": "Top Source Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] 
+ } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 10, + "width": 4, + "height": 4 + } + }, + { + "id": 4076578552937540, + "definition": { + "title": "Top Destination Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 10, + "width": 4, + "height": 4 + } + }, + { + "id": 2031681825402384, + "definition": { + "title": "Distribution by Session Flag", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@session-flag", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + 
"compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 5275632234101986, + "definition": { + "title": "Top Policies", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@policy-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 3348147054920180, + "definition": { + "title": "Bytes Transferred to Client", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + 
"metric": "@network.bytes_written" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 18, + "width": 4, + "height": 2 + } + }, + { + "id": 34493201515560, + "definition": { + "title": "Average Bytes Transferred over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Bytes Received", + "formula": "query1" + }, + { + "alias": "Bytes Sent", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@network.bytes_read" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@network.bytes_written" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 18, + "width": 8, + "height": 4 + } + }, + { + "id": 6932771502434534, + "definition": { + "title": "Bytes Transferred to Server", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + 
"queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_read" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 20, + "width": 4, + "height": 2 + } + }, + { + "id": 1746605288025150, + "definition": { + "title": "Packets Transferred to Client", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@juniper_srx_firewall.packets_from_server" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + }, + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 22, + "width": 4, + "height": 2 + } + }, + { + "id": 7753755021518552, + "definition": { + "title": "Average Packets Transferred over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Packets 
Received", + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + }, + { + "alias": "Packets Sent", + "formula": "query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.packets_from_client" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.packets_from_server" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 22, + "width": 8, + "height": 4 + } + }, + { + "id": 4381164678653574, + "definition": { + "title": "Packets Transferred to Server", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@juniper_srx_firewall.packets_from_client" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": 
"canonical_unit", + "unit_name": "packet" + } + } + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 24, + "width": 4, + "height": 2 + } + }, + { + "id": 5902628133213262, + "definition": { + "title": "Top Session Closure Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 26, + "width": 4, + "height": 4 + } + }, + { + "id": 5648558877224682, + "definition": { + "title": "Average Elapsed Time over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Avg. 
Elapsed Time", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.elapsed_time" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 26, + "width": 8, + "height": 4 + } + }, + { + "id": 135264886436058, + "definition": { + "title": "Application Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@application", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@application-risk", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@application-category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@application-sub-category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + 
"index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 4 + } + }, + { + "id": 188664666431306, + "definition": { + "title": "NAT Session Flow Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:RT_FLOW_SESSION_CREATE $Client-IP $Destination-IP", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "nat-source-address", + "width": "auto" + }, + { + "field": "nat-source-port", + "width": "auto" + }, + { + "field": "src-nat-rule-name", + "width": "auto" + }, + { + "field": "src-nat-rule-type", + "width": "auto" + }, + { + "field": "nat-destination-address", + "width": "auto" + }, + { + "field": "nat-destination-port", + "width": "auto" + }, + { + "field": "dst-nat-rule-name", + "width": "auto" + }, + { + "field": "dst-nat-rule-type", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 34, + "width": 12, + "height": 4 + } + }, + { + "id": 5218085156199632, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(RT_FLOW_SESSION_CREATE OR RT_FLOW_SESSION_CLOSE OR RT_FLOW_SESSION_DENY) $Client-IP $Destination-IP", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "syslog.msgid", + "width": "auto" + }, + { + "field": "packet-incoming-interface", + "width": "auto" + }, + { + "field": 
"@usr.name", + "width": "auto" + }, + { + "field": "policy-name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "@network.bytes_read", + "width": "auto" + }, + { + "field": "@network.bytes_written", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.packets_from_client", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.packets_from_server", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.elapsed_time", + "width": "auto" + }, + { + "field": "session-flag", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 38, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 43 + } + }, + { + "id": 6557520564433322, + "definition": { + "title": "AppTrack Session Logs", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6309083789299356, + "definition": { + "title": "Total Application related Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + 
"layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 6035287653104030, + "definition": { + "title": "Application related Sessions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Application related Sessions", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 1250829825246620, + "definition": { + "title": "Top Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@application", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + 
"legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 621707279146708, + "definition": { + "title": "Distribution by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@protocol", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 8961151648963984, + "definition": { + "title": "Top Users Associated with Sessions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": 
"desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 5488194333306468, + "definition": { + "title": "Top Source Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 6681633212798854, + "definition": { + "title": "Top Destination Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 1509355715207680, + "definition": { + "title": "Distribution by Category", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 8837849148012478, + "definition": { + "title": "Top Destination Interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall 
@syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@destination-interface-name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7641820599028354, + "definition": { + "title": "Bytes Transferred to Client", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_written" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 15, + "width": 4, + "height": 2 + } + }, + { + "id": 6545828223475376, + "definition": { + "title": "Average Bytes Transferred over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Bytes Received", + "formula": "query1" + }, + { + 
"alias": "Bytes Sent", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@network.bytes_read" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@network.bytes_written" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 15, + "width": 8, + "height": 4 + } + }, + { + "id": 6747167989408842, + "definition": { + "title": "Bytes Transferred to Server", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_read" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 17, + "width": 4, + "height": 2 + } + }, + { + "id": 3270056403271228, + "definition": { + "title": "Packets Transferred to Client", + 
"title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@juniper_srx_firewall.packets_from_server" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 19, + "width": 4, + "height": 2 + } + }, + { + "id": 2062744855852108, + "definition": { + "title": "Average Packets Transferred over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Packets Received", + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + }, + { + "alias": "Packets Sent", + "formula": "query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.packets_from_client" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": 
"source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.packets_from_server" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 19, + "width": 8, + "height": 4 + } + }, + { + "id": 4326461337627526, + "definition": { + "title": "Packets Transferred to Server", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@juniper_srx_firewall.packets_from_client" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "packet" + } + } + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 21, + "width": 4, + "height": 2 + } + }, + { + "id": 4713573891190028, + "definition": { + "title": "Top Session Closure Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": 
"@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 23, + "width": 4, + "height": 4 + } + }, + { + "id": 6635585169402276, + "definition": { + "title": "Average Elapsed Time over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Avg. Elapsed Time", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CLOSE $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@juniper_srx_firewall.elapsed_time" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 23, + "width": 8, + "height": 4 + } + }, + { + "id": 3130810149729436, + "definition": { + "title": "NAT Session Flow Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:APPTRACK_SESSION_CREATE $Client-IP 
$Destination-IP", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "nat-source-address", + "width": "auto" + }, + { + "field": "nat-source-port", + "width": "auto" + }, + { + "field": "src-nat-rule-name", + "width": "auto" + }, + { + "field": "nat-destination-address", + "width": "auto" + }, + { + "field": "nat-destination-port", + "width": "auto" + }, + { + "field": "dst-nat-rule-name", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 27, + "width": 12, + "height": 4 + } + }, + { + "id": 3980936399366868, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:(APPTRACK_SESSION_CREATE OR APPTRACK_SESSION_CLOSE) $Client-IP $Destination-IP", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "syslog.msgid", + "width": "auto" + }, + { + "field": "destination-interface-name", + "width": "auto" + }, + { + "field": "application", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "category", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "@network.bytes_read", + "width": "auto" + }, + { + "field": "@network.bytes_written", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.packets_from_client", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.packets_from_server", + "width": "auto" + }, + { + "field": "@juniper_srx_firewall.elapsed_time", + "width": "auto" + }, 
+ { + "field": "reason", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 46, + "width": 12, + "height": 36 + } + }, + { + "id": 7822594049283508, + "definition": { + "title": "Dropped Packet Logs", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2243202168003744, + "definition": { + "title": "Total Dropped Packets", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#db4343" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 2582817946954042, + "definition": { + "title": "Dropped Packets by Protocol over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Dropped Packets", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@protocol", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 1185699557300620, + "definition": { + "title": "Distribution by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@protocol", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 68482487258244, + "definition": { + "title": "Top Interface with Packet Drops", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@interface-name", + "limit": 10, + "sort": { + "aggregation": "count", + 
"order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3560372487066734, + "definition": { + "title": "Top Source Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 4284411461867030, + "definition": { + "title": "Top Destination Addresses with Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { 
+ "query": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 4455589495437328, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:juniper-srx-firewall service:juniper-srx-firewall @syslog.msgid:FLOW_LOG_PKT_DROP $Client-IP $Destination-IP", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "interface-name", + "width": "auto" + }, + { + "field": "protocol", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "source-zone-name", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + 
"layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 82, + "width": 12, + "height": 16 + } + } + ], + "template_variables": [ + { + "name": "Client-IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Destination-IP", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/juniper_srx_firewall/assets/juniper_srx_firewall.svg b/juniper_srx_firewall/assets/juniper_srx_firewall.svg new file mode 100644 index 0000000000000..d790277ae2b1a --- /dev/null +++ b/juniper_srx_firewall/assets/juniper_srx_firewall.svg @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/juniper_srx_firewall/assets/logs/juniper-srx-firewall.yaml b/juniper_srx_firewall/assets/logs/juniper-srx-firewall.yaml new file mode 100644 index 0000000000000..55d846abb1c3b --- /dev/null +++ b/juniper_srx_firewall/assets/logs/juniper-srx-firewall.yaml 
@@ -0,0 +1,625 @@ +id: juniper-srx-firewall +metric_id: juniper-srx-firewall +backend_only: false +facets: + - groups: + - User + name: User Name + path: usr.name + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: 
network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - facetType: range + groups: + - Web Access + name: Network Bytes Read + path: network.bytes_read + source: log + type: double + unit: + family: bytes + name: byte + - facetType: range + groups: + - Web Access + name: Bytes Written + path: network.bytes_written + source: log + type: double + unit: + family: bytes + name: byte + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Elapsed Time + path: juniper_srx_firewall.elapsed_time + source: log + type: integer + unit: + family: time + name: second + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Inbound Bytes + path: juniper_srx_firewall.inbound_bytes + source: log + type: integer + unit: + family: bytes + name: byte + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Inbound Packets + path: juniper_srx_firewall.inbound_packets + source: log + type: integer + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Outbound Bytes + path: juniper_srx_firewall.outbound_bytes + source: log + type: integer + unit: + family: bytes + name: byte + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Outbound Packets + path: juniper_srx_firewall.outbound_packets + source: log + type: integer + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Packets From Client + path: juniper_srx_firewall.packets_from_client + source: log + type: integer + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Packets From Server + path: juniper_srx_firewall.packets_from_server + source: log + type: integer + - description: "" + facetType: range + groups: + - Juniper SRX Firewall + name: Threat Score + path: juniper_srx_firewall.threat_score + source: log + type: integer + - description: "" + facetType: 
range + groups: + - Juniper SRX Firewall + name: Verdict Number + path: juniper_srx_firewall.verdict_number + source: log + type: integer +pipeline: + type: pipeline + name: Juniper SRX Firewall + enabled: true + filter: + query: source:juniper-srx-firewall + processors: + - type: string-builder-processor + name: Building a service attribute + enabled: true + template: juniper-srx-firewall + target: service + replaceMissing: false + - type: service-remapper + name: Define `service` as the official service of the log + enabled: true + sources: + - service + - type: date-remapper + name: Define `syslog.timestamp` as the official date of the log + enabled: true + sources: + - syslog.timestamp + - type: status-remapper + name: Define `syslog.severity` as the official status of the log + enabled: true + sources: + - syslog.severity + - type: attribute-remapper + name: Map `username` to `usr.name` + enabled: true + sources: + - username + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `source-address`, `client-address`, `src-ip-str`, `b4-address` to `network.client.ip` + enabled: true + sources: + - source-address + - client-address + - src-ip-str + - b4-address + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `source-port` to `network.client.port` + enabled: true + sources: + - source-port + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `destination-address` to `network.destination.ip` + enabled: true + sources: + - destination-address + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map 
`destination-port` to `network.destination.port` + enabled: true + sources: + - destination-port + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `bytes-from-client` to `network.bytes_read` + enabled: true + sources: + - bytes-from-client + sourceType: attribute + target: network.bytes_read + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `bytes-from-server` to `network.bytes_written` + enabled: true + sources: + - bytes-from-server + sourceType: attribute + target: network.bytes_written + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `verdict-number` to `juniper_srx_firewall.verdict_number` + enabled: true + sources: + - verdict-number + sourceType: attribute + target: juniper_srx_firewall.verdict_number + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `threat-score` to `juniper_srx_firewall.threat_score` + enabled: true + sources: + - threat-score + sourceType: attribute + target: juniper_srx_firewall.threat_score + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `elapsed-time` to `juniper_srx_firewall.elapsed_time` + enabled: true + sources: + - elapsed-time + sourceType: attribute + target: juniper_srx_firewall.elapsed_time + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `packets-from-client` to `juniper_srx_firewall.packets_from_client` + enabled: true + sources: + - packets-from-client + sourceType: attribute + target: juniper_srx_firewall.packets_from_client + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `packets-from-server` to 
`juniper_srx_firewall.packets_from_server` + enabled: true + sources: + - packets-from-server + sourceType: attribute + target: juniper_srx_firewall.packets_from_server + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `inbound-bytes` to `juniper_srx_firewall.inbound_bytes` + enabled: true + sources: + - inbound-bytes + sourceType: attribute + target: juniper_srx_firewall.inbound_bytes + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `outbound-bytes` to `juniper_srx_firewall.outbound_bytes` + enabled: true + sources: + - outbound-bytes + sourceType: attribute + target: juniper_srx_firewall.outbound_bytes + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `inbound-packets` to `juniper_srx_firewall.inbound_packets` + enabled: true + sources: + - inbound-packets + sourceType: attribute + target: juniper_srx_firewall.inbound_packets + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `outbound-packets` to `juniper_srx_firewall.outbound_packets` + enabled: true + sources: + - outbound-packets + sourceType: attribute + target: juniper_srx_firewall.outbound_packets + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Extracting geolocation information from the client IP + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Extracting geolocation information from the destination IP + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: category-processor + name: Category processor for create action from web content filtering logs + enabled: true + categories: + - filter: + query: 
"@syslog.msgid:WEBFILTER_URL_BLOCKED" + name: Blocked + - filter: + query: "@syslog.msgid:WEBFILTER_URL_PERMITTED" + name: Permitted + target: action + - type: category-processor + name: Category processor for create category from DoS attack logs + enabled: true + categories: + - filter: + query: "@syslog.msgid:RT_SCREEN_ICMP" + name: ICMP + - filter: + query: "@syslog.msgid:RT_SCREEN_TCP" + name: TCP + - filter: + query: "@syslog.msgid:RT_SCREEN_UDP" + name: UDP + - filter: + query: "@syslog.msgid:RT_SCREEN_IP" + name: IP + - filter: + query: "@syslog.msgid:RT_SCREEN_TCP_DST_IP" + name: TCP destination IP + - filter: + query: "@syslog.msgid:RT_SCREEN_TCP_SRC_IP" + name: TCP source IP + target: category + - type: category-processor + name: Category processor for create category from authentication logs + enabled: true + categories: + - filter: + query: "@syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR DYNAMIC_VPN_AUTH_OK)" + name: Dynamic VPN Auth + - filter: + query: "@syslog.msgid:(REMOTE_ACCESS_VPN_AUTH_FAIL OR + REMOTE_ACCESS_VPN_AUTH_OK)" + name: Remote Access VPN Auth + - filter: + query: "@syslog.msgid:(JADE_AUTH_FAILURE OR JADE_AUTH_SUCCESS)" + name: JADE Auth + - filter: + query: "@syslog.msgid:(FWAUTH_WEBAUTH_FAIL OR FWAUTH_WEBAUTH_SUCCESS)" + name: Web Auth + - filter: + query: "@syslog.msgid:(FWAUTH_FTP_USER_AUTH_FAIL OR + FWAUTH_FTP_USER_AUTH_ACCEPTED)" + name: FTP User Auth + - filter: + query: "@syslog.msgid:(FWAUTH_HTTPS_USER_AUTH_FAIL OR + FWAUTH_HTTPS_USER_AUTH_ACCEPTED)" + name: HTTPs User Auth + - filter: + query: "@syslog.msgid:(FWAUTH_HTTP_USER_AUTH_FAIL OR + FWAUTH_HTTP_USER_AUTH_ACCEPTED)" + name: HTTP User Auth + - filter: + query: "@syslog.msgid:(FWAUTH_TELNET_USER_AUTH_FAIL OR + FWAUTH_TELNET_USER_AUTH_ACCEPTED)" + name: Telnet User Auth + - filter: + query: "@syslog.msgid:(WEB_AUTH_FAIL OR WEB_AUTH_SUCCESS)" + name: J-Web Auth + - filter: + query: "@syslog.msgid:SSHD_LOGIN_FAILED" + name: SSHD Auth + target: category + - name: Lookup for 
`protocol-id` to `protocol` + enabled: true + source: protocol-id + target: protocol + lookupTable: |- + 0,HOPOPT + 1,ICMP + 2,IGMP + 3,GGP + 4,IPv4 + 5,ST + 6,TCP + 7,CBT + 8,EGP + 9,IGP + 10,BBN-RCC-MON + 11,NVP-II + 12,PUP + 14,EMCON + 15,XNET + 16,CHAOS + 17,UDP + 18,MUX + 19,DCN-MEAS + 20,HMP + 21,PRM + 22,XNS-IDP + 23,TRUNK-1 + 24,TRUNK-2 + 25,LEAF-1 + 26,LEAF-2 + 27,RDP + 28,IRTP + 29,ISO-TP4 + 30,NETBLT + 31,MFE-NSP + 32,MERIT-INP + 33,DCCP + 34,3PC + 35,IDPR + 36,XTP + 37,DDP + 38,IDPR-CMTP + 39,TP++ + 40,IL + 41,IPv6 + 42,SDRP + 43,IPv6-Route + 44,IPv6-Frag + 45,IDRP + 46,RSVP + 47,GRE + 48,DSR + 49,BNA + 50,ESP + 51,AH + 52,I-NLSP + 54,NARP + 55,Min-IPv4 + 56,TLSP + 57,SKIP + 58,IPv6-ICMP + 59,IPv6-NoNxt + 60,IPv6-Opts + 62,CFTP + 64,SAT-EXPAK + 65,KRYPTOLAN + 66,RVD + 67,IPPC + 69,SAT-MON + 70,VISA + 71,IPCV + 72,CPNX + 73,CPHB + 74,WSN + 75,PVP + 76,BR-SAT-MON + 77,SUN-ND + 78,WB-MON + 79,WB-EXPAK + 80,ISO-IP + 81,VMTP + 82,SECURE-VMTP + 83,VINES + 84,IPTM + 85,NSFNET-IGP + 86,DGP + 87,TCF + 88,EIGRP + 89,OSPFIGP + 90,Sprite-RPC + 91,LARP + 92,MTP + 93,AX.25 + 94,IPIP + 96,SCC-SP + 97,ETHERIP + 98,ENCAP + 100,GMTP + 101,IFMP + 102,PNNI + 103,PIM + 104,ARIS + 105,SCPS + 106,QNX + 107,A/N + 108,IPComp + 109,SNP + 110,Compaq-Peer + 111,IPX-in-IP + 112,VRRP + 113,PGM + 115,L2TP + 116,DDX + 117,IATP + 118,STP + 119,SRP + 120,UTI + 121,SMP + 123,PTP + 124,ISIS over IPv4 + 125,FIRE + 126,CRTP + 127,CRUDP + 128,SSCOPMCE + 129,IPLT + 130,SPS + 131,PIPE + 132,SCTP + 133,FC + 134,RSVP-E2E-IGNORE + 135,Mobility Header + 136,UDPLite + 137,MPLS-in-IP + 138,manet + 139,HIP + 140,Shim6 + 141,WESP + 142,ROHC + 143,Ethernet + 144,AGGFRAG + 145,NSH + 146,Homa + 147,BIT-EMU + defaultLookup: UNKNOWN + type: lookup-processor diff --git a/juniper_srx_firewall/assets/logs/juniper-srx-firewall_tests.yaml b/juniper_srx_firewall/assets/logs/juniper-srx-firewall_tests.yaml new file mode 100644 index 0000000000000..876bca1e9e8ec --- /dev/null 
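Review bot: The authentication category-processor folds each failure/success msgid pair into one `category` value (`DYNAMIC_VPN_AUTH_FAIL` and `DYNAMIC_VPN_AUTH_OK` both become `Dynamic VPN Auth`, and so on down to `SSHD_LOGIN_FAILED`), so a facet, monitor or dashboard built on `@category` cannot tell failed logins from successful ones without re-querying `@syslog.msgid`; the web-filter processor already splits outcome into `action` (`Blocked`/`Permitted`), and the auth logs would benefit from the same treatment, for example a second category-processor writing `failure`/`success` into the standard `evt.outcome` attribute, as sketched below. Separately, the `Elapsed Time`, `Inbound Bytes`, `Packets From Client` and similar facets are declared `type: integer`/`double` while the attribute-remappers copy the raw string values through unchanged (the tests file's expected output shows `elapsed_time: "1803"`); confirm these are indexed as numbers, otherwise the range facets and the dashboard's `sum`/`avg` computes on `@juniper_srx_firewall.elapsed_time` and friends will not behave as intended. Minor style point: the final lookup-processor puts `type: lookup-processor` after its other keys while every other processor in the list leads with `type`.
```yaml
    # … unchanged: authentication category-processor (target: category) …
    - type: category-processor
      name: Category processor for authentication outcome
      enabled: true
      categories:
        - filter:
            query: "@syslog.msgid:(DYNAMIC_VPN_AUTH_FAIL OR REMOTE_ACCESS_VPN_AUTH_FAIL OR JADE_AUTH_FAILURE OR FWAUTH_WEBAUTH_FAIL OR FWAUTH_FTP_USER_AUTH_FAIL OR FWAUTH_HTTPS_USER_AUTH_FAIL OR FWAUTH_HTTP_USER_AUTH_FAIL OR FWAUTH_TELNET_USER_AUTH_FAIL OR WEB_AUTH_FAIL OR SSHD_LOGIN_FAILED)"
          name: failure
        - filter:
            query: "@syslog.msgid:(DYNAMIC_VPN_AUTH_OK OR REMOTE_ACCESS_VPN_AUTH_OK OR JADE_AUTH_SUCCESS OR FWAUTH_WEBAUTH_SUCCESS OR FWAUTH_FTP_USER_AUTH_ACCEPTED OR FWAUTH_HTTPS_USER_AUTH_ACCEPTED OR FWAUTH_HTTP_USER_AUTH_ACCEPTED OR FWAUTH_TELNET_USER_AUTH_ACCEPTED OR WEB_AUTH_SUCCESS)"
          name: success
      target: evt.outcome
    # … unchanged: protocol-id lookup-processor …
```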
+++ b/juniper_srx_firewall/assets/logs/juniper-srx-firewall_tests.yaml 
@@ -0,0 +1,1030 @@ +id: "juniper-srx-firewall" +tests: + - + sample: |- + { + "tunnel-inspection" : "Off", + "user-type" : "N/A", + "reason" : "idle Timeout", + "packet-incoming-interface" : "ge-0/0/1.0", + "bytes-from-client" : "650", + "source-tenant" : "N/A", + "peer-destination-port" : "0", + "nat-connection-tag" : "0", + "src-vrf-grp" : "N/A", + "connection-tag" : "0", + "service-name" : "junos-https", + "hostname" : "NA NA", + "session-flag" : "0", + "policy-name" : "default-permit", + "destination-address" : "10.10.20.20", + "packets-from-server" : "8", + "nat-destination-port" : "443", + "src-nat-rule-name" : "snat_pat", + "nat-source-address" : "20.20.20.20", + "destination-service" : "N/A", + "peer-source-port" : "0", + "source-zone-name" : "trust", + "secure-web-proxy-session-type" : "NA", + "bytes-from-server" : "6268", + "tunnel-inspection-policy-set" : "root", + "application-characteristics" : "N/A", + "peer-source-address" : "0.0.0.0", + "session-id" : "105822", + "source-port" : "50267", + "roles" : "N/A", + "dst-nat-rule-type" : "N/A", + "nested-application" : "UNKNOWN", + "syslog" : { + "severity" : 6, + "hostname" : "dds-srx", + "appname" : "RT_FLOW", + "msgid" : "RT_FLOW_SESSION_CLOSE", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "source-address" : "10.10.10.10", + "destination-zone-name" : "untrust", + "application-category" : "N/A", + "application-sub-category" : "N/A", + "src-nat-rule-type" : "source rule", + "elapsed-time" : "1803", + "nat-source-port" : "10019", + "nat-destination-address" : "30.30.30.30", + "application-risk" : "-1", + "packets-from-client" : "6", + "peer-session-id" : "0", + "dst-nat-rule-name" : "N/A", + "application" : "UNKNOWN", + "encrypted" : "UNKNOWN", + "peer-destination-address" : "0.0.0.0", + "destination-port" : "443", + "protocol-id" : "6", + "username" : "user1", + "dst-vrf-grp" : "N/A" + } + result: + custom: + application: "UNKNOWN" + 
application-category: "N/A" + application-characteristics: "N/A" + application-risk: "-1" + application-sub-category: "N/A" + connection-tag: "0" + destination-service: "N/A" + destination-zone-name: "untrust" + dst-nat-rule-name: "N/A" + dst-nat-rule-type: "N/A" + dst-vrf-grp: "N/A" + encrypted: "UNKNOWN" + hostname: "NA NA" + juniper_srx_firewall: + elapsed_time: "1803" + packets_from_client: "6" + packets_from_server: "8" + nat-connection-tag: "0" + nat-destination-address: "30.30.30.30" + nat-destination-port: "443" + nat-source-address: "20.20.20.20" + nat-source-port: "10019" + nested-application: "UNKNOWN" + network: + bytes_read: "650" + bytes_written: "6268" + client: + geoip: {} + ip: "10.10.10.10" + port: "50267" + destination: + geoip: {} + ip: "10.10.20.20" + port: "443" + packet-incoming-interface: "ge-0/0/1.0" + peer-destination-address: "0.0.0.0" + peer-destination-port: "0" + peer-session-id: "0" + peer-source-address: "0.0.0.0" + peer-source-port: "0" + policy-name: "default-permit" + protocol: "TCP" + protocol-id: "6" + reason: "idle Timeout" + roles: "N/A" + secure-web-proxy-session-type: "NA" + service: "juniper-srx-firewall" + service-name: "junos-https" + session-flag: "0" + session-id: "105822" + source-tenant: "N/A" + source-zone-name: "trust" + src-nat-rule-name: "snat_pat" + src-nat-rule-type: "source rule" + src-vrf-grp: "N/A" + syslog: + appname: "RT_FLOW" + facility: 1 + hostname: "dds-srx" + msgid: "RT_FLOW_SESSION_CLOSE" + prival: 14 + severity: 6 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + tunnel-inspection: "Off" + tunnel-inspection-policy-set: "root" + user-type: "N/A" + usr: + name: "user1" + message: |- + { + "tunnel-inspection" : "Off", + "user-type" : "N/A", + "reason" : "idle Timeout", + "packet-incoming-interface" : "ge-0/0/1.0", + "bytes-from-client" : "650", + "source-tenant" : "N/A", + "peer-destination-port" : "0", + "nat-connection-tag" : "0", + "src-vrf-grp" : "N/A", + "connection-tag" : "0", + 
"service-name" : "junos-https", + "hostname" : "NA NA", + "session-flag" : "0", + "policy-name" : "default-permit", + "destination-address" : "10.10.20.20", + "packets-from-server" : "8", + "nat-destination-port" : "443", + "src-nat-rule-name" : "snat_pat", + "nat-source-address" : "20.20.20.20", + "destination-service" : "N/A", + "peer-source-port" : "0", + "source-zone-name" : "trust", + "secure-web-proxy-session-type" : "NA", + "bytes-from-server" : "6268", + "tunnel-inspection-policy-set" : "root", + "application-characteristics" : "N/A", + "peer-source-address" : "0.0.0.0", + "session-id" : "105822", + "source-port" : "50267", + "roles" : "N/A", + "dst-nat-rule-type" : "N/A", + "nested-application" : "UNKNOWN", + "syslog" : { + "severity" : 6, + "hostname" : "dds-srx", + "appname" : "RT_FLOW", + "msgid" : "RT_FLOW_SESSION_CLOSE", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "source-address" : "10.10.10.10", + "destination-zone-name" : "untrust", + "application-category" : "N/A", + "application-sub-category" : "N/A", + "src-nat-rule-type" : "source rule", + "elapsed-time" : "1803", + "nat-source-port" : "10019", + "nat-destination-address" : "30.30.30.30", + "application-risk" : "-1", + "packets-from-client" : "6", + "peer-session-id" : "0", + "dst-nat-rule-name" : "N/A", + "application" : "UNKNOWN", + "encrypted" : "UNKNOWN", + "peer-destination-address" : "0.0.0.0", + "destination-port" : "443", + "protocol-id" : "6", + "username" : "user1", + "dst-vrf-grp" : "N/A" + } + service: "juniper-srx-firewall" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "profile-name" : "profile-1", + "reason" : "timeout", + "source-port" : "12345", + "roles" : [ "admin" ], + "nested-application" : "NestedApp", + "bytes-from-client" : 2048, + "syslog" : { + "severity" : 5, + "hostname" : "dds-srx", + "msgid" : "APPTRACK_SESSION_CLOSE", + "prival" : 14, + "facility" : 1, + 
"version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "multipath-rule-name" : "multipath-1", + "source-address" : "10.10.10.10", + "src-vrf-grp" : "vrf-1", + "service-name" : "HTTP", + "uplink-incoming-interface-name" : "uplink-eth0", + "sub-category" : "security", + "destination-zone-name" : "external", + "dscp-value" : 10, + "policy-name" : "policy-1", + "uplink-tx-bytes" : 1024, + "uplink-rx-bytes" : 2048, + "destination-address" : "10.10.20.20", + "elapsed-time" : 300, + "nat-source-port" : "54321", + "routing-instance" : "instance-1", + "packets-from-server" : 150, + "nat-destination-address" : "10.10.20.20", + "packets-from-client" : 100, + "nat-destination-port" : "8080", + "src-nat-rule-name" : "src-rule-1", + "nat-source-address" : "10.10.10.10", + "source-zone-name" : "internal", + "bytes-from-server" : 4096, + "apbr-rule-type" : "type-1", + "dst-nat-rule-name" : "dst-rule-1", + "destination-interface-name" : "eth0", + "application" : "Web", + "encrypted" : false, + "destination-port" : "80", + "rule-name" : "rule-1", + "apbr-policy-name" : "apbr-1", + "protocol-id" : "6", + "category" : "network", + "session-id" : "sess-001", + "username" : "user1", + "dst-vrf-grp" : "vrf-2" + } + result: + custom: + apbr-policy-name: "apbr-1" + apbr-rule-type: "type-1" + application: "Web" + category: "network" + destination-interface-name: "eth0" + destination-zone-name: "external" + dscp-value: 10 + dst-nat-rule-name: "dst-rule-1" + dst-vrf-grp: "vrf-2" + encrypted: false + juniper_srx_firewall: + elapsed_time: 300 + packets_from_client: 100 + packets_from_server: 150 + multipath-rule-name: "multipath-1" + nat-destination-address: "10.10.20.20" + nat-destination-port: "8080" + nat-source-address: "10.10.10.10" + nat-source-port: "54321" + nested-application: "NestedApp" + network: + bytes_read: 2048 + bytes_written: 4096 + client: + geoip: {} + ip: "10.10.10.10" + port: "12345" + destination: + geoip: {} + ip: "10.10.20.20" + port: "80" + policy-name: 
"policy-1" + profile-name: "profile-1" + protocol: "TCP" + protocol-id: "6" + reason: "timeout" + roles: + - "admin" + routing-instance: "instance-1" + rule-name: "rule-1" + service: "juniper-srx-firewall" + service-name: "HTTP" + session-id: "sess-001" + source-zone-name: "internal" + src-nat-rule-name: "src-rule-1" + src-vrf-grp: "vrf-1" + sub-category: "security" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "APPTRACK_SESSION_CLOSE" + prival: 14 + severity: 5 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + uplink-incoming-interface-name: "uplink-eth0" + uplink-rx-bytes: 2048 + uplink-tx-bytes: 1024 + usr: + name: "user1" + message: |- + { + "profile-name" : "profile-1", + "reason" : "timeout", + "source-port" : "12345", + "roles" : [ "admin" ], + "nested-application" : "NestedApp", + "bytes-from-client" : 2048, + "syslog" : { + "severity" : 5, + "hostname" : "dds-srx", + "msgid" : "APPTRACK_SESSION_CLOSE", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "multipath-rule-name" : "multipath-1", + "source-address" : "10.10.10.10", + "src-vrf-grp" : "vrf-1", + "service-name" : "HTTP", + "uplink-incoming-interface-name" : "uplink-eth0", + "sub-category" : "security", + "destination-zone-name" : "external", + "dscp-value" : 10, + "policy-name" : "policy-1", + "uplink-tx-bytes" : 1024, + "uplink-rx-bytes" : 2048, + "destination-address" : "10.10.20.20", + "elapsed-time" : 300, + "nat-source-port" : "54321", + "routing-instance" : "instance-1", + "packets-from-server" : 150, + "nat-destination-address" : "10.10.20.20", + "packets-from-client" : 100, + "nat-destination-port" : "8080", + "src-nat-rule-name" : "src-rule-1", + "nat-source-address" : "10.10.10.10", + "source-zone-name" : "internal", + "bytes-from-server" : 4096, + "apbr-rule-type" : "type-1", + "dst-nat-rule-name" : "dst-rule-1", + "destination-interface-name" : "eth0", + "application" : "Web", + "encrypted" : false, + "destination-port" : 
"80", + "rule-name" : "rule-1", + "apbr-policy-name" : "apbr-1", + "protocol-id" : "6", + "category" : "network", + "session-id" : "sess-001", + "username" : "user1", + "dst-vrf-grp" : "vrf-2" + } + service: "juniper-srx-firewall" + status: "notice" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "source-zone-name" : "trust", + "source-port" : "1234", + "destination-port" : "80", + "interface-name" : "ge-0/0/0", + "protocol-id" : "6", + "destination-address" : "10.10.10.20", + "syslog" : { + "severity" : 5, + "hostname" : "dds-srx", + "msgid" : "FLOW_LOG_PKT_DROP", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "message" : "Packet dropped 10.10.10.10/1234->10.10.10.20/80 6 ge-0/0/0 trust", + "source-address" : "10.10.10.10" + } + result: + custom: + interface-name: "ge-0/0/0" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "1234" + destination: + geoip: {} + ip: "10.10.10.20" + port: "80" + protocol: "TCP" + protocol-id: "6" + service: "juniper-srx-firewall" + source-zone-name: "trust" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "FLOW_LOG_PKT_DROP" + prival: 14 + severity: 5 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + message: "Packet dropped 10.10.10.10/1234->10.10.10.20/80 6 ge-0/0/0 trust" + service: "juniper-srx-firewall" + status: "notice" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "hostname" : "dummyhost10", + "win-grp" : "dummygroup10", + "device-os" : "Windows 10", + "src-ip-str" : "10.10.10.10", + "win-domain" : "dummydomain10", + "syslog" : { + "severity" : 5, + "hostname" : "dds-srx", + "msgid" : "REMOTE_ACCESS_VPN_AUTH_OK", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "realm-name" : "dummyrealm10", + "user-application" : "dummyapp10", + "device-id-str" : "dummydevice10", + "username" : "dummyuser10" + } + result: + custom: + category: 
"Remote Access VPN Auth" + device-id-str: "dummydevice10" + device-os: "Windows 10" + hostname: "dummyhost10" + network: + client: + geoip: {} + ip: "10.10.10.10" + realm-name: "dummyrealm10" + service: "juniper-srx-firewall" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "REMOTE_ACCESS_VPN_AUTH_OK" + prival: 14 + severity: 5 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + user-application: "dummyapp10" + usr: + name: "dummyuser10" + win-domain: "dummydomain10" + win-grp: "dummygroup10" + message: |- + { + "hostname" : "dummyhost10", + "win-grp" : "dummygroup10", + "device-os" : "Windows 10", + "src-ip-str" : "10.10.10.10", + "win-domain" : "dummydomain10", + "syslog" : { + "severity" : 5, + "hostname" : "dds-srx", + "msgid" : "REMOTE_ACCESS_VPN_AUTH_OK", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "realm-name" : "dummyrealm10", + "user-application" : "dummyapp10", + "device-id-str" : "dummydevice10", + "username" : "dummyuser10" + } + service: "juniper-srx-firewall" + status: "notice" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "hostname" : "dummyhost1", + "win-grp" : "dummygroup1", + "device-os" : "Windows 10", + "error-message" : "Invalid password", + "src-ip-str" : "192.10.10.10", + "win-domain" : "dummydomain1", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "REMOTE_ACCESS_VPN_AUTH_FAIL", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "realm-name" : "dummyrealm1", + "user-application" : "dummyapp1", + "device-id-str" : "dummydevice1", + "username" : "dummyuser1" + } + result: + custom: + category: "Remote Access VPN Auth" + device-id-str: "dummydevice1" + device-os: "Windows 10" + error-message: "Invalid password" + hostname: "dummyhost1" + network: + client: + geoip: {} + ip: "192.10.10.10" + realm-name: "dummyrealm1" + service: "juniper-srx-firewall" + syslog: + 
facility: 1 + hostname: "dds-srx" + msgid: "REMOTE_ACCESS_VPN_AUTH_FAIL" + prival: 14 + severity: 4 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + user-application: "dummyapp1" + usr: + name: "dummyuser1" + win-domain: "dummydomain1" + win-grp: "dummygroup1" + message: |- + { + "hostname" : "dummyhost1", + "win-grp" : "dummygroup1", + "device-os" : "Windows 10", + "error-message" : "Invalid password", + "src-ip-str" : "192.10.10.10", + "win-domain" : "dummydomain1", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "REMOTE_ACCESS_VPN_AUTH_FAIL", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "realm-name" : "dummyrealm1", + "user-application" : "dummyapp1", + "device-id-str" : "dummydevice1", + "username" : "dummyuser1" + } + service: "juniper-srx-firewall" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "client-address" : "10.10.10.10", + "group-name" : "dummygroup1", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "FWAUTH_WEBAUTH_SUCCESS", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "username" : "dummyuser10" + } + result: + custom: + category: "Web Auth" + group-name: "dummygroup1" + network: + client: + geoip: {} + ip: "10.10.10.10" + service: "juniper-srx-firewall" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "FWAUTH_WEBAUTH_SUCCESS" + prival: 14 + severity: 4 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + usr: + name: "dummyuser10" + message: |- + { + "client-address" : "10.10.10.10", + "group-name" : "dummygroup1", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "FWAUTH_WEBAUTH_SUCCESS", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "username" : "dummyuser10" + } + service: "juniper-srx-firewall" + status: "warn" + tags: + - "source:LOGS_SOURCE" + 
timestamp: 1739996119289 + - + sample: |- + { + "client-address" : "10.10.10.10", + "group-name" : "dummygroup1", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "FWAUTH_WEBAUTH_SUCCESS", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "username" : "dummyuser10" + } + result: + custom: + category: "Web Auth" + group-name: "dummygroup1" + network: + client: + geoip: {} + ip: "10.10.10.10" + service: "juniper-srx-firewall" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "FWAUTH_WEBAUTH_SUCCESS" + prival: 14 + severity: 4 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + usr: + name: "dummyuser10" + message: |- + { + "client-address" : "10.10.10.10", + "group-name" : "dummygroup1", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "FWAUTH_WEBAUTH_SUCCESS", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "username" : "dummyuser10" + } + service: "juniper-srx-firewall" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "verdict-number" : 2, + "reason" : "spyware detected", + "hostname" : "host-3", + "threat-score" : 75, + "policy-name" : "policy-3", + "state" : "cleaning", + "syslog" : { + "severity" : 3, + "hostname" : "dds-srx", + "msgid" : "AAMW_HOST_INFECTED_EVENT_LOG", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:17:19.289Z" + }, + "message" : "Host infected due to spyware download", + "tenant-id" : "tenant-003", + "source-address" : "10.10.10.10", + "status" : "infected", + "username" : "user3" + } + result: + custom: + hostname: "host-3" + juniper_srx_firewall: + threat_score: 75 + verdict_number: 2 + network: + client: + geoip: {} + ip: "10.10.10.10" + policy-name: "policy-3" + reason: "spyware detected" + service: "juniper-srx-firewall" + state: "cleaning" + status: "infected" + syslog: + facility: 1 + hostname: 
"dds-srx" + msgid: "AAMW_HOST_INFECTED_EVENT_LOG" + prival: 14 + severity: 3 + timestamp: "2025-02-19T20:17:19.289Z" + version: 1 + tenant-id: "tenant-003" + usr: + name: "user3" + message: "Host infected due to spyware download" + service: "juniper-srx-firewall" + status: "error" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996239289 + - + sample: |- + { + "outbound-bytes" : "4096", + "source-port" : "12346", + "inbound-bytes" : "2048", + "roles" : [ "user" ], + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "IDP_ATTACK_LOG_EVENT", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:15:19.289Z" + }, + "protocol-name" : "TCP", + "source-address" : "10.10.10.10", + "source-interface-name" : "eth1", + "repeat-count" : "2", + "service-name" : "HTTPS", + "destination-zone-name" : "external", + "inbound-packets" : "15", + "xff-header" : "10.0.0.3", + "alert" : "false", + "message-type" : "Attack log", + "policy-name" : "policy-2", + "threat-severity" : "medium", + "destination-address" : "10.10.20.20", + "action" : "block", + "elapsed-time" : "150", + "nat-source-port" : "54322", + "application-name" : "Secure Web", + "attack-name" : "Cross-Site Scripting", + "nat-destination-address" : "10.10.20.20", + "nat-destination-port" : "8443", + "cve-id" : "CVE-2021-12346", + "message" : "Attack blocked", + "nat-source-address" : "10.10.10.10", + "epoch-time" : "1672531200", + "source-zone-name" : "internal", + "outbound-packets" : "30", + "destination-interface-name" : "eth2", + "packet-log-id" : "pkt-002", + "destination-port" : "443", + "rule-name" : "rule-2", + "export-id" : "exp-002", + "rulebase-name" : "rulebase-2", + "username" : "user2", + "session-id" : "sess-002" + } + result: + custom: + action: "block" + alert: "false" + application-name: "Secure Web" + attack-name: "Cross-Site Scripting" + cve-id: "CVE-2021-12346" + destination-interface-name: "eth2" + destination-zone-name: "external" + epoch-time: 
"1672531200" + export-id: "exp-002" + juniper_srx_firewall: + elapsed_time: "150" + inbound_bytes: "2048" + inbound_packets: "15" + outbound_bytes: "4096" + outbound_packets: "30" + message-type: "Attack log" + nat-destination-address: "10.10.20.20" + nat-destination-port: "8443" + nat-source-address: "10.10.10.10" + nat-source-port: "54322" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "12346" + destination: + geoip: {} + ip: "10.10.20.20" + port: "443" + packet-log-id: "pkt-002" + policy-name: "policy-2" + protocol-name: "TCP" + repeat-count: "2" + roles: + - "user" + rule-name: "rule-2" + rulebase-name: "rulebase-2" + service: "juniper-srx-firewall" + service-name: "HTTPS" + session-id: "sess-002" + source-interface-name: "eth1" + source-zone-name: "internal" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "IDP_ATTACK_LOG_EVENT" + prival: 14 + severity: 4 + timestamp: "2025-02-19T20:15:19.289Z" + version: 1 + threat-severity: "medium" + usr: + name: "user2" + xff-header: "10.0.0.3" + message: "Attack blocked" + service: "juniper-srx-firewall" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996119289 + - + sample: |- + { + "source-port" : "50001", + "reason" : "Malware", + "profile" : "web-protection-2", + "roles" : [ "user" ], + "source-zone" : "internal", + "nested-application" : "HTTPS", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "WEBFILTER_URL_BLOCKED", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:16:19.289Z" + }, + "urlcategory-risk" : "5", + "source-address" : "10.10.10.10", + "url" : "https://example.com", + "destination-zone" : "external", + "application" : "Secure Web", + "application-sub-category" : "High Risk", + "destination-port" : "443", + "destination-address" : "10.10.20.20", + "category" : "Malicious", + "session-id" : "sess-002", + "username" : "user2" + } + result: + custom: + action: "Blocked" + application: "Secure Web" + 
application-sub-category: "High Risk" + category: "Malicious" + destination-zone: "external" + nested-application: "HTTPS" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "50001" + destination: + geoip: {} + ip: "10.10.20.20" + port: "443" + profile: "web-protection-2" + reason: "Malware" + roles: + - "user" + service: "juniper-srx-firewall" + session-id: "sess-002" + source-zone: "internal" + syslog: + facility: 1 + hostname: "dds-srx" + msgid: "WEBFILTER_URL_BLOCKED" + prival: 14 + severity: 4 + timestamp: "2025-02-19T20:16:19.289Z" + version: 1 + url: "https://example.com" + urlcategory-risk: "5" + usr: + name: "user2" + message: |- + { + "source-port" : "50001", + "reason" : "Malware", + "profile" : "web-protection-2", + "roles" : [ "user" ], + "source-zone" : "internal", + "nested-application" : "HTTPS", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "msgid" : "WEBFILTER_URL_BLOCKED", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T20:16:19.289Z" + }, + "urlcategory-risk" : "5", + "source-address" : "10.10.10.10", + "url" : "https://example.com", + "destination-zone" : "external", + "application" : "Secure Web", + "application-sub-category" : "High Risk", + "destination-port" : "443", + "destination-address" : "10.10.20.20", + "category" : "Malicious", + "session-id" : "sess-002", + "username" : "user2" + } + service: "juniper-srx-firewall" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739996179289 + - + sample: |- + { + "attack-name" : "ICMP Echo", + "source-zone-name" : "untrust", + "interface-name" : "ge-0/0/1", + "destination-address" : "10.10.20.20", + "action" : "alert", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "appname" : "RT_SCREEN", + "msgid" : "RT_SCREEN_ICMP", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T15:16:19.289+05:00" + }, + "source-address" : "10.10.10.10" + } + result: + custom: + action: "alert" + attack-name: 
"ICMP Echo" + category: "ICMP" + interface-name: "ge-0/0/1" + network: + client: + geoip: {} + ip: "10.10.10.10" + destination: + geoip: {} + ip: "10.10.20.20" + service: "juniper-srx-firewall" + source-zone-name: "untrust" + syslog: + appname: "RT_SCREEN" + facility: 1 + hostname: "dds-srx" + msgid: "RT_SCREEN_ICMP" + prival: 14 + severity: 4 + timestamp: "2025-02-19T15:16:19.289+05:00" + version: 1 + message: |- + { + "attack-name" : "ICMP Echo", + "source-zone-name" : "untrust", + "interface-name" : "ge-0/0/1", + "destination-address" : "10.10.20.20", + "action" : "alert", + "syslog" : { + "severity" : 4, + "hostname" : "dds-srx", + "appname" : "RT_SCREEN", + "msgid" : "RT_SCREEN_ICMP", + "prival" : 14, + "facility" : 1, + "version" : 1, + "timestamp" : "2025-02-19T15:16:19.289+05:00" + }, + "source-address" : "10.10.10.10" + } + service: "juniper-srx-firewall" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1739960179289 \ No newline at end of file diff --git a/juniper_srx_firewall/changelog.d/19749.added b/juniper_srx_firewall/changelog.d/19749.added new file mode 100644 index 0000000000000..aa949b47b7b41 --- /dev/null +++ b/juniper_srx_firewall/changelog.d/19749.added @@ -0,0 +1 @@ +Initial Release \ No newline at end of file diff --git a/juniper_srx_firewall/datadog_checks/__init__.py b/juniper_srx_firewall/datadog_checks/__init__.py new file mode 100644 index 0000000000000..a77b3f5ff63ac --- /dev/null +++ b/juniper_srx_firewall/datadog_checks/__init__.py @@ -0,0 +1,4 @@ +# (C) Datadog, Inc. 2025-present +# All rights reserved +# Licensed under a 3-clause BSD style license (see LICENSE) +__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore diff --git a/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/__about__.py b/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/__about__.py new file mode 100644 index 0000000000000..1bde5986a04b2 --- /dev/null 
+++ b/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/__init__.py b/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/data/conf.yaml.example b/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/data/conf.yaml.example
new file mode 100644
index 0000000000000..4d51f59a42f18
--- /dev/null
+++ b/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: udp
+# port:
+# source: juniper-srx-firewall
+# service: juniper-srx-firewall
diff --git a/juniper_srx_firewall/images/juniper_srx_firewall_authentication_logs.png b/juniper_srx_firewall/images/juniper_srx_firewall_authentication_logs.png
new file mode 100644
index 0000000000000..82add5c61eb73
Binary files /dev/null and b/juniper_srx_firewall/images/juniper_srx_firewall_authentication_logs.png differ
diff --git a/juniper_srx_firewall/images/juniper_srx_firewall_overview.png b/juniper_srx_firewall/images/juniper_srx_firewall_overview.png
new file mode 100644
index 0000000000000..5f46ae32fe056
Binary files /dev/null and b/juniper_srx_firewall/images/juniper_srx_firewall_overview.png differ
diff --git a/juniper_srx_firewall/images/juniper_srx_firewall_security_logs.png b/juniper_srx_firewall/images/juniper_srx_firewall_security_logs.png
new file mode 100644
index 0000000000000..afb182bd35bef
Binary files /dev/null and b/juniper_srx_firewall/images/juniper_srx_firewall_security_logs.png differ
diff --git a/juniper_srx_firewall/images/juniper_srx_firewall_session_logs.png b/juniper_srx_firewall/images/juniper_srx_firewall_session_logs.png
new file mode 100644
index 0000000000000..b62266f166148
Binary files /dev/null and b/juniper_srx_firewall/images/juniper_srx_firewall_session_logs.png differ
diff --git a/juniper_srx_firewall/manifest.json b/juniper_srx_firewall/manifest.json
new file mode 100644
index 0000000000000..bb6dd581cac71
--- /dev/null
+++ b/juniper_srx_firewall/manifest.json
@@ -0,0 +1,74 @@ +{ + "manifest_version": "2.0.0", + "app_uuid": "0451c670-94dc-490e-86b7-b23b5a7cdceb", + "app_id": "juniper-srx-firewall", + "display_on_public_website": false, + "tile": { + "overview": "README.md#Overview", + "configuration": "README.md#Setup", + "support": "README.md#Support", + "changelog": "CHANGELOG.md", + "description": "Gain insights into Juniper SRX Firewall logs", + "title": "Juniper SRX Firewall", + "media": [ + { + "caption": "Juniper SRX Firewall - Overview", + "image_url": "images/juniper_srx_firewall_overview.png", + "media_type": "image" + }, + { + "caption": "Juniper SRX Firewall - Session Logs", + "image_url": "images/juniper_srx_firewall_session_logs.png", + "media_type": "image" + }, + { + "caption": "Juniper SRX Firewall - Security Logs", + "image_url": "images/juniper_srx_firewall_security_logs.png", + "media_type": "image" + }, + { + "caption": "Juniper SRX Firewall - Authentication Logs", + "image_url": "images/juniper_srx_firewall_authentication_logs.png", + "media_type": "image" + } + ], + "classifier_tags": [ + "Supported OS::Linux", + "Supported OS::Windows", + "Supported OS::macOS", + "Category::Log Collection", + "Category::Security", + "Category::Network", + "Offering::Integration", + "Submitted Data Type::Logs" + ] + }, + "assets": { + "integration": { + "auto_install": true, + "source_type_id": 40625309, + "source_type_name": "Juniper SRX Firewall", + "configuration": { + "spec": "assets/configuration/spec.yaml" + }, + "events": { + "creates_events": false + } + }, + "dashboards": { + "Juniper SRX Firewall - Overview": "assets/dashboards/juniper_srx_firewall_overview.json", + "Juniper SRX Firewall - Session Logs": "assets/dashboards/juniper_srx_firewall_session_logs.json", + "Juniper SRX Firewall - Security Logs": "assets/dashboards/juniper_srx_firewall_security_logs.json", + "Juniper SRX Firewall - Authentication Logs": "assets/dashboards/juniper_srx_firewall_authentication_logs.json" + }, + "logs": { + "source": 
"juniper-srx-firewall" + } + }, + "author": { + "support_email": "help@datadoghq.com", + "name": "Datadog", + "homepage": "https://www.datadoghq.com", + "sales_email": "info@datadoghq.com" + } +} \ No newline at end of file diff --git a/juniper_srx_firewall/pyproject.toml b/juniper_srx_firewall/pyproject.toml new file mode 100644 index 0000000000000..f9c3bed69f474 --- /dev/null +++ b/juniper_srx_firewall/pyproject.toml @@ -0,0 +1,59 @@ +[build-system] +requires = [ + "hatchling>=0.13.0", +] +build-backend = "hatchling.build" + +[project] +name = "datadog-juniper-srx-firewall" +description = "The juniper_srx_firewall check" +readme = "README.md" +license = "BSD-3-Clause" +keywords = [ + "datadog", + "datadog agent", + "datadog check", + "juniper_srx_firewall", +] +authors = [ + { name = "Datadog", email = "packages@datadoghq.com" }, +] +classifiers = [ + "Development Status :: 5 - Production/Stable", + "Intended Audience :: Developers", + "Intended Audience :: System Administrators", + "License :: OSI Approved :: BSD License", + "Private :: Do Not Upload", + "Programming Language :: Python :: 3.12", + "Topic :: System :: Monitoring", +] +dependencies = [ + "datadog-checks-base>=4.2.0", +] +dynamic = [ + "version", +] + +[project.optional-dependencies] +deps = [] + +[project.urls] +Source = "https://github.com/DataDog/integrations-core" + +[tool.hatch.version] +path = "datadog_checks/juniper_srx_firewall/__about__.py" + +[tool.hatch.build.targets.sdist] +include = [ + "/datadog_checks", + "/tests", + "/manifest.json", +] + +[tool.hatch.build.targets.wheel] +include = [ + "/datadog_checks/juniper_srx_firewall", +] +dev-mode-dirs = [ + ".", +] diff --git a/kafka_consumer/CHANGELOG.md b/kafka_consumer/CHANGELOG.md index 6836631a83d24..7ea2e1c88d0e6 100644 --- a/kafka_consumer/CHANGELOG.md +++ b/kafka_consumer/CHANGELOG.md @@ -2,7 +2,7 @@ -## 6.5.1 / 2025-03-06 +## 6.5.1 / 2025-03-06 / Agent 7.65.0 ***Fixed***: 
diff --git a/kubevirt_api/CHANGELOG.md b/kubevirt_api/CHANGELOG.md index a22b4a4a53ee9..7d4f4d0d73856 100644 --- a/kubevirt_api/CHANGELOG.md +++ b/kubevirt_api/CHANGELOG.md @@ -2,7 +2,7 @@ -## 1.2.0 / 2025-03-19 +## 1.2.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/mapr/tests/conftest.py b/mapr/tests/conftest.py index 816f06643423d..9fdf8a06242c7 100644 --- a/mapr/tests/conftest.py +++ b/mapr/tests/conftest.py @@ -15,7 +15,9 @@ # customers are expected to install the package themselves. # We do that here for the e2e testing environment. 'apt-get update', - 'apt-get install -y gcc gnupg lsb-release', + 'sh -c "DEBIAN_FRONTEND=noninteractive dpkg --configure -a"', + 'sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -f -y"', + 'sh -c "DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::=\\\"--force-confdef\\\" -o Dpkg::Options::=\\\"--force-confnew\\\" -y install gcc gnupg lsb-release ca-certificates libssl-dev"', # noqa: E501 # mapr-streams-python requires librdkafka headers as they're not shipped with the Agent # This requires adding confluent's APT repositories. These steps are based on the docs in # - https://docs.confluent.io/platform/current/installation/installing_cp/deb-ubuntu.html#get-the-software diff --git a/marklogic/CHANGELOG.md b/marklogic/CHANGELOG.md index 20c30d79bee4c..dab52f187b40f 100644 --- a/marklogic/CHANGELOG.md +++ b/marklogic/CHANGELOG.md @@ -2,7 +2,7 @@ -## 6.1.1 / 2025-03-19 +## 6.1.1 / 2025-03-19 / Agent 7.65.0 ***Fixed***: diff --git a/microsoft_sysmon/CHANGELOG.md b/microsoft_sysmon/CHANGELOG.md new file mode 100644 index 0000000000000..b1be187b2c901 --- /dev/null +++ b/microsoft_sysmon/CHANGELOG.md @@ -0,0 +1,4 @@ +# CHANGELOG - Microsoft Sysmon + + + diff --git a/microsoft_sysmon/README.md b/microsoft_sysmon/README.md new file mode 100644 index 0000000000000..f8d171329f79a --- /dev/null +++ b/microsoft_sysmon/README.md 
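Review bot: The third added command in mapr/tests/conftest.py wraps the Dpkg option values in `\\\"--force-confdef\\\"`, escaping that has to survive the Python literal and the outer `sh -c "..."` only for the inner shell to strip the quotes again; the values contain no whitespace, so `'sh -c "DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confnew -y install gcc gnupg lsb-release ca-certificates libssl-dev"',` is equivalent and much easier to read. The new `dpkg --configure -a` and `apt-get install -f -y` steps carry no comment saying what state they repair; the surrounding comment still only explains why the packages are installed, so a line such as `# repair any half-configured packages in the base image before installing build deps` would spare the next reader a guess (that reading is inferred from the commands, not visible here). `--force-confnew` silently overwrites locally modified config files, which is fine for a throwaway e2e container but is worth stating in the same comment so nobody copies the line into a provisioning script. The command list these entries belong to starts and ends outside the hunk.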
@@ -0,0 +1,117 @@ +# Agent Integration: Microsoft Sysmon + +## Overview + +[Microsoft Sysmon][4] is a Windows system service and device driver that provides detailed logging of system activity, including process creation, network connections, file modifications, and registry changes. + +This integration enriches and ingests the [Sysmon event logs][5]. Use the pre-built dashboard to get a high-level view of the Sysmon events helping security teams monitor system activity. + +## Setup + +### Installation + +To install the Microsoft Sysmon integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management][6] documentation. + +**Note**: This step is not necessary for Agent version >= 7.66.0. + +Run powershell.exe as admin and execute the following command: + ```powershell + & "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" integration install datadog-microsoft_sysmon==1.0.0 + ``` + +### Configuration + +#### Configure Log Collection + +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with: + + ```yaml + logs_enabled: true + ``` + +2. Add this configuration block to your `microsoft_sysmon.d/conf.yaml` file to start collecting your Microsoft Sysmon logs: + + ```yaml + logs: + - type: windows_event + channel_path: "Microsoft-Windows-Sysmon/Operational" + source: microsoft-sysmon + service: microsoft-sysmon + sourcecategory: windowsevent + ``` + +3. [Restart the Agent][3]. + +#### Configure Sysmon + +Follow these steps to install Sysmon: +1. Download the zip file from the [Sysmon download page][4]. Extract its zip file content. +2. Create an XML file for configuring Sysmon. For example, if you want to monitor processes created by apps from AppData folders, the configuration file will look like content shown below. You can add more event filters under the `EventFiltering` XML tag for other events in the same way. 
+ + ```xml + + + + C:\Users\*\AppData\Local\Temp\ + C:\Users\*\AppData\Roaming\ + + + + ``` + +3. Execute the command as admin from the extracted folder: + + ```powershell + .\Sysmon -i [] + ``` + +**Note:** Sysmon is highly configurable using the configuration (XML) file which allows you to: +- Control which events to monitor +- Filter events based on processes, paths, etc. + +Enabling too many event types can result in excessive data ingestion. Only critical security events should be enabled based on the threat model and monitoring needs. +These events should be selectively enabled for critical system directories, processes, and users to avoid unnecessary log noise. + +For more details on configuration, please refer to the [Sysmon docs][7]. + +### Validation + +[Run the Agent's status subcommand][8] and look for `microsoft_sysmon` under the Checks section. + +## Data Collected + +### Logs + +The Microsoft Sysmon integration collects the following [Sysmon event logs][5]: +- Process activity logs +- Network activity logs +- File activity logs +- Registry activity logs +- WMI activity logs +- Sysmon service activity logs +- Named Pipe and Clipboard activity logs + +### Metrics + +The Microsoft Sysmon integration does not include any metrics. + +### Events + +The Microsoft Sysmon integration does not include any events. + +### Service Checks + +The Microsoft Sysmon integration does not include any service checks. + +## Support + +Need help? Contact [Datadog support][1]. 
+
+[1]: https://docs.datadoghq.com/help/
+[2]: https://app.datadoghq.com/account/settings/agent/latest
+[3]: https://docs.datadoghq.com/agent/configuration/agent-commands/#restart-the-agent
+[4]: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+[5]: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events
+[6]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=windowspowershell#install
+[7]: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#configuration-files
+[8]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
diff --git a/microsoft_sysmon/assets/configuration/spec.yaml b/microsoft_sysmon/assets/configuration/spec.yaml
new file mode 100644
index 0000000000000..26ab13091d969
--- /dev/null
+++ b/microsoft_sysmon/assets/configuration/spec.yaml
@@ -0,0 +1,11 @@
+name: Microsoft Sysmon
+files:
+- name: microsoft_sysmon.yaml
+ options:
+ - template: logs
+ example:
+ - type: windows_event
+ channel_path: "Microsoft-Windows-Sysmon/Operational"
+ source: microsoft-sysmon
+ service: microsoft-sysmon
+ sourcecategory: windowsevent
diff --git a/microsoft_sysmon/assets/dashboards/microsoft_sysmon_overview.json b/microsoft_sysmon/assets/dashboards/microsoft_sysmon_overview.json
new file mode 100644
index 0000000000000..7cb8131a54f44
--- /dev/null
+++ b/microsoft_sysmon/assets/dashboards/microsoft_sysmon_overview.json
@@ -0,0 +1,5523 @@ +{ + "title": "Microsoft Sysmon - Overview", + "description": "This dashboard provides a high-level view of Sysmon events to help security teams monitor system activity.", + "widgets": [ + { + "id": 1359354834441998, + "definition": { + "type": "image", + "url": "https://static.datadoghq.com/static/images/logos/windows_large.svg", + "sizing": "contain", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 4053593094949392, + "definition": { + "type": "note", + "content": "**[Microsoft Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)** is a Windows system service and device driver that provides detailed logging of system activity, including process creation, network connections, file modifications, and registry changes.\n\nThis dashboard provides a high-level view of Sysmon events to help security teams monitor system activity.\n\nFor more information, see the [Microsoft Sysmon Integration Documentation](https://docs.datadoghq.com/integrations/microsoft_sysmon/).\n\n**Tip**:\n- Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "vivid_blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 8775006910251794, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4450496910179988, + "definition": { + "title": "Total Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": 
{ + "query": "source:microsoft-sysmon service:microsoft-sysmon @title:* $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 5686703047637430, + "definition": { + "title": "Frequent Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @title:* $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@title", + "limit": 30, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@evt.id", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 300, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 3245028518486104, + "definition": { + "title": "Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + 
"sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @title:* $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 6093067266246302, + "definition": { + "title": "Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @title:* $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessGuid", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessId", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 13 + } + }, + { + "id": 2137447003767606, + "definition": { + "title": "Process Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 
842409397532442, + "definition": { + "title": "Process Creation Rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:1 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "throughput(query1)" + } + ] + } + ], + "autoscale": false, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7040279369647516, + "definition": { + "title": "Process Creations over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:1 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 954744721044432, + "definition": { + "title": "Process Creations by Integrity Level", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:1 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.IntegrityLevel", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 5 + } + }, + { + "id": 7965774045947104, + "definition": { + "title": "Process Termination Rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:5 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "throughput(query1)" + } + ] + } + ], + "autoscale": false, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 4 + } + }, + { + "id": 8850256459951302, + "definition": { + "title": "Top Users with Most Terminated Processes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon 
service:microsoft-sysmon @evt.id:5 @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 9, + "width": 9, + "height": 4 + } + }, + { + "id": 3789223868161956, + "definition": { + "title": "Process Accesses over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:10 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + }, + { + "id": 514936812457780, + "definition": { + "title": "Top Accessed Images", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + 
"name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:10 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.TargetImage", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 17, + "width": 12, + "height": 4 + } + }, + { + "id": 887831533804294, + "definition": { + "title": "Process Tamperings", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:25 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 21, + "width": 3, + "height": 4 + } + }, + { + "id": 4834837717532224, + "definition": { + "title": "Top Tampered Images", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + 
"search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:25 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 21, + "width": 9, + "height": 4 + } + }, + { + "id": 7116822253648652, + "definition": { + "title": "Remote Thread Creations", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:8 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 25, + "width": 3, + "height": 4 + } + }, + { + "id": 3374012569984680, + "definition": { + "title": "Top Images that Created Remote Threads", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:microsoft-sysmon service:microsoft-sysmon @evt.id:8 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.SourceImage", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 25, + "width": 9, + "height": 4 + } + }, + { + "id": 2088002023710630, + "definition": { + "title": "Drivers Loaded", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:6 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 29, + "width": 3, + "height": 4 + } + }, + { + "id": 3334888198070112, + "definition": { + "title": "Unsigned Drivers Loaded", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": 
"logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:6 @Event.EventData.Data.Signed:false $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 29, + "width": 3, + "height": 4 + } + }, + { + "id": 1104311236500672, + "definition": { + "title": "Images Loaded", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:7 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 29, + "width": 3, + "height": 4 + } + }, + { + "id": 4816055381091072, + "definition": { + "title": "Unsigned Images Loaded", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:7 @Event.EventData.Data.Signed:false $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 29, + "width": 3, + "height": 4 + } + }, + { + "id": 1325659093595910, + "definition": { + "title": "Raw Access Reads", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:9 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 33, + "width": 3, + "height": 4 + } + }, + { + "id": 4818041979199100, + "definition": { + "title": "Top Images that Performed Raw Disk Reads", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:9 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + 
"order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 33, + "width": 9, + "height": 4 + } + }, + { + "id": 7034882706015022, + "definition": { + "title": "Top Devices Accessed via Raw Reads", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:9 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Device", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 37, + "width": 12, + "height": 4 + } + }, + { + "id": 7979640528706914, + "definition": { + "title": "Process Activity Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(1 OR 5 OR 6 OR 7 OR 8 OR 9 OR 10 OR 25) $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + 
"width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessGuid", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessId", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 41, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 47 + } + }, + { + "id": 4470038720351178, + "definition": { + "title": "Network Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8663538660516096, + "definition": { + "title": "Network Connection Rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "throughput(query1)" + } + ] + } + ], + "autoscale": false, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7551599805482986, + "definition": { + "title": "Network Connections over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 8948356989736526, + "definition": { + "title": "Top Images that Initiated Network Connections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 7, + "height": 4 + } + }, + { + "id": 1786537123062216, + "definition": { + "title": "Network Connections by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name 
$Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Protocol", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 7, + "y": 4, + "width": 5, + "height": 4 + } + }, + { + "id": 5090805107698444, + "definition": { + "title": "Top Source IPs of Network Connections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + 
} + }, + { + "id": 4990106558273302, + "definition": { + "title": "Top Destination IPs of Network Connections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 8137887495804088, + "definition": { + "title": "Network Connections by Source", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": 
"count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 5 + } + }, + { + "id": 4508715917141142, + "definition": { + "title": "Network Connections by Destination", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 17, + "width": 12, + "height": 5 + } + }, + { + "id": 3929616384458800, + "definition": { + "title": "Network Connections by User", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:3 @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": 
"count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + }, + { + "id": 2051235003298070, + "definition": { + "title": "DNS Queries", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:22 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 26, + "width": 3, + "height": 4 + } + }, + { + "id": 7015404077520622, + "definition": { + "title": "DNS Queries over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:22 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 26, + "width": 9, + "height": 4 + } + }, + { + "id": 2999527941417396, + "definition": { + "title": "DNS Queries by Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:22 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.QueryStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 30, + "width": 5, + "height": 4 + } + }, + { + "id": 8579596295917288, + "definition": { + "title": "Top Images that Initiated DNS Queries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:22 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 5, + "y": 30, + "width": 7, + "height": 4 + } + }, + { + "id": 3958969493532444, + "definition": { + "title": "DNS Queries by User", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:22 @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 34, + "width": 12, + "height": 4 + } + }, + { + "id": 907150526104612, + "definition": { + "title": "Network Activity Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(3 OR 22) $Computer_Name 
$Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessGuid", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessId", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 38, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 63, + "width": 12, + "height": 44 + } + }, + { + "id": 3831071160400802, + "definition": { + "title": "File Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 75179710225556, + "definition": { + "title": "File Creation Rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:11 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "throughput(query1)" + } + ] + } + ], + "autoscale": false, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 8589291774645968, + "definition": { + "title": "File Activity over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": 
[ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(2 OR 11 OR 15 OR 23 OR 26 OR 27 OR 28 OR 29) $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@title", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 7128793110120012, + "definition": { + "title": "Top Images that Created Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:11 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 
0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 4914474597125216, + "definition": { + "title": "File Creation Time Changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:2 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 7765978934395358, + "definition": { + "title": "Top Files with Modified Creation Time", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:2 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.TargetFilename", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 8, + 
"width": 9, + "height": 4 + } + }, + { + "id": 316081080154492, + "definition": { + "title": "Top Users who Modified File Creation Time", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:2 @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 1830360562331696, + "definition": { + "title": "Top Images that Modified File Creation Time", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:2 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 5428588735732450, + "definition": { + "title": "File Stream Creations", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:15 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 3, + "height": 4 + } + }, + { + "id": 7467284189427232, + "definition": { + "title": "Top Images that Created File Streams", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:15 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": 
"query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 16, + "width": 9, + "height": 4 + } + }, + { + "id": 3069436634433224, + "definition": { + "title": "File Deletions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:26 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 4837916516428600, + "definition": { + "title": "Top Users who Performed File Deletions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:26 @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] 
+ } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 20, + "width": 9, + "height": 4 + } + }, + { + "id": 2202438725069178, + "definition": { + "title": "Top Images that Performed File Deletions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:26 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 4 + } + }, + { + "id": 1448300374904474, + "definition": { + "title": "Executable File Creations Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:27 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 28, + "width": 4, + "height": 4 
+ } + }, + { + "id": 3536017399536434, + "definition": { + "title": "Executable File Creations Detected", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:29 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow", + "custom_bg_color": "#650000" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 8889341707385534, + "definition": { + "title": "File Shredding Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:28 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 7392180129379232, + "definition": { + "title": "File Activity Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(2 OR 11 OR 15 OR 23 OR 
26 OR 27 OR 28 OR 29) $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.TargetFilename", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessGuid", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessId", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 32, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 107, + "width": 12, + "height": 38 + } + }, + { + "id": 3116370531785434, + "definition": { + "title": "Registry Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3782451328404618, + "definition": { + "title": "Registry Value Set Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:13 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 4362730887084108, + "definition": { + "title": "Registry Activity over 
Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(12 OR 13 OR 14) $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@title", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 4140577443890856, + "definition": { + "title": "Top Images that Performed Registry Value Set", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:13 $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, 
+ "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7658243483387930, + "definition": { + "title": "Top Users who Performed Registry Value Set", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:13 @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1898457580254196, + "definition": { + "title": "Registry Object Modifications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(12 OR 14) $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 9002455183341598, + "definition": { + "title": 
"Top Users who Performed Registry Object Modifications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(12 OR 14) @usr.name:* $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 8, + "width": 9, + "height": 4 + } + }, + { + "id": 3238793910563332, + "definition": { + "title": "Top Images that Performed Registry Object Modifications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(12 OR 14) $Title $Computer_Name $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } 
+ } + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + }, + { + "id": 5824982243863916, + "definition": { + "title": "Registry Value Set Event Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:13 $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.TargetObject", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Details", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 5 + } + }, + { + "id": 4081390399674084, + "definition": { + "title": "Registry Object Modification Event Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(12 OR 14) $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.EventType", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.TargetObject", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": 
"list_stream" + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 145, + "width": 12, + "height": 27 + } + }, + { + "id": 3519194809274696, + "definition": { + "title": "WMI Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7253838518026984, + "definition": { + "title": "WMI Event Filter Registrations", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:19 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 1438552064611808, + "definition": { + "title": "WMI Event Consumer Registrations", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:20 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, 
+ "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 5193460668945190, + "definition": { + "title": "WMI Event Binding Registrations", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:21 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 2734641992114714, + "definition": { + "title": "WMI Activity over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(19 OR 20 OR 21) $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@title", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 4520227112229536, + 
"definition": { + "title": "WMI Activity Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(19 OR 20 OR 21) $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 172, + "width": 12, + "height": 14 + } + }, + { + "id": 5405967536001640, + "definition": { + "title": "Sysmon Service Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6635740187417476, + "definition": { + "title": "Sysmon Config State Changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:16 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7863115130177892, + "definition": { + "title": 
"Sysmon Service State Changes over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:4 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.State", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 3087887806267320, + "definition": { + "title": "Sysmon Errors", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:255 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 8767003978282064, + "definition": { + "title": "Top Error Actions in Sysmon", + "title_size": "16", + "title_align": 
"left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:255 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.ID", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 9, + "height": 4 + } + }, + { + "id": 5686411072978390, + "definition": { + "title": "Sysmon Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(4 OR 16 OR 255) $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@title", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 
2466105664508810, + "definition": { + "title": "Sysmon Activity Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(4 OR 16 OR 255) $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 186, + "width": 12, + "height": 18 + } + }, + { + "id": 6840484413844234, + "definition": { + "title": "Other Activity", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 190821596092964, + "definition": { + "title": "Named Pipe Connections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:18 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#65a8e6" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7062755195411598, + "definition": { + "title": "Named Pipe Events over Time", + 
"title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(17 OR 18) $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@title", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 5162546952266062, + "definition": { + "title": "Top Images that Created Named Pipes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:17 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + 
"id": 832800976632690, + "definition": { + "title": "Top Users who Created Named Pipes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:17 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 558943371936646, + "definition": { + "title": "Top Images that Initiated Named Pipe Connections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:18 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } 
+ }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 3744509592201082, + "definition": { + "title": "Top Users who Initiated Named Pipe Connections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:18 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 6742299296941950, + "definition": { + "title": "Clipboard Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:24 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + 
"layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + }, + { + "id": 3898671770937944, + "definition": { + "title": "Top Images that Modified Clipboard", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:24 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Event.EventData.Data.Image", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 6, + "height": 4 + } + }, + { + "id": 1422738952775142, + "definition": { + "title": "Top Users who Modified Clipboard", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:24 $Computer_Name $Title $User_Name $Event_ID" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + 
"display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 16, + "width": 6, + "height": 4 + } + }, + { + "id": 7919797014440456, + "definition": { + "title": "Named Pipe and Clipboard Activity Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:microsoft-sysmon service:microsoft-sysmon @evt.id:(17 OR 18 OR 24) $Computer_Name $Title $User_Name $Event_ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@title", + "width": "auto" + }, + { + "field": "@Event.System.Computer", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessGuid", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.ProcessId", + "width": "auto" + }, + { + "field": "@Event.EventData.Data.Image", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 204, + "width": 12, + "height": 26 + } + } + ], + "template_variables": [ + { + "name": "Computer_Name", + "prefix": "@Event.System.Computer", + "available_values": [], + "default": "*" + }, + { + "name": "Event_ID", + "prefix": "@evt.id", + "available_values": [], + "default": "*" + }, + { + "name": "Title", + "prefix": "@title", + "available_values": [], + "default": "*" + }, + { + "name": "User_Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} 
diff --git a/microsoft_sysmon/assets/logs/microsoft-sysmon.yaml b/microsoft_sysmon/assets/logs/microsoft-sysmon.yaml
new file mode 100644
index 0000000000000..81ff41d1076fb
--- /dev/null
+++ b/microsoft_sysmon/assets/logs/microsoft-sysmon.yaml
@@ -0,0 +1,284 @@
+id: microsoft-sysmon
+metric_id: microsoft-sysmon
+backend_only: false
+facets:
+ - groups:
+ - DNS
+ name: Answer Name
+ path: dns.answer.name
+ source: log
+ - groups:
+ - DNS
+ name: Question Name
+ path: dns.question.name
+ source: log
+ - groups:
+ - Geoip
+ name: City Name
+ path: network.client.geoip.city.name
+ source: log
+ - groups:
+ - Geoip
+ name: Continent Code
+ path: network.client.geoip.continent.code
+ source: log
+ - groups:
+ - Geoip
+ name: Continent Name
+ path: network.client.geoip.continent.name
+ source: log
+ - groups:
+ - Geoip
+ name: Country ISO Code
+ path: network.client.geoip.country.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Country Name
+ path: network.client.geoip.country.name
+ source: log
+ - groups:
+ - Geoip
+ name: Subdivision ISO Code
+ path: network.client.geoip.subdivision.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Subdivision Name
+ path: network.client.geoip.subdivision.name
+ source: log
+ - groups:
+ - Web Access
+ name: Client IP
+ path: network.client.ip
+ source: log
+ - groups:
+ - Web Access
+ name: Client Port
+ path: network.client.port
+ source: log
+ - groups:
+ - Geoip
+ name: Destination City Name
+ path: network.destination.geoip.city.name
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Continent Code
+ path: network.destination.geoip.continent.code
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Continent Name
+ path: network.destination.geoip.continent.name
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Country ISO Code
+ path: network.destination.geoip.country.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Country Name
+ path: network.destination.geoip.country.name
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Subdivision ISO Code
+ path: network.destination.geoip.subdivision.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Subdivision Name
+ path: network.destination.geoip.subdivision.name
+ source: log
+ - groups:
+ - Web Access
+ name: Destination IP
+ path: network.destination.ip
+ source: log
+ - groups:
+ - Web Access
+ name: Destination Port
+ path: network.destination.port
+ source: log
+ - groups:
+ - User
+ name: User Name
+ path: usr.name
+ source: log
+pipeline:
+ type: pipeline
+ name: Microsoft Sysmon
+ enabled: true
+ filter:
+ query: source:microsoft-sysmon
+ processors:
+ - type: date-remapper
+ name: Define `Event.System.TimeCreated.SystemTime` as the official date of the
+ log
+ enabled: true
+ sources:
+ - Event.System.TimeCreated.SystemTime
+ - type: service-remapper
+ name: Define `service` as the official service of the log
+ enabled: true
+ sources:
+ - service
+ - type: status-remapper
+ name: Define `level` as the official status of the log
+ enabled: true
+ sources:
+ - level
+ - name: Map `Event.System.EventID` to `title`
+ enabled: true
+ source: Event.System.EventID
+ target: title
+ lookupTable: |-
+ 1,Process created
+ 2,File creation time changed
+ 3,Network connection detected
+ 4,Sysmon service state changed
+ 5,Process terminated
+ 6,Driver loaded
+ 7,Image loaded
+ 8,CreateRemoteThread detected
+ 9,RawAccessRead detected
+ 10,Process accessed
+ 11,File created
+ 12,Registry object added or deleted
+ 13,Registry value set
+ 14,Registry object renamed
+ 15,File stream created
+ 16,Sysmon config state changed
+ 17,Named pipe created
+ 18,Named pipe connected
+ 19,WmiEventFilter activity detected
+ 20,WmiEventConsumer activity detected
+ 21,WmiEventConsumerToFilter activity detected
+ 22,Dns query executed
+ 23,File Delete archived
+ 24,New content in the clipboard
+ 25,Process image change
+ 26,File Delete logged
+ 27,File Block Executable
+ 28,File Block Shredding
+ 29,File Executable detected
+ 255,Sysmon error
+ type: lookup-processor
+ - type: attribute-remapper
+ name: Map `Event.System.EventID` to `evt.id`
+ enabled: true
+ sources:
+ - Event.System.EventID
+ sourceType: attribute
+ target: evt.id
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.User` to `usr.name`
+ enabled: true
+ sources:
+ - Event.EventData.Data.User
+ sourceType: attribute
+ target: usr.name
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: pipeline
+ name: Process Network connection detected event logs
+ enabled: true
+ filter:
+ query: "@evt.id:3"
+ processors:
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.SourceIp` to `network.client.ip`
+ enabled: true
+ sources:
+ - Event.EventData.Data.SourceIp
+ sourceType: attribute
+ target: network.client.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.DestinationIp` to `network.destination.ip`
+ enabled: true
+ sources:
+ - Event.EventData.Data.DestinationIp
+ sourceType: attribute
+ target: network.destination.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.SourcePort` to `network.client.port`
+ enabled: true
+ sources:
+ - Event.EventData.Data.SourcePort
+ sourceType: attribute
+ target: network.client.port
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.DestinationPort` to `network.destination.port`
+ enabled: true
+ sources:
+ - Event.EventData.Data.DestinationPort
+ sourceType: attribute
+ target: network.destination.port
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: geo-ip-parser
+ name: Parse network.destination.ip
+ enabled: true
+ sources:
+ - network.destination.ip
+ target: network.destination.geoip
+ ip_processing_behavior: do-nothing
+ - type: pipeline
+ name: Process DNS query event logs
+ enabled: true
+ filter:
+ query: "@evt.id:22"
+ processors:
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.QueryName` to `dns.question.name`
+ enabled: true
+ sources:
+ - Event.EventData.Data.QueryName
+ sourceType: attribute
+ target: dns.question.name
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.QueryResults` to `dns.answer.name`
+ enabled: true
+ sources:
+ - Event.EventData.Data.QueryResults
+ sourceType: attribute
+ target: dns.answer.name
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `Event.EventData.Data.IpAddress` to `network.client.ip`
+ enabled: true
+ sources:
+ - Event.EventData.Data.IpAddress
+ sourceType: attribute
+ target: network.client.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: geo-ip-parser
+ name: Parse network.client.ip
+ enabled: true
+ sources:
+ - network.client.ip
+ target: network.client.geoip
+ ip_processing_behavior: do-nothing
diff --git a/microsoft_sysmon/assets/logs/microsoft-sysmon_tests.yaml b/microsoft_sysmon/assets/logs/microsoft-sysmon_tests.yaml
new file mode 100644
index 0000000000000..8a04e7774ddf4
--- /dev/null
+++ b/microsoft_sysmon/assets/logs/microsoft-sysmon_tests.yaml
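Review bot: In the `@evt.id:3` sub-pipeline only `network.destination.ip` is passed through a `geo-ip-parser`, so `network.client.ip` (the remapped `Event.EventData.Data.SourceIp`) never receives a `network.client.geoip` value, even though the facets block declares `network.client.geoip.*` facets and the test sample is an inbound connection (`Initiated: false`) whose remote peer is the source address. Adding a second parser targeting `network.client.geoip`, mirroring the one the `@evt.id:22` sub-pipeline already has, would make the client GeoIP facets meaningful for inbound connections; the same `ip_processing_behavior: do-nothing` keeps private and link-local addresses harmless. Separately, the sample's `Event.EventData.Data.RuleName` carries `technique_id=…,technique_name=…` pairs that the pipeline leaves unparsed; a comment such as `# RuleName may carry MITRE technique tags from the Sysmon config; consider a key-value parser` would record the known gap for whoever adds detection facets later. The date-remapper's `name` is a plain scalar continued on the following line (`log`); a `>-` block scalar would make the fold explicit rather than relying on implicit plain-scalar folding.
```yaml
# … unchanged: attribute-remappers and the network.destination.ip geo-ip-parser of the "@evt.id:3" sub-pipeline …
      - type: geo-ip-parser
        name: Parse network.client.ip
        enabled: true
        sources:
          - network.client.ip
        target: network.client.geoip
        ip_processing_behavior: do-nothing
```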
@@ -0,0 +1,214 @@ +id: microsoft-sysmon +tests: + - + sample: |- + { + "level" : "Information", + "Event" : { + "xmlns" : "http://schemas.microsoft.com/win/2004/08/events/event", + "EventData" : { + "Data" : { + "User" : "NT AUTHORITY\\NETWORK SERVICE", + "Image" : "C:\\Windows\\System32\\svchost.exe", + "SourceHostname" : "-", + "SourcePort" : "5353", + "DestinationPort" : "5353", + "DestinationHostname" : "-", + "ProcessGuid" : "{ac9e6aaa-ab97-67d2-1a00-000000001500}", + "DestinationPortName" : "-", + "SourcePortName" : "-", + "UtcTime" : "2025-03-18 11:53:54.968", + "DestinationIp" : "fe80:0:0:0:1958:16a1:813f:bbe8", + "Initiated" : "false", + "SourceIp" : "ff02:0:0:0:0:0:0:fb", + "SourceIsIpv6" : "true", + "DestinationIsIpv6" : "true", + "ProcessId" : "1400", + "Protocol" : "udp", + "RuleName" : "technique_id=T1571,technique_name=Non-Standard Port" + } + }, + "System" : { + "Correlation" : "", + "Task" : "3", + "Keywords" : "0x8000000000000000", + "Channel" : "Microsoft-Windows-Sysmon/Operational", + "Opcode" : "Info", + "Security" : { + "UserID" : "S-1-5-18" + }, + "Provider" : { + "Guid" : "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "Name" : "Microsoft-Windows-Sysmon" + }, + "TimeCreated" : { + "SystemTime" : "2025-03-18T11:53:57.0797708Z" + }, + "EventRecordID" : "126015", + "Execution" : { + "ThreadID" : "4860", + "ProcessID" : "3340" + }, + "Version" : "5", + "Computer" : "zero-test.zeroad.local", + "EventID" : "3", + "Level" : "4" + } + }, + "message" : "Network connection detected:\r\nRuleName: technique_id=T1571,technique_name=Non-Standard Port\r\nUtcTime: 2025-03-18 11:53:54.968\r\nProcessGuid: {ac9e6aaa-ab97-67d2-1a00-000000001500}\r\nProcessId: 1400\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nUser: NT AUTHORITY\\NETWORK SERVICE\r\nProtocol: udp\r\nInitiated: false\r\nSourceIsIpv6: true\r\nSourceIp: ff02:0:0:0:0:0:0:fb\r\nSourceHostname: -\r\nSourcePort: 5353\r\nSourcePortName: -\r\nDestinationIsIpv6: true\r\nDestinationIp: 
fe80:0:0:0:1958:16a1:813f:bbe8\r\nDestinationHostname: -\r\nDestinationPort: 5353\r\nDestinationPortName: -" + } + result: + custom: + Event: + EventData: + Data: + DestinationHostname: "-" + DestinationIsIpv6: "true" + DestinationPortName: "-" + Image: "C:\\Windows\\System32\\svchost.exe" + Initiated: "false" + ProcessGuid: "{ac9e6aaa-ab97-67d2-1a00-000000001500}" + ProcessId: "1400" + Protocol: "udp" + RuleName: "technique_id=T1571,technique_name=Non-Standard Port" + SourceHostname: "-" + SourceIsIpv6: "true" + SourcePortName: "-" + UtcTime: "2025-03-18 11:53:54.968" + System: + Channel: "Microsoft-Windows-Sysmon/Operational" + Computer: "zero-test.zeroad.local" + Correlation: "" + EventRecordID: "126015" + Execution: + ProcessID: "3340" + ThreadID: "4860" + Keywords: "0x8000000000000000" + Level: "4" + Opcode: "Info" + Provider: + Guid: "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" + Name: "Microsoft-Windows-Sysmon" + Security: + UserID: "S-1-5-18" + Task: "3" + TimeCreated: + SystemTime: "2025-03-18T11:53:57.0797708Z" + Version: "5" + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" + evt: + id: "3" + level: "Information" + network: + client: + geoip: {} + ip: "ff02:0:0:0:0:0:0:fb" + port: "5353" + destination: + geoip: {} + ip: "fe80:0:0:0:1958:16a1:813f:bbe8" + port: "5353" + title: "Network connection detected" + usr: + name: "NT AUTHORITY\\NETWORK SERVICE" + message: "Network connection detected:\r\nRuleName: technique_id=T1571,technique_name=Non-Standard Port\r\nUtcTime: 2025-03-18 11:53:54.968\r\nProcessGuid: {ac9e6aaa-ab97-67d2-1a00-000000001500}\r\nProcessId: 1400\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nUser: NT AUTHORITY\\NETWORK SERVICE\r\nProtocol: udp\r\nInitiated: false\r\nSourceIsIpv6: true\r\nSourceIp: ff02:0:0:0:0:0:0:fb\r\nSourceHostname: -\r\nSourcePort: 5353\r\nSourcePortName: -\r\nDestinationIsIpv6: true\r\nDestinationIp: fe80:0:0:0:1958:16a1:813f:bbe8\r\nDestinationHostname: -\r\nDestinationPort: 
5353\r\nDestinationPortName: -" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1742298837079 + - + sample: |- + { + "level" : "Information", + "Event" : { + "xmlns" : "http://schemas.microsoft.com/win/2004/08/events/event", + "EventData" : { + "Data" : { + "User" : "ZEROAD\\ddagentuser", + "ProcessId" : "6556", + "Image" : "C:\\Program Files\\Datadog\\Datadog Agent\\bin\\agent.exe", + "QueryStatus" : "0", + "ProcessGuid" : "{ac9e6aaa-ac1b-67d2-d100-000000001500}", + "QueryResults" : "type: 5 alb-logs-http-agent-shard0-1513124509.us-east-1.elb.amazonaws.com;2600:1f18:24e6:b901:bc25:8af3:b8c5:379f;2600:1f18:24e6:b900:6c95:a871:b291:a0c2;2600:1f18:24e6:b900:5514:23e8:c81c:ac65;2600:1f18:24e6:b900:954f:416b:a2f9:3e09;2600:1f18:24e6:b902:2717:60a2:f762:a702;2600:1f18:24e6:b902:8791:4c2d:6b6c:aabb;2600:1f18:24e6:b900:4e3a:a924:af85:cda6;2600:1f18:24e6:b901:b3c6:a361:fb6d:7502;::ffff:3.233.144.0;::ffff:3.233.144.52;::ffff:3.233.144.38;::ffff:3.233.144.98;::ffff:3.233.144.113;::ffff:3.233.144.39;::ffff:3.233.144.51;::ffff:3.233.144.97;", + "RuleName" : "-", + "QueryName" : "agent-http-intake.logs.datadoghq.com", + "UtcTime" : "2025-03-18 11:54:05.278" + } + }, + "System" : { + "Correlation" : "", + "Task" : "22", + "Keywords" : "0x8000000000000000", + "Channel" : "Microsoft-Windows-Sysmon/Operational", + "Opcode" : "Info", + "Security" : { + "UserID" : "S-1-5-18" + }, + "Provider" : { + "Guid" : "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "Name" : "Microsoft-Windows-Sysmon" + }, + "TimeCreated" : { + "SystemTime" : "2025-03-18T11:54:07.3147754Z" + }, + "EventRecordID" : "126021", + "Execution" : { + "ThreadID" : "4876", + "ProcessID" : "3340" + }, + "Version" : "5", + "Computer" : "zero-test.zeroad.local", + "EventID" : "22", + "Level" : "4" + } + }, + "message" : "Dns query:\r\nRuleName: -\r\nUtcTime: 2025-03-18 11:54:05.278\r\nProcessGuid: {ac9e6aaa-ac1b-67d2-d100-000000001500}\r\nProcessId: 6556\r\nQueryName: 
agent-http-intake.logs.datadoghq.com\r\nQueryStatus: 0\r\nQueryResults: type: 5 alb-logs-http-agent-shard0-1513124509.us-east-1.elb.amazonaws.com;2600:1f18:24e6:b901:bc25:8af3:b8c5:379f;2600:1f18:24e6:b900:6c95:a871:b291:a0c2;2600:1f18:24e6:b900:5514:23e8:c81c:ac65;2600:1f18:24e6:b900:954f:416b:a2f9:3e09;2600:1f18:24e6:b902:2717:60a2:f762:a702;2600:1f18:24e6:b902:8791:4c2d:6b6c:aabb;2600:1f18:24e6:b900:4e3a:a924:af85:cda6;2600:1f18:24e6:b901:b3c6:a361:fb6d:7502;::ffff:3.233.144.0;::ffff:3.233.144.52;::ffff:3.233.144.38;::ffff:3.233.144.98;::ffff:3.233.144.113;::ffff:3.233.144.39;::ffff:3.233.144.51;::ffff:3.233.144.97;\r\nImage: C:\\Program Files\\Datadog\\Datadog Agent\\bin\\agent.exe\r\nUser: ZEROAD\\ddagentuser" + } + result: + custom: + Event: + EventData: + Data: + Image: "C:\\Program Files\\Datadog\\Datadog Agent\\bin\\agent.exe" + ProcessGuid: "{ac9e6aaa-ac1b-67d2-d100-000000001500}" + ProcessId: "6556" + QueryStatus: "0" + RuleName: "-" + UtcTime: "2025-03-18 11:54:05.278" + System: + Channel: "Microsoft-Windows-Sysmon/Operational" + Computer: "zero-test.zeroad.local" + Correlation: "" + EventRecordID: "126021" + Execution: + ProcessID: "3340" + ThreadID: "4876" + Keywords: "0x8000000000000000" + Level: "4" + Opcode: "Info" + Provider: + Guid: "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" + Name: "Microsoft-Windows-Sysmon" + Security: + UserID: "S-1-5-18" + Task: "22" + TimeCreated: + SystemTime: "2025-03-18T11:54:07.3147754Z" + Version: "5" + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" + dns: + answer: + name: "type: 5 
alb-logs-http-agent-shard0-1513124509.us-east-1.elb.amazonaws.com;2600:1f18:24e6:b901:bc25:8af3:b8c5:379f;2600:1f18:24e6:b900:6c95:a871:b291:a0c2;2600:1f18:24e6:b900:5514:23e8:c81c:ac65;2600:1f18:24e6:b900:954f:416b:a2f9:3e09;2600:1f18:24e6:b902:2717:60a2:f762:a702;2600:1f18:24e6:b902:8791:4c2d:6b6c:aabb;2600:1f18:24e6:b900:4e3a:a924:af85:cda6;2600:1f18:24e6:b901:b3c6:a361:fb6d:7502;::ffff:3.233.144.0;::ffff:3.233.144.52;::ffff:3.233.144.38;::ffff:3.233.144.98;::ffff:3.233.144.113;::ffff:3.233.144.39;::ffff:3.233.144.51;::ffff:3.233.144.97;" + question: + name: "agent-http-intake.logs.datadoghq.com" + evt: + id: "22" + level: "Information" + title: "Dns query executed" + usr: + name: "ZEROAD\\ddagentuser" + message: "Dns query:\r\nRuleName: -\r\nUtcTime: 2025-03-18 11:54:05.278\r\nProcessGuid: {ac9e6aaa-ac1b-67d2-d100-000000001500}\r\nProcessId: 6556\r\nQueryName: agent-http-intake.logs.datadoghq.com\r\nQueryStatus: 0\r\nQueryResults: type: 5 alb-logs-http-agent-shard0-1513124509.us-east-1.elb.amazonaws.com;2600:1f18:24e6:b901:bc25:8af3:b8c5:379f;2600:1f18:24e6:b900:6c95:a871:b291:a0c2;2600:1f18:24e6:b900:5514:23e8:c81c:ac65;2600:1f18:24e6:b900:954f:416b:a2f9:3e09;2600:1f18:24e6:b902:2717:60a2:f762:a702;2600:1f18:24e6:b902:8791:4c2d:6b6c:aabb;2600:1f18:24e6:b900:4e3a:a924:af85:cda6;2600:1f18:24e6:b901:b3c6:a361:fb6d:7502;::ffff:3.233.144.0;::ffff:3.233.144.52;::ffff:3.233.144.38;::ffff:3.233.144.98;::ffff:3.233.144.113;::ffff:3.233.144.39;::ffff:3.233.144.51;::ffff:3.233.144.97;\r\nImage: C:\\Program Files\\Datadog\\Datadog Agent\\bin\\agent.exe\r\nUser: ZEROAD\\ddagentuser" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1742298847314 \ No newline at end of file diff --git a/microsoft_sysmon/assets/microsoft_sysmon.svg b/microsoft_sysmon/assets/microsoft_sysmon.svg new file mode 100644 index 0000000000000..5169682cc7698 --- /dev/null +++ b/microsoft_sysmon/assets/microsoft_sysmon.svg @@ -0,0 +1,7 @@ + + + + + + + 
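Review bot: The expected `dns.answer.name` in the second case is the raw Sysmon `QueryResults` string (`type: 5 alb-…;2600:…;::ffff:3.233.144.0;…;`), i.e. a record-type prefix plus a semicolon-joined list of a CNAME and IPv4-mapped IPv6 addresses, so the standard attribute will never hold a single answer name and is not usable as a facet. If the pipeline (which starts before this chunk) is meant to populate a searchable answer, it should split on `;`, strip the `type: N` prefix and route the IPs to an IP attribute, with this expectation updated to match; if the raw value is intentional, a comment in the fixture such as `# QueryResults is kept verbatim; Sysmon emits "type: N" plus ';'-joined answers` would stop the next reader from treating it as a bug.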
diff --git a/microsoft_sysmon/changelog.d/19874.added b/microsoft_sysmon/changelog.d/19874.added new file mode 100644 index 0000000000000..aa949b47b7b41 --- /dev/null +++ b/microsoft_sysmon/changelog.d/19874.added @@ -0,0 +1 @@ +Initial Release \ No newline at end of file diff --git a/microsoft_sysmon/datadog_checks/__init__.py b/microsoft_sysmon/datadog_checks/__init__.py new file mode 100644 index 0000000000000..a77b3f5ff63ac --- /dev/null +++ b/microsoft_sysmon/datadog_checks/__init__.py @@ -0,0 +1,4 @@ +# (C) Datadog, Inc. 2025-present +# All rights reserved +# Licensed under a 3-clause BSD style license (see LICENSE) +__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore diff --git a/microsoft_sysmon/datadog_checks/microsoft_sysmon/__about__.py b/microsoft_sysmon/datadog_checks/microsoft_sysmon/__about__.py new file mode 100644 index 0000000000000..1bde5986a04b2 --- /dev/null +++ b/microsoft_sysmon/datadog_checks/microsoft_sysmon/__about__.py @@ -0,0 +1,4 @@ +# (C) Datadog, Inc. 2025-present +# All rights reserved +# Licensed under a 3-clause BSD style license (see LICENSE) +__version__ = '0.0.1' diff --git a/microsoft_sysmon/datadog_checks/microsoft_sysmon/__init__.py b/microsoft_sysmon/datadog_checks/microsoft_sysmon/__init__.py new file mode 100644 index 0000000000000..b408666583b85 --- /dev/null +++ b/microsoft_sysmon/datadog_checks/microsoft_sysmon/__init__.py @@ -0,0 +1,6 @@ +# (C) Datadog, Inc. 2025-present +# All rights reserved +# Licensed under a 3-clause BSD style license (see LICENSE) +from .__about__ import __version__ + +__all__ = ['__version__'] diff --git a/microsoft_sysmon/datadog_checks/microsoft_sysmon/data/conf.yaml.example b/microsoft_sysmon/datadog_checks/microsoft_sysmon/data/conf.yaml.example new file mode 100644 index 0000000000000..d973d96a71206 --- /dev/null +++ b/microsoft_sysmon/datadog_checks/microsoft_sysmon/data/conf.yaml.example 
@@ -0,0 +1,21 @@ +## Log Section +## +## type - required - Type of log input source (tcp / udp / file / windows_event). +## port / path / channel_path - required - Set port if type is tcp or udp. +## Set path if type is file. +## Set channel_path if type is windows_event. +## source - required - Attribute that defines which integration sent the logs. +## encoding - optional - For file specifies the file encoding. Default is utf-8. Other +## possible values are utf-16-le and utf-16-be. +## service - optional - The name of the service that generates the log. +## Overrides any `service` defined in the `init_config` section. +## tags - optional - Add tags to the collected logs. +## +## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/ +# +# logs: +# - type: windows_event +# channel_path: Microsoft-Windows-Sysmon/Operational +# source: microsoft-sysmon +# service: microsoft-sysmon +# sourcecategory: windowsevent diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_1.png b/microsoft_sysmon/images/microsoft_sysmon_overview_1.png new file mode 100644 index 0000000000000..8e571233976d3 Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_1.png differ diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_2.png b/microsoft_sysmon/images/microsoft_sysmon_overview_2.png new file mode 100644 index 0000000000000..6cea6f583bc2e Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_2.png differ diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_3.png b/microsoft_sysmon/images/microsoft_sysmon_overview_3.png new file mode 100644 index 0000000000000..fa9e53758461d Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_3.png differ 
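Review bot: The example points `type: windows_event` at `Microsoft-Windows-Sysmon/Operational` but says nothing about the read permission the Agent's service account needs on that channel, which is the usual reason this source silently collects nothing; the fixture elsewhere in this diff runs the Agent as `ZEROAD\ddagentuser`, so presumably a non-admin account is the expected deployment. I'd add a comment above `channel_path`, e.g. `## The Agent user must have read access to this channel (for example via the Event Log Readers group or the channel's ACL).` The generic header (tcp/udp/file) is presumably template text; if it is not, trimming it to the `windows_event` case would make the file easier to follow.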
diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_4.png b/microsoft_sysmon/images/microsoft_sysmon_overview_4.png new file mode 100644 index 0000000000000..cc957d65d7709 Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_4.png differ diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_5.png b/microsoft_sysmon/images/microsoft_sysmon_overview_5.png new file mode 100644 index 0000000000000..7be2357be6d9c Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_5.png differ diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_6.png b/microsoft_sysmon/images/microsoft_sysmon_overview_6.png new file mode 100644 index 0000000000000..73fa4ed858cf9 Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_6.png differ diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_7.png b/microsoft_sysmon/images/microsoft_sysmon_overview_7.png new file mode 100644 index 0000000000000..2b84402c6745c Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_7.png differ diff --git a/microsoft_sysmon/images/microsoft_sysmon_overview_8.png b/microsoft_sysmon/images/microsoft_sysmon_overview_8.png new file mode 100644 index 0000000000000..558a76807dbcf Binary files /dev/null and b/microsoft_sysmon/images/microsoft_sysmon_overview_8.png differ diff --git a/microsoft_sysmon/manifest.json b/microsoft_sysmon/manifest.json new file mode 100644 index 0000000000000..74ef0fc28f1b4 --- /dev/null +++ b/microsoft_sysmon/manifest.json 
@@ -0,0 +1,88 @@ +{ + "manifest_version": "2.0.0", + "app_uuid": "76dd5a2d-68d8-4acf-b066-ba00c1524694", + "app_id": "microsoft-sysmon", + "display_on_public_website": false, + "tile": { + "overview": "README.md#Overview", + "configuration": "README.md#Setup", + "support": "README.md#Support", + "changelog": "CHANGELOG.md", + "description": "Gain insights into Windows system activity events.", + "title": "Microsoft Sysmon", + "media": [ + { + "caption": "Microsoft Sysmon - Overview 1", + "image_url": "images/microsoft_sysmon_overview_1.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 2", + "image_url": "images/microsoft_sysmon_overview_2.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 3", + "image_url": "images/microsoft_sysmon_overview_3.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 4", + "image_url": "images/microsoft_sysmon_overview_4.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 5", + "image_url": "images/microsoft_sysmon_overview_5.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 6", + "image_url": "images/microsoft_sysmon_overview_6.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 7", + "image_url": "images/microsoft_sysmon_overview_7.png", + "media_type": "image" + }, + { + "caption": "Microsoft Sysmon - Overview 8", + "image_url": "images/microsoft_sysmon_overview_8.png", + "media_type": "image" + } + ], + "classifier_tags": [ + "Supported OS::Windows", + "Category::Log Collection", + "Category::Security", + "Offering::Integration", + "Submitted Data Type::Logs" + ] + }, + "assets": { + "integration": { + "auto_install": true, + "source_type_id": 42258945, + "source_type_name": "Microsoft Sysmon", + "configuration": { + "spec": "assets/configuration/spec.yaml" + }, + "events": { + "creates_events": false + } + }, + "dashboards": { + "Microsoft Sysmon - 
Overview": "assets/dashboards/microsoft_sysmon_overview.json" + }, + "logs": { + "source": "microsoft-sysmon" + } + }, + "author": { + "support_email": "help@datadoghq.com", + "name": "Datadog", + "homepage": "https://www.datadoghq.com", + "sales_email": "info@datadoghq.com" + } +} diff --git a/microsoft_sysmon/pyproject.toml b/microsoft_sysmon/pyproject.toml new file mode 100644 index 0000000000000..de9d86c25a8bc --- /dev/null +++ b/microsoft_sysmon/pyproject.toml @@ -0,0 +1,59 @@ +[build-system] +requires = [ + "hatchling>=0.13.0", +] +build-backend = "hatchling.build" + +[project] +name = "datadog-microsoft-sysmon" +description = "The Microsoft Sysmon check" +readme = "README.md" +license = "BSD-3-Clause" +keywords = [ + "datadog", + "datadog agent", + "datadog check", + "microsoft_sysmon", +] +authors = [ + { name = "Datadog", email = "packages@datadoghq.com" }, +] +classifiers = [ + "Development Status :: 5 - Production/Stable", + "Intended Audience :: Developers", + "Intended Audience :: System Administrators", + "License :: OSI Approved :: BSD License", + "Private :: Do Not Upload", + "Programming Language :: Python :: 3.12", + "Topic :: System :: Monitoring", +] +dependencies = [ + "datadog-checks-base>=4.2.0", +] +dynamic = [ + "version", +] + +[project.optional-dependencies] +deps = [] + +[project.urls] +Source = "https://github.com/DataDog/integrations-core" + +[tool.hatch.version] +path = "datadog_checks/microsoft_sysmon/__about__.py" + +[tool.hatch.build.targets.sdist] +include = [ + "/datadog_checks", + "/tests", + "/manifest.json", +] + +[tool.hatch.build.targets.wheel] +include = [ + "/datadog_checks/microsoft_sysmon", +] +dev-mode-dirs = [ + ".", +] diff --git a/mongo/CHANGELOG.md b/mongo/CHANGELOG.md index aa4dafc9da117..f97d6587b5799 100644 --- a/mongo/CHANGELOG.md +++ b/mongo/CHANGELOG.md 
@@ -15,7 +15,7 @@ * Skip collect explain plan for shardCollection operation. ([#19990](https://github.com/DataDog/integrations-core/pull/19990)) * Skip dbstats metrics on shards primary because `db.stats` cannot run on shards. ([#19996](https://github.com/DataDog/integrations-core/pull/19996)) -## 9.0.0 / 2025-03-19 +## 9.0.0 / 2025-03-19 / Agent 7.65.0 ***Changed***: diff --git a/mysql/CHANGELOG.md b/mysql/CHANGELOG.md index 67b771aaf5e12..2acdf489e63f7 100644 --- a/mysql/CHANGELOG.md +++ b/mysql/CHANGELOG.md @@ -2,6 +2,12 @@ +## 15.3.1 / 2025-05-07 + +***Fixed***: + +* Remove duplicate idle MySQL activity rows ([#20222](https://github.com/DataDog/integrations-core/pull/20222)) + ## 15.3.0 / 2025-04-22 ***Added***: diff --git a/mysql/assets/configuration/spec.yaml b/mysql/assets/configuration/spec.yaml index 5465fe63a16b7..677164f274526 100644 --- a/mysql/assets/configuration/spec.yaml +++ b/mysql/assets/configuration/spec.yaml 
@@ -617,7 +617,40 @@ files: value: type: string example: mydb.cfxgae8cilcf.us-east-1.rds.amazonaws.com + - name: region + description: | + Equal to the region of the instance the agent is connecting to. + This value is used to configure IAM authentication. + value: + type: string + example: us-east-1 + - name: managed_authentication + description: | + Configure section used for AWS IAM Authentication with RDS. + + This supports using IAM database authentication to connect to your database instance. + For more information on configuration, see + https://docs.datadoghq.com/database_monitoring/guide/managed_authentication + + For more information on RDS IAM Authentication, see the AWS docs + https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html + + To enable IAM Authentication, set `aws.managed_authentication.enabled` to `true`. + If `aws.managed_authentication.enabled` is set, then the `password` fields will be ignored. + `aws.region` is required to enable IAM Authentication. + + Optionally, you can set `aws.managed_authentication.role_arn` to specify the IAM role ARN. + This can be used to perform cross-account authentication. + value: + type: object + properties: + - name: enabled + type: boolean + example: false + - name: role_arn + type: string + example: arn:aws:iam::123456789012:role/MyRole - name: gcp description: | This block defines the configuration for Google Cloud SQL instances. diff --git a/mysql/changelog.d/20176.added b/mysql/changelog.d/20176.added new file mode 100644 index 0000000000000..79f4e15cf4ddc --- /dev/null +++ b/mysql/changelog.d/20176.added @@ -0,0 +1 @@ +Add support for IAM authentication with MySQL \ No newline at end of file diff --git a/mysql/datadog_checks/mysql/__about__.py b/mysql/datadog_checks/mysql/__about__.py index 552ee8c26eb74..0616849267b81 100644 --- a/mysql/datadog_checks/mysql/__about__.py +++ b/mysql/datadog_checks/mysql/__about__.py 
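Review bot: `aws.region` is described as required when `managed_authentication.enabled` is true, but nothing in the spec enforces it, and because `region` carries `example: us-east-1` the generated conf.yaml.example later in this diff renders `optional - default: us-east-1`, a default the model (`region: Optional[str] = None`) does not implement; a user who omits it passes `None` to the token generator instead of getting a clear error. I'd either drop the example or suppress the rendered default (the spec tooling's `display_default`, if this repo's version supports it) and reword the description as `Required when aws.managed_authentication.enabled is true; there is no default.` A matching validator on the `aws` block (enabled implies region set) would turn the runtime failure into a configuration error at startup.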
@@ -2,4 +2,4 @@
 # All rights reserved
 # Licensed under a 3-clause BSD style license (see LICENSE)
-__version__ = "15.3.0"
+__version__ = "15.3.1"
diff --git a/mysql/datadog_checks/mysql/activity.py b/mysql/datadog_checks/mysql/activity.py
index 66280f2092025..6dd74df2862d8 100644
--- a/mysql/datadog_checks/mysql/activity.py
+++ b/mysql/datadog_checks/mysql/activity.py
@@ -266,8 +266,19 @@ def _normalize_rows(self, rows):
 # type: (List[Dict[str]]) -> List[Dict[str]]
 rows = sorted(rows, key=lambda r: self._sort_key(r))
 normalized_rows = []
+ seen = {}
+ second_pass = {}
 estimated_size = 0
 for row in rows:
+ if row["thread_id"] in seen:
+ # `performance_schema.events_statements_current` can contain previous statements
+ # for the same thread. We only want the most recent one.
+ if row["event_timer_end"] < seen[row["thread_id"]]["event_timer_start"]:
+ continue
+ else:
+ second_pass[row["thread_id"]] = {"event_timer_start": row["event_timer_start"]}
+ else:
+ seen[row["thread_id"]] = {"event_timer_start": row["event_timer_start"]}
 if row["sql_text"] is not None:
 row["query_truncated"] = get_truncation_state(row["sql_text"]).value
 row = self._obfuscate_and_sanitize_row(row)
@@ -275,8 +286,23 @@ def _normalize_rows(self, rows):
 if estimated_size > MySQLActivity.MAX_PAYLOAD_BYTES:
 return normalized_rows
 normalized_rows.append(row)
+ if second_pass:
+ normalized_rows = self._eliminate_duplicate_rows(normalized_rows, second_pass)
 return normalized_rows
+ @staticmethod
+ def _eliminate_duplicate_rows(rows, second_pass):
+ # type: (List[Dict[str]], Dict[str]) -> List[Dict[str]]
+ filtered_rows = []
+ for row in rows:
+ if (
+ row["thread_id"] in second_pass
+ and row["event_timer_end"] < second_pass[row["thread_id"]]["event_timer_start"]
+ ):
+ continue
+ filtered_rows.append(row)
+ return filtered_rows
+
 @staticmethod
 def _sort_key(row):
 # type: (Dict[str]) -> int
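Review bot: The second-pass de-duplication is skipped whenever the payload cap is hit, because the existing `return normalized_rows` inside the loop (context at the top of the second hunk) exits before `_eliminate_duplicate_rows` runs, so precisely the busy instances that overflow `MAX_PAYLOAD_BYTES` keep the duplicate rows this change is meant to remove; changing that line to `break` lets the post-loop dedup run on the truncated list with no other change. The comparison `row["event_timer_end"] < …["event_timer_start"]` also assumes both values are non-null integers; the query is outside this chunk, so if `TIMER_END` can arrive as NULL (as I recall older servers report for in-flight statements, or a LEFT JOIN miss) this raises `TypeError` in Python 3, and an `is not None` guard before the comparison is cheap. `_normalize_rows` starts before the hunk.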
diff --git a/mysql/datadog_checks/mysql/aws.py b/mysql/datadog_checks/mysql/aws.py
new file mode 100644
index 0000000000000..8f8dc3164af76
--- /dev/null
+++ b/mysql/datadog_checks/mysql/aws.py
@@ -0,0 +1,25 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+import boto3
+
+
+def generate_rds_iam_token(host, port, username, region, role_arn=None):
+ if role_arn:
+ # when role_arn is defined, assume the role to generate the token
+ # this can be used for cross-account access
+ sts_client = boto3.client("sts")
+ assumed_role = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="datadog-rds-iam-auth-session")
+ credentials = assumed_role["Credentials"]
+ session = boto3.Session(
+ aws_access_key_id=credentials["AccessKeyId"],
+ aws_secret_access_key=credentials["SecretAccessKey"],
+ aws_session_token=credentials["SessionToken"],
+ region_name=region,
+ )
+ else:
+ session = boto3.Session(region_name=region)
+ client = session.client("rds")
+ token = client.generate_db_auth_token(DBHostname=host, Port=port, DBUsername=username)
+
+ return token
diff --git a/mysql/datadog_checks/mysql/config_models/instance.py b/mysql/datadog_checks/mysql/config_models/instance.py
index 670dcc0869e97..afad4d47472ce 100644
--- a/mysql/datadog_checks/mysql/config_models/instance.py
+++ b/mysql/datadog_checks/mysql/config_models/instance.py
@@ -12,7 +12,7 @@
 from types import MappingProxyType
 from typing import Any, Optional
-from pydantic import BaseModel, ConfigDict, field_validator, model_validator
+from pydantic import BaseModel, ConfigDict, Field, field_validator, model_validator
 from datadog_checks.base.utils.functions import identity
 from datadog_checks.base.utils.models import validation
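Review bot: `boto3.client("sts")` on the `role_arn` branch is created without `region_name`, so it depends on whatever region the Agent's environment happens to configure (failing with `NoRegionError` if none is set) and may resolve to the global STS endpoint, while the RDS client a few lines later is explicitly pinned to `region`; `sts_client = boto3.client("sts", region_name=region)` keeps the assume-role call on the regional endpoint and consistent with the rest of the function. For cross-account use, an optional `external_id` parameter passed as `ExternalId=` to `assume_role` is the standard confused-deputy mitigation and lets the target role's trust policy require it. The returned value is a presigned, time-limited credential (AWS documents a 15-minute lifetime), so a docstring line such as `Returns a short-lived IAM auth token; treat it as a password and never log it.` would make the contract explicit to callers.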
@@ -20,12 +20,23 @@ from . import defaults, validators
+class ManagedAuthentication(BaseModel):
+ model_config = ConfigDict(
+ arbitrary_types_allowed=True,
+ frozen=True,
+ )
+ enabled: Optional[bool] = Field(None, examples=[False])
+ role_arn: Optional[str] = Field(None, examples=['arn:aws:iam::123456789012:role/MyRole'])
+
+
 class Aws(BaseModel):
 model_config = ConfigDict(
 arbitrary_types_allowed=True,
 frozen=True,
 )
 instance_endpoint: Optional[str] = None
+ managed_authentication: Optional[ManagedAuthentication] = None
+ region: Optional[str] = None
 class Azure(BaseModel):
diff --git a/mysql/datadog_checks/mysql/data/conf.yaml.example b/mysql/datadog_checks/mysql/data/conf.yaml.example
index 1fad4e3f00db2..93e284281e556 100644
--- a/mysql/datadog_checks/mysql/data/conf.yaml.example
+++ b/mysql/datadog_checks/mysql/data/conf.yaml.example
@@ -577,6 +577,32 @@ instances: # # instance_endpoint: mydb.cfxgae8cilcf.us-east-1.rds.amazonaws.com + ## @param region - string - optional - default: us-east-1 + ## Equal to the region of the instance the agent is connecting to. + ## This value is used to configure IAM authentication. + # + # region: us-east-1 + + ## @param managed_authentication - mapping - optional + ## Configure section used for AWS IAM Authentication with RDS. + ## + ## This supports using IAM database authentication to connect to your database instance. + ## + ## For more information on configuration, see + ## https://docs.datadoghq.com/database_monitoring/guide/managed_authentication + ## + ## For more information on RDS IAM Authentication, see the AWS docs + ## https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html + ## + ## To enable IAM Authentication, set `aws.managed_authentication.enabled` to `true`. + ## If `aws.managed_authentication.enabled` is set, then the `password` fields will be ignored. + ## `aws.region` is required to enable IAM Authentication. + ## + ## Optionally, you can set `aws.managed_authentication.role_arn` to specify the IAM role ARN. + ## This can be used to perform cross-account authentication. + # + # managed_authentication: {} + ## This block defines the configuration for Google Cloud SQL instances. ## ## Complete this section if you have installed the Datadog GCP Integration diff --git a/mysql/datadog_checks/mysql/mysql.py b/mysql/datadog_checks/mysql/mysql.py index 345fcc62e6f3b..2fb2dfe3322e4 100644 --- a/mysql/datadog_checks/mysql/mysql.py +++ b/mysql/datadog_checks/mysql/mysql.py @@ -25,6 +25,7 @@ resolve_db_host as agent_host_resolver, ) from datadog_checks.base.utils.serialization import json +from datadog_checks.mysql import aws from datadog_checks.mysql.cursor import CommenterCursor, CommenterDictCursor, CommenterSSCursor from .__about__ import __version__ 
@@ -103,7 +104,6 @@ class MySql(AgentCheck): REPLICA_SERVICE_CHECK_NAME = 'mysql.replication.replica_running' GROUP_REPLICATION_SERVICE_CHECK_NAME = 'mysql.replication.group.status' DEFAULT_MAX_CUSTOM_QUERIES = 20 - HA_SUPPORTED = True def __init__(self, name, init_config, instances): @@ -494,6 +494,20 @@ def _get_connection_args(self): return connection_args connection_args.update({'user': self._config.user, 'passwd': self._config.password}) + if 'aws' in self.cloud_metadata and 'managed_authentication' in self.cloud_metadata['aws']: + # if we are running on AWS, check if IAM auth is enabled + aws_managed_authentication = self.cloud_metadata['aws']['managed_authentication'] + if aws_managed_authentication['enabled']: + # if IAM auth is enabled, region must be set. Validation is done in the config + region = self.cloud_metadata['aws']['region'] + password = aws.generate_rds_iam_token( + host=self._config.host, + username=self._config.user, + port=self._config.port, + region=region, + role_arn=aws_managed_authentication.get('role_arn'), + ) + connection_args.update({'user': self._config.user, 'passwd': password}) if self._config.mysql_sock != '': self.service_check_tags = self._service_check_tags(self._config.mysql_sock) connection_args.update({'unix_socket': self._config.mysql_sock}) diff --git a/mysql/pyproject.toml b/mysql/pyproject.toml index f55bdafc3f4a4..7adfd8ffbbf97 100644 --- a/mysql/pyproject.toml +++ b/mysql/pyproject.toml @@ -36,6 +36,7 @@ license = "BSD-3-Clause" [project.optional-dependencies] deps = [ + "boto3==1.37.23", "cachetools==5.5.2", "cryptography==44.0.2", "pymysql==1.1.1", diff --git a/mysql/tests/test_unit.py b/mysql/tests/test_unit.py index 65261f59aebba..bbf5f79cf2973 100644 --- a/mysql/tests/test_unit.py +++ b/mysql/tests/test_unit.py 
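Review bot: `aws_managed_authentication['enabled']` raises `KeyError` when the mapping is present without that key, which is exactly what the generated example in this diff shows (`managed_authentication: {}`), unless `cloud_metadata` is built from the validated pydantic model with `enabled: None` filled in, which I cannot see from here; `if aws_managed_authentication.get('enabled'):` is safe either way. AWS documents that RDS IAM database authentication requires a TLS connection, yet nothing here checks that the instance has `ssl` configured before the token is sent as the password, so a misconfigured instance fails at connect time with an unhelpful auth error (or, depending on how the driver handles the clear-text auth plugin, sends the token unencrypted); raising a configuration error when IAM auth is enabled without TLS would make the requirement explicit. The token is a 15-minute bearer credential, so also confirm `connection_args` is never logged at debug level. `_get_connection_args` begins outside the hunk.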
@@ -11,6 +11,7 @@
 import pytest
 from datadog_checks.mysql import MySql
+from datadog_checks.mysql.activity import MySQLActivity
 from datadog_checks.mysql.databases_data import DatabasesData, SubmitData
 from datadog_checks.mysql.version_utils import get_version
@@ -496,3 +497,14 @@ def test_database_identifier(template, expected, tags):
 check = MySql(common.CHECK_NAME, {}, instances=[config])
 assert check.database_identifier == expected
+
+
+def test__eliminate_duplicate_rows():
+ rows = [
+ {'thread_id': 1, 'event_timer_start': 1000, 'event_timer_end': 2000, 'sql_text': 'SELECT 1'},
+ {'thread_id': 1, 'event_timer_start': 2001, 'event_timer_end': 3000, 'sql_text': 'SELECT 1'},
+ ]
+ second_pass = {1: {'event_timer_start': 2001}}
+ assert MySQLActivity._eliminate_duplicate_rows(rows, second_pass) == [
+ {'thread_id': 1, 'event_timer_start': 2001, 'event_timer_end': 3000, 'sql_text': 'SELECT 1'},
+ ]
diff --git a/network/CHANGELOG.md b/network/CHANGELOG.md
index 766d7f71cd888..0654df87d802e 100644
--- a/network/CHANGELOG.md
+++ b/network/CHANGELOG.md
@@ -2,7 +2,7 @@
-## 5.2.0 / 2025-03-19
+## 5.2.0 / 2025-03-19 / Agent 7.65.0
 ***Added***:
diff --git a/octopus_deploy/CHANGELOG.md b/octopus_deploy/CHANGELOG.md
index 7afd216bbeb9a..e579230617bb6 100644
--- a/octopus_deploy/CHANGELOG.md
+++ b/octopus_deploy/CHANGELOG.md
@@ -2,7 +2,7 @@
-## 1.0.2 / 2025-03-19
+## 1.0.2 / 2025-03-19 / Agent 7.65.0
 ***Fixed***:
diff --git a/openstack_controller/CHANGELOG.md b/openstack_controller/CHANGELOG.md
index 1be3c4cac543f..37370c664aac5 100644
--- a/openstack_controller/CHANGELOG.md
+++ b/openstack_controller/CHANGELOG.md
@@ -9,7 +9,7 @@
 * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962))
 * Add failover support with Agent High Availability feature. ([#19992](https://github.com/DataDog/integrations-core/pull/19992))
-## 8.3.1 / 2025-03-19
+## 8.3.1 / 2025-03-19 / Agent 7.65.0
 ***Fixed***:
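Review bot: The new test exercises only the static helper with a hand-built `second_pass`, so the part of the fix that actually decides what goes into `second_pass` — the `seen` bookkeeping in `_normalize_rows` and its interaction with the `MAX_PAYLOAD_BYTES` early return — has no coverage, and a regression there would pass this test unchanged. A second case that feeds two same-thread rows through `_normalize_rows` on a bare instance (`MySQLActivity.__new__(MySQLActivity)` with the attributes it reads set) and asserts a single surviving row would pin the end-to-end behaviour; I can't see `_normalize_rows`' collaborators from here, so the exact setup may need a small fixture.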
diff --git a/openvpn/CHANGELOG.md b/openvpn/CHANGELOG.md new file mode 100644 index 0000000000000..19c23b4378ed7 --- /dev/null +++ b/openvpn/CHANGELOG.md @@ -0,0 +1,4 @@ +# CHANGELOG - OpenVPN + + + diff --git a/openvpn/README.md b/openvpn/README.md new file mode 100644 index 0000000000000..7d5f1ba7e8df9 --- /dev/null +++ b/openvpn/README.md 
@@ -0,0 +1,150 @@ +# Agent Integration: OpenVPN + +## Overview + +[OpenVPN][4] is a free, open-source protocol that creates secure connections between devices over the internet. It's used to create virtual private networks (VPNs). + +This integration enriches and ingests the following events: + +- **Authentication Events**: Represents user login attempts, including successful and failed authentications. +- **Connection Events**: Represents instances when a client establishes or disconnects a VPN session. + +This integration seamlessly collects all of the above listed logs, channeling them into Datadog for analysis. Leveraging the built-in logs pipeline, these logs are parsed and enriched, enabling effortless search and analysis. The OpenVPN integration provides insight into authentication and connection events through the out-of-the-box dashboards. Additionally, it includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security. + +## Setup + +### Installation + +To install the OpenVPN integration, run the following Agent installation command and the steps below for log collection. For more information, see the [Integration Management][5] documentation. + +**Note**: This step is not necessary for Agent version >= 7.65.0. + +Linux command: + + ```shell + sudo -u dd-agent -- datadog-agent integration install datadog-openvpn==1.0.0 + ``` + +### Configuration + +#### Log collection + +1. Collecting logs is disabled by default in the Datadog Agent. Enable log collection in your `datadog.yaml`: + + ```yaml + logs_enabled: true + ``` + +2. Add this configuration block to your `openvpn.d/conf.yaml` file to start collecting your OpenVPN logs. + + See the sample [openvpn.d/conf.yaml][7] for available configuration options. The appropriate protocol (either TCP or UDP) should be chosen based on the OpenVPN syslog forwarding configuration. 
+ + ```yaml + logs: + - type: tcp/udp + port: + service: openvpn + source: openvpn + ``` + + Note: + - PORT: Port should be similar to the port provided in **Configure syslog message forwarding from openvpn server**. + - It is recommended not to change the service and source values, as these parameters are integral to the pipeline's operation. + +3. [Restart the Agent][1]. + +#### Configure Syslog Message Forwarding from OpenVPN Server + + - Please follow provided link steps to configure syslog over OpenVPN: [Configure syslog over OpenVPN][6] + +### Validation + +[Run the Agent's status subcommand][2] and look for `openvpn` under the Checks section. + +## Data Collected + +### Logs + +The OpenVPN integration collects Authentication Events and Connection Events. + +### Metrics + +The OpenVPN integration does not include any metrics. + +### Events + +The OpenVPN integration does not include any events. + +### Service Checks + +The OpenVPN integration does not include any service checks. + +## Troubleshooting + +### OpenVPN + +**Permission denied while port binding:** + +If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions: + + 1. Binding to a port number under 1024 requires elevated permissions. + + - Grant access to the port using the `setcap` command: + + ```shell + sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent + ``` + + - Verify the setup is correct by running the `getcap` command: + + ```shell + sudo getcap /opt/datadog-agent/bin/agent/agent + ``` + + Example of the expected output: + + ```shell + /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep + ``` + + **Note**: Re-run this `setcap` command every time you upgrade the Agent. + + 2. [Restart the Agent][1]. + +**Data is not being collected:** + +Make sure that traffic is bypassed from the configured port if the firewall is enabled. 
+ +**Port already in use:** + +If you see the **Port Already in Use** error, see the following instructions. The example below is for PORT-NO = 514: + +On systems using Syslog, if the Agent listens for events on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. + +This error occurs because Syslog listens on port 514 by default. To resolve it, use one of the following steps: + +- Disable Syslog. +- Configure the Agent to listen on a different, available port. + +**Troubleshooting OpenVPN Logs Not Appearing in Datadog** + +If OpenVPN logs are not appearing in Datadog after setup, try restarting **openvpnas** and **rsyslog** services. + +- Run the following command to restart openvpnas service: + ```shell + service openvpnas restart + ``` +- Run the following command to restart rsyslog service: + ```shell + service rsyslog restart + ``` + +For any further assistance, contact [Datadog support][3]. + +[1]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[3]: https://docs.datadoghq.com/help/ +[4]: https://openvpn.net/access-server/ +[5]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install +[6]: https://openvpn.net/as-docs/tutorials/tutorial--syslog.html#option-2--redirect-access-server-logs-to-an-external-syslog-server +[7]: https://github.com/DataDog/integrations-core/blob/master/openvpn/datadog_checks/openvpn/data/conf.yaml.example \ No newline at end of file diff --git a/openvpn/assets/configuration/spec.yaml b/openvpn/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..c14edd3e73ead --- /dev/null +++ b/openvpn/assets/configuration/spec.yaml 
@@ -0,0 +1,10 @@ +name: OpenVPN +files: +- name: openvpn.yaml + options: + - template: logs + example: + - type: + port: + service: openvpn + source: openvpn diff --git a/openvpn/assets/dashboards/openvpn_overview.json b/openvpn/assets/dashboards/openvpn_overview.json new file mode 100644 index 0000000000000..9f73d1041286b --- /dev/null +++ b/openvpn/assets/dashboards/openvpn_overview.json 
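Review bot: The `example` block leaves `type` and `port` with no value, so the rendered `conf.yaml.example` will contain bare `type:` and `port:` lines, which a YAML parser reads as `null` rather than as a placeholder to fill in. The README shipped alongside this spec tells users to pick `tcp` or `udp` and the port configured for syslog forwarding, so the example could carry that guidance directly, e.g. `- type: udp` and `port: "<PORT>"` (placeholder, quoted so tooling does not retype it). If the spec tooling deliberately emits empty values for fill-in templates, a comment above `example:` stating that would prevent the next maintainer from "fixing" it.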
@@ -0,0 +1,2316 @@ +{ + "title": "OpenVPN - Overview", + "description": "This dashboard provides an overview of OpenVPN logs.", + "experience_type": "default", + "widgets": [ + { + "id": 5128301155972842, + "definition": { + "type": "image", + "url": "", + "url_dark_theme": "", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 6980405278649262, + "definition": { + "type": "note", + "content": "OpenVPN is a free, open-source protocol that creates secure connections between devices over the internet. It's used to create virtual private networks (VPNs).\n\n\nThe OpenVPN Overview dashboard provides an overall insights of the logs generated by OpenVPN.\n\n\nFor more information, see the [OpenVPN Integration Documentation](https://docs.datadoghq.com/integrations/openvpn/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. ", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3199366113094822, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 849757788175700, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates the OpenVPN logs to detect threats to your environment in real time. 
If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security).", + "background_color": "vivid_blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2525358113144420, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:openvpn status:critical" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 3185895093779766, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:openvpn status:high" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 5035002585947108, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:openvpn status:critical" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 1776816054704386, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:openvpn status:medium" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5517607185870874, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], 
+ "search": { + "query": "source:openvpn status:low" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 6239972357185070, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:openvpn status:info" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 8701718476249416, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:openvpn status:high" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 7305144020883176, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:openvpn status:medium" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 10 + } + }, + { + "id": 234735012286588, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5151514656998292, + "definition": { + "title": "Total OpenVPN Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @syslog.process_name:openvpnas $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + 
"value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3497719803283602, + "definition": { + "title": "Top OpenVPN Log Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@log_type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 5793853177104614, + "definition": { + "title": "OpenVPN Logs Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "openvpn_logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @syslog.process_name:openvpnas $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": 
"count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 3762650802140286, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:openvpn @syslog.process_name:openvpnas $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "compact" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 13 + } + }, + { + "id": 5217660444813094, + "definition": { + "title": "Client VPN Authentication and Connection Logs", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6380611790870688, + "definition": { + "title": "Total Successful Client VPN Logins", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"AUTH SUCCESS\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + 
"conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 8620848088408466, + "definition": { + "title": "Successful Client VPN Logins Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "successful_vpn_login", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"AUTH SUCCESS\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 2113262363742108, + "definition": { + "title": "Successful Client VPN Logins by Authentication Method", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"AUTH SUCCESS\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@auth_method", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": 
"query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 2836136406182442, + "definition": { + "title": "Successful Client VPN Login Attempts", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"AUTH SUCCESS\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@os", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@client_connect_version", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 1832051261250332, + "definition": { + "title": "Total Failed Client VPN Login Attempts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"VPN Auth 
Failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 5601566508202872, + "definition": { + "title": "Failed Client VPN Logins Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "failed_vpn_login", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"VPN Auth Failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 12, + "width": 8, + "height": 4 + } + }, + { + "id": 892037220315928, + "definition": { + "title": "Top Blocked Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @reason:\"DENY: user in deny list.\" @log_type:\"AUTH ERROR\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + 
"order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 6, + "height": 4 + } + }, + { + "id": 8558402412393498, + "definition": { + "title": "Top Users with Missing Password Digest Causing Local Auth Failures", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @reason:\"local auth failed: no stored password digest found in authcred attributes.\" @log_type:\"AUTH ERROR\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 6, + "y": 16, + "width": 6, + "height": 4 + } + }, + { + "id": 659945948973358, + "definition": { + "title": "Total Peer Connection Initiated", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": 
"logs", + "search": { + "query": "source:openvpn @log_type:\"Peer Connection Initiated\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 20, + "width": 4, + "height": 4 + } + }, + { + "id": 4477458026105630, + "definition": { + "title": "Peer Connection Initiated Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Peer Connection Initiated\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@server_ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + 
} + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 20, + "width": 8, + "height": 4 + } + }, + { + "id": 6689276054520678, + "definition": { + "title": "Virtual IP Assigned to Clients", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Assigning virtual IP\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@virtual_ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 4 + } + }, + { + "id": 2229600259696240, + "definition": { + "title": "Geo Distribution of Client IP", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Assigning virtual IP\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, 
+ "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 12, + "height": 4 + } + }, + { + "id": 1192443444573994, + "definition": { + "title": "Common Reasons of Client VPN Login Failures", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"VPN Auth Failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 32, + "width": 12, + "height": 4 + } + }, + { + "id": 3949609861994360, + "definition": { + "title": "Signal Termination Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"client-instance exiting\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + 
}, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@termination_signal", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 36, + "width": 12, + "height": 4 + } + }, + { + "id": 6618903770465208, + "definition": { + "title": "Client VPN Log Details", + "title_size": "16", + "title_align": "left", + "time": {}, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:openvpn @log_type:(\"VPN Auth Failed\" OR \"AUTH SUCCESS\" OR \"AUTH ERROR\" OR \"Peer Connection Initiated\" OR \"client-instance exiting\" OR \"Assigning virtual IP\") $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "log_type", + "width": "auto" + }, + { + "field": "os", + "width": "auto" + }, + { + "field": "client_connect_version", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "virtual_ip", + "width": "auto" + }, + { + "field": "server_ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 27, + "width": 12, + 
"height": 45 + } + }, + { + "id": 166072887996452, + "definition": { + "title": "Web Portal Authentication Logs", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5016493448783584, + "definition": { + "title": "Failed Web Portal Authentication Attempts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Web login authentication failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 5691009810024244, + "definition": { + "title": "Top Users with Most Web Portal Login Failures", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Web login authentication failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { 
+ "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 8524427115520686, + "definition": { + "title": "Failed Web Portal Authentication Attempts Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "failed_web_login", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Web login authentication failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 6945616568143748, + "definition": { + "title": "Web Portal Login Failures by Authentication Method", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Web login authentication failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@auth_method", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + 
], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 21699253574070, + "definition": { + "title": "Web Portal Login Failure Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:openvpn @log_type:\"Web login authentication failed\" $User $Client-IP $Log-Type $Authentication-Method $OS $Host-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@reason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@auth_method", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 5 + } + }, + { + "id": 4929123947269502, + "definition": { + "title": "Web Portal Log Details", + "title_size": "16", + "title_align": "left", + "time": {}, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:openvpn @log_type:\"Web login authentication failed\" $User $Client-IP $Log-Type 
$Authentication-Method $OS $Host-Name", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "log_type", + "width": "auto" + }, + { + "field": "reason", + "width": "auto" + }, + { + "field": "auth_method", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 17, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 72, + "width": 12, + "height": 22, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "Authentication-Method", + "prefix": "@auth_method", + "available_values": [], + "default": "*" + }, + { + "name": "Client-IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Host-Name", + "prefix": "@syslog.hostname", + "available_values": [], + "default": "*" + }, + { + "name": "Log-Type", + "prefix": "@log_type", + "available_values": [], + "default": "*" + }, + { + "name": "OS", + "prefix": "@os", + "available_values": [], + "default": "*" + }, + { + "name": "User", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/openvpn/assets/logs/openvpn.yaml b/openvpn/assets/logs/openvpn.yaml new file mode 100644 index 0000000000000..76e95990f48ad --- /dev/null +++ b/openvpn/assets/logs/openvpn.yaml 
@@ -0,0 +1,315 @@ +id: openvpn +metric_id: openvpn +backend_only: false +facets: + - groups: + - User + name: User Name + path: usr.name + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log +pipeline: + type: pipeline + name: OpenVPN + enabled: true + filter: + query: source:openvpn + processors: + - type: grok-parser + name: Parsing Header + enabled: true + source: message + samples: + - "<14>Feb 20 12:15:47 openvpnas2 openvpnas: [-] VPN Auth Failed: 'local + auth failed: password verification failed' [None]" + - "<14>Feb 20 12:17:1 openvpnas2 openvpnas: [-] AUTH SUCCESS {'status': + 0, 'user': 'openvpn', 'reason': 'local auth succeeded', 'auth method': + 'local', 'proplist': {'prop_autogenerate': 'true', 'conn_group': + 'test1', 'prop_superuser': 'true', 'prop_autologin': 'false', + 'prop_deny': 'false', 'type': 'user_compile', 'pvt_password_digest': + '[redacted]', 'user_auth_type': 'local', 'pvt_google_auth_secret': + '[redacted]', 'pvt_google_auth_secret_locked': 'false'}, + 'common_name': 'openvpn', 'serial': '5735787958742102047', + 'serial_list': []} cli='win'/'3.8connect1'/'OCWindows_3.4.0-3121'" + - "<14>Feb 
20 12:48:43 openvpnas2 openvpnas:[-] AUTH ERROR: DENY: user + in deny list. user=test" + grok: + supportRules: "" + matchRules: rule (<(%{integer})>)?(%{date("MMM d H:m:s"):timestamp}|%{date("MMM + d H:m:s"):timestamp}) %{notSpace:syslog.hostname} + %{notSpace:syslog.process_name}:(\s+)?%{data:syslog_message} + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp + - type: pipeline + name: Processing OpenVPN Access Server Logs + enabled: true + filter: + query: "@syslog.process_name:openvpnas" + processors: + - type: grok-parser + name: Parsing Authentication Success Logs + enabled: true + source: syslog_message + samples: + - "[-] AUTH SUCCESS {'status': 0, 'user': 'openvpn', 'reason': + 'local auth succeeded', 'auth method': 'local', 'proplist': + {'prop_autogenerate': 'true', 'prop_superuser': 'true', 'type': + 'user_compile', 'pvt_password_digest': '[redacted]', + 'user_auth_type': 'local', 'pvt_google_auth_secret': '[redacted]', + 'pvt_google_auth_secret_locked': 'false'}, 'common_name': + 'openvpn', 'serial': '4596440362163920331', 'serial_list': []} + cli='win'/'3.8connect1'/'OCWindows_3.4.0-3121'" + - "[-] AUTH SUCCESS {'status': 0, 'user': 'test', 'reason': + 'SESSION_ID HMAC session continuation succeeded', 'session_id': + '[redacted]', 'create_new_session': True, 'proplist': + {'prop_autogenerate': 'true', 'type': 'user_connect'}, + 'common_name': 'test', 'serial': '2625112669000384146', + 'serial_list': []} cli='mac'/'3.6.7'/'OCmacOS_3.4.2-4547'" + - "[-] AUTH SUCCESS {'status': 0, 'user': 'test', 'reason': + 'SESSION_ID auth succeeded', 'session_id': '[redacted]', 'auth + method': 'ldap', 'proplist': {'prop_autogenerate': 'true', 'type': + 'user_connect'}, 'common_name': 'test', 'serial': + '6084254746989972980', 'serial_list': []} + cli='ios'/'3.10.5'/'net.openvpn.connect.ios_3.5.1-6211'" + - "[-] AUTH SUCCESS {'status': 0, 'user': 'openvpn', 'reason': + 'local auth succeeded', 'auth 
method': 'local', 'proplist': + {'prop_autogenerate': 'true', 'conn_group': 'test1', + 'prop_superuser': 'true', 'prop_autologin': 'false', 'prop_deny': + 'false', 'type': 'user_compile', 'pvt_password_digest': + '[redacted]', 'user_auth_type': 'local', 'pvt_google_auth_secret': + '[redacted]', 'pvt_google_auth_secret_locked': 'false'}, + 'common_name': 'openvpn', 'serial': '5735787958742102047', + 'serial_list': []} cli='win'/'3.8connect1'/'OCWindows_3.4.0-3121'" + grok: + supportRules: "" + matchRules: >- + rule1 (\[\-\])(\s+)?%{regex("AUTH + SUCCESS"):log_type}\s+\{%{data::keyvalue(": ",", ")}, 'auth + method': '%{regex("(.*?)(?=\\')"):auth_method}', + %{data::keyvalue(": ",", ")} + cli='%{word:os}'/'%{regex("(.*?)(?=\\')")}'/'%{regex("(.*?)(?=_)")}_%{notSpace:client_connect_version}' + + + rule2 (\[\-\])(\s+)?%{regex("AUTH SUCCESS"):log_type}\s+\{%{data::keyvalue(": ",", ")} cli='%{word:os}'/'%{regex("(.*?)(?=\\')"):data}'/'%{regex("(.*?)(?=_)")}_%{notSpace:client_connect_version}' + - type: grok-parser + name: Parsing VPN Logs + enabled: true + source: syslog_message + samples: + - "[-] VPN Auth Failed: 'LICENSE: Access Server license failure: + Connection exceeds currently allocated connection to this server + (2)' ['LICENSE: Access Server license failure: Connection exceeds + currently allocated connection to this server (2)']" + - "[-] VPN Auth Failed: 'local auth failed: password verification + failed' [None]" + - "[-] VPN Auth Failed: 'The user is not enrolled in the + Authenticator yet.' 
['You must enroll this user in Authenticator + first before you are allowed to retrieve a connection profile.']" + grok: + supportRules: "" + matchRules: "rule (\\[\\-\\])(\\s+)?%{regex(\"VPN Auth Failed\"):log_type}: + '%{regex(\"(.*?)(?=\\\\')\"):reason}'%{data}" + - type: grok-parser + name: Parsing Web Portal Login Authentication Failed Logs + enabled: true + source: syslog_message + samples: + - "[-] [WEB] OUT: \"2025-02-11T11:12:28+0000 [stdout#info] Web login + authentication failed: {'status': 1, 'user': 'openvpn', 'reason': + 'local auth failed: password verification failed', 'auth method': + 'local'}\"" + - "[-] [WEB] OUT: \"2025-02-11T11:12:28+0000 [stdout#info] Web login + authentication failed: {'status': 1, 'user': 'openvpn', 'reason': + 'local auth failed: password verification failed'}\"" + - "[-] [WEB] OUT: '2025-03-11T12:59:46+0000 [stdout#info] Web login + authentication failed: {\\'status\\': 2, \\'user\\': \\'abc\\', + \\'reason\\': \"Cannot connect to LDAP server ldap://10.10.10.10: + socket connection error while opening: [Errno 113] No route to + host (facility=\\'initialize [10.10.10.10]\\')\", \\'auth + method\\': \\'ldap\\'}'" + - "[-] [WEB] OUT: '2025-03-11T12:59:46+0000 [stdout#info] Web login + authentication failed: {\\'status\\': 2, \\'user\\': \\'abc\\', + \\'reason\\': \"Cannot connect to LDAP server ldap://10.10.10.10: + socket connection error while opening: [Errno 113] No route to + host (facility=\\'initialize [10.10.10.10.10]\\')\"}'" + grok: + supportRules: "" + matchRules: "rule %{regex(\"(.*?)(?=:)\")}:(\\s+)?(\\\"|\\')%{notSpace} + %{notSpace} %{regex(\"Web login authentication + failed\"):log_type}: + %{regex(\"(.*)(?:})\"):authentication_info}(\\\"|\\')" + - type: grok-parser + name: Parsing of authentication infomation + enabled: true + source: authentication_info + samples: + - "{'status': 1, 'user': 'openvpn', 'reason': 'local auth failed: + password verification failed', 'auth method': 'local'}" + - "{\\'status\\': 
2, \\'user\\': \\'abc\\', \\'reason\\': \"Cannot + connect to LDAP server ldap://10.10.10.10: socket connection + error while opening: [Errno 113] No route to host + (facility=\\'initialize [10.10.10.10]\\')\", \\'auth method\\': + \\'ldap\\'}" + - "{\\'status\\': 2, \\'user\\': \\'abc\\', \\'reason\\': \"Cannot + connect to LDAP server ldap://10.10.10.10: socket connection + error while opening: [Errno 113] No route to host + (facility=\\'initialize [10.10.10.10]\\')\"}" + - "{'status': 1, 'user': 'openvpn', 'reason': 'local auth failed: + password verification failed'}" + grok: + supportRules: "" + matchRules: >- + rule_1 \{%{data::keyvalue(": ",", ")}, 'auth method': + '%{regex("(.*?)(?=\\')"):auth_method}'%{data::keyvalue(": ",", ")} + + + rule_2 \{\\'status\\': %{integer:status}, \\'user\\': \\'%{regex("(.*)(?=\\\\')"):user}\\', \\'reason\\': "%{regex("(.*)(?=\")"):reason}"(, \\'auth method\\': \\'%{regex("(.*?)(?=\\\\')"):auth_method}\\')?} + + + rule_3 \{%{data::keyvalue(": ",", ")} + - type: grok-parser + name: Parsing Peer Connection Logs + enabled: true + source: syslog_message + samples: + - "[-] [OVPN 2] OUT: '2025-02-11 12:34:01 10.10.10.10:49152 + [openvpn] Peer Connection Initiated with + [AF_INET]10.10.10.10:49152 (via [AF_INET]11.50.13.24%ens32)'" + - "[-] [OVPN 2] OUT: '2025-2-1 1:3:0 10.10.10.10:49152 [openvpn] + Peer Connection Initiated with [AF_INET]10.10.10.10:49152 (via + [AF_INET]2001:db8:3333:4444:5555:6666:7777:8888%ens32)'" + grok: + supportRules: "" + matchRules: rule %{regex("(.*?)(?=:)")}:(\s+)?\'%{date("yyyy-M-d H:m:s"):date} + %{ip:network.client.ip}:%{port:network.client.port} + \[%{notSpace:user}\] %{regex("Peer Connection + Initiated"):log_type}\s+with%{regex("(.*?)(?=\\()")}\(%{regex("(.*?)(?=])")}\]%{ip:server_ip}[%]%{data} + - type: grok-parser + name: Parsing Virtual IP Logs + enabled: true + source: syslog_message + samples: + - "[-] [OVPN 2] OUT: '2025-02-12 13:16:02 test/10.10.10.10:49152 + MULTI: primary virtual IP for + 
test/10.10.10.10:49152: 10.10.10.10'" + grok: + supportRules: "" + matchRules: "rule %{regex(\"(.*?)(?=:)\")}:(\\s+)?\\'%{date(\"yyyy-M-d + H:m:s\"):date} + %{notSpace:user}/%{ip:network.client.ip}:%{port:network.client.po\ + rt} %{notSpace:client_mode}: %{regex(\"primary virtual + IP\"):log_type} + for%{regex(\"(.*?)(?=:[\\\\s])\")}:\\s+%{ip:virtual_ip}'" + - type: grok-parser + name: Parsing User Deny Logs + enabled: true + source: syslog_message + samples: + - "[-] AUTH ERROR: DENY: user in deny list. user=test" + - "[-] AUTH ERROR: local auth failed: no stored password digest + found in authcred attributes. user=test" + grok: + supportRules: "" + matchRules: 'rule \[%{regex("(.*?)(?=])")}\](\s+)?%{regex("AUTH + ERROR"):log_type}: %{regex(".*?\\."):reason} + user=%{notSpace:user}' + - type: grok-parser + name: Parsing Signal Termination Logs + enabled: true + source: syslog_message + samples: + - "[-] [OVPN 3] OUT: '2025-02-14 12:38:25 test/10.10.10.10:49152 + SIGTERM[soft,delayed-exit] received, client-instance exiting'" + - "[-] [OVPN 0] OUT: '2025-02-14 09:17:54 10.10.10.10:49152 + SIGTERM[soft,port-share-redirect] received, client-instance + exiting'" + - "[-] [OVPN 0] OUT: '2025-02-14 09:48:49 10.10.10.10:49152 + SIGTERM[soft,port-share-redirect] received, client-instance + exiting'" + grok: + supportRules: "" + matchRules: rule %{regex("(.*?)(?=:)")}:(\s+)?\'%{date("yyyy-M-d H:m:s"):date}( + (%{notSpace:user}/)?%{ip:network.client.ip}:%{port:network.client.port})? 
+ %{regex("(.*?)(?=)"):signal_details} received, + %{regex("client-instance exiting"):log_type}' + - type: grok-parser + name: Parsing Terminating Signal + enabled: true + source: signal_details + samples: + - SIGTERM[soft,management-exit] + grok: + supportRules: "" + matchRules: rule SIGTERM\[%{regex("(.*?)(?=])"):termination_signal}\] + - type: attribute-remapper + name: Map `user` to `usr.name` + enabled: true + sources: + - user + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Define `network.client.ip` as default geoip attribute for source + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: category-processor + name: Define `log_type` for Primary Virtual IP + enabled: true + categories: + - filter: + query: '@log_type:"primary virtual IP"' + name: Assigning virtual IP + target: log_type diff --git a/openvpn/assets/logs/openvpn_tests.yaml b/openvpn/assets/logs/openvpn_tests.yaml new file mode 100644 index 0000000000000..3cc73f3ffdd22 --- /dev/null +++ b/openvpn/assets/logs/openvpn_tests.yaml 
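Review bot: The open-ended `%{data::keyvalue(": ",", ")}` captures in the `Parsing Authentication Success Logs` rules lift every key of the Access Server's proplist dump into a log attribute, including `pvt_password_digest` and `pvt_google_auth_secret` (the test file added in this PR expects both as attributes). The samples show them as `[redacted]`, so presumably the server redacts them before logging, but the pipeline should not depend on that: consider replacing the keyvalue capture with explicit captures for the fields the dashboard and facets actually use (`user`, `reason`, `auth method`, `common_name`, `serial`), or documenting in the processor name why the full dict is retained. The processor name `Parsing of authentication infomation` should read `Parsing of authentication information`. In `Parsing Signal Termination Logs`, `%{regex("(.*?)(?=)"):signal_details}` carries an empty lookahead `(?=)` that matches at every position, so `%{regex("(.*?)"):signal_details}` is equivalent and reads clearer.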
@@ -0,0 +1,201 @@ +id: openvpn +tests: + - sample: "<14>Feb 24 05:11:20 openvpnas2 openvpnas: [-] [OVPN 2] OUT: '2025-02-24 + 05:11:20 10.10.10.10:50540 [openvpn] Peer Connection Initiated with + [AF_INET]10.10.10.10:50546 (via [AF_INET]198.51.100.20%ens32)'" + result: + custom: + date: 1740373880000 + log_type: "Peer Connection Initiated" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "50540" + server_ip: "198.51.100.20" + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] [OVPN 2] OUT: '2025-02-24 05:11:20 10.10.10.10:50540 [openvpn] Peer Connection Initiated with [AF_INET]10.10.10.10:50546 (via [AF_INET]198.51.100.20%ens32)'" + timestamp: 36220280000 + usr: + name: "openvpn" + message: "<14>Feb 24 05:11:20 openvpnas2 openvpnas: [-] [OVPN 2] OUT: '2025-02-24 05:11:20 10.10.10.10:50540 [openvpn] Peer Connection Initiated with [AF_INET]10.10.10.10:50546 (via [AF_INET]198.51.100.20%ens32)'" + tags: + - "source:LOGS_SOURCE" + timestamp: 36220280000 + - sample: "<14>Feb 24 05:11:20 openvpnas2 openvpnas: [-] AUTH SUCCESS {'status': + 0, 'user': 'openvpn', 'reason': 'local auth succeeded', 'auth method': + 'local', 'proplist': {'prop_autogenerate': 'true', 'conn_group': 'test1', + 'prop_superuser': 'true', 'prop_autologin': 'false', 'prop_deny': 'false', + 'type': 'user_compile', 'pvt_password_digest': '[redacted]', + 'user_auth_type': 'local', 'pvt_google_auth_secret': '[redacted]', + 'pvt_google_auth_secret_locked': 'false'}, 'common_name': 'openvpn', + 'serial': '5735787958742102040', 'serial_list': []} + cli='win'/'3.8connect1'/'OCWindows_3.4.0-3121'" + result: + custom: + auth_method: "local" + client_connect_version: "3.4.0-3121" + common_name: "openvpn" + conn_group: "test1" + log_type: "AUTH SUCCESS" + os: "win" + prop_autogenerate: "true" + prop_autologin: "false" + prop_deny: "false" + prop_superuser: "true" + pvt_google_auth_secret: "[redacted]" + pvt_google_auth_secret_locked: "false" + pvt_password_digest: 
"[redacted]" + reason: "local auth succeeded" + serial: "5735787958742102040" + status: 0 + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] AUTH SUCCESS {'status': 0, 'user': 'openvpn', 'reason': 'local auth succeeded', 'auth method': 'local', 'proplist': {'prop_autogenerate': 'true', 'conn_group': 'test1', 'prop_superuser': 'true', 'prop_autologin': 'false', 'prop_deny': 'false', 'type': 'user_compile', 'pvt_password_digest': '[redacted]', 'user_auth_type': 'local', 'pvt_google_auth_secret': '[redacted]', 'pvt_google_auth_secret_locked': 'false'}, 'common_name': 'openvpn', 'serial': '5735787958742102040', 'serial_list': []} cli='win'/'3.8connect1'/'OCWindows_3.4.0-3121'" + timestamp: 36220280000 + type: "user_compile" + user_auth_type: "local" + usr: + name: "openvpn" + message: "<14>Feb 24 05:11:20 openvpnas2 openvpnas: [-] AUTH SUCCESS {'status': 0, 'user': 'openvpn', 'reason': 'local auth succeeded', 'auth method': 'local', 'proplist': {'prop_autogenerate': 'true', 'conn_group': 'test1', 'prop_superuser': 'true', 'prop_autologin': 'false', 'prop_deny': 'false', 'type': 'user_compile', 'pvt_password_digest': '[redacted]', 'user_auth_type': 'local', 'pvt_google_auth_secret': '[redacted]', 'pvt_google_auth_secret_locked': 'false'}, 'common_name': 'openvpn', 'serial': '5735787958742102040', 'serial_list': []} cli='win'/'3.8connect1'/'OCWindows_3.4.0-3121'" + tags: + - "source:LOGS_SOURCE" + timestamp: 36220280000 + - sample: "<14>Feb 24 05:11:13 openvpnas2 openvpnas: [-] VPN Auth Failed: 'local + auth failed: password verification failed' [None]" + result: + custom: + log_type: "VPN Auth Failed" + reason: "local auth failed: password verification failed" + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] VPN Auth Failed: 'local auth failed: password verification failed' [None]" + timestamp: 36220273000 + message: "<14>Feb 24 05:11:13 openvpnas2 openvpnas: [-] VPN Auth Failed: 'local auth failed: 
password verification failed' [None]" + tags: + - "source:LOGS_SOURCE" + timestamp: 36220273000 + - sample: "<14>Feb 24 05:12:14 openvpnas2 openvpnas: [-] [WEB] OUT: \"2025-02-24T05:12:14+0000 [stdout#info] Web login authentication failed: {'status': 1, 'user': 'openvpn', 'reason': 'local auth failed: password verification failed', 'auth method': 'local'}\"" + result: + custom: + auth_method: "local" + authentication_info: "{'status': 1, 'user': 'openvpn', 'reason': 'local auth failed: password verification failed', 'auth method': 'local'}" + log_type: "Web login authentication failed" + reason: "local auth failed: password verification failed" + status: 1 + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] [WEB] OUT: \"2025-02-24T05:12:14+0000 [stdout#info] Web login authentication failed: {'status': 1, 'user': 'openvpn', 'reason': 'local auth failed: password verification failed', 'auth method': 'local'}\"" + timestamp: 36220334000 + usr: + name: "openvpn" + message: "<14>Feb 24 05:12:14 openvpnas2 openvpnas: [-] [WEB] OUT: \"2025-02-24T05:12:14+0000 [stdout#info] Web login authentication failed: {'status': 1, 'user': 'openvpn', 'reason': 'local auth failed: password verification failed', 'auth method': 'local'}\"" + tags: + - "source:LOGS_SOURCE" + timestamp: 36220334000 + - sample: "<14>Feb 24 04:50:22 openvpnas2 openvpnas: [-] [OVPN 2] OUT: '2025-02-24 + 04:50:22 openvpn/10.10.10.10:51820 MULTI: primary virtual IP for + openvpn/10.10.10.10:51820: 10.10.10.10'" + result: + custom: + client_mode: "MULTI" + date: 1740372622000 + log_type: "Assigning virtual IP" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "51820" + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] [OVPN 2] OUT: '2025-02-24 04:50:22 openvpn/10.10.10.10:51820 MULTI: primary virtual IP for openvpn/10.10.10.10:51820: 10.10.10.10'" + timestamp: 36219022000 + usr: + name: "openvpn" + virtual_ip: "10.10.10.10" + message: 
"<14>Feb 24 04:50:22 openvpnas2 openvpnas: [-] [OVPN 2] OUT: '2025-02-24 04:50:22 openvpn/10.10.10.10:51820 MULTI: primary virtual IP for openvpn/10.10.10.10:51820: 10.10.10.10'" + tags: + - "source:LOGS_SOURCE" + timestamp: 36219022000 + - sample: "<14>Feb 24 08:43:52 openvpnas2 openvpnas: [-] AUTH ERROR: DENY: user in + deny list. user=test5" + result: + custom: + log_type: "AUTH ERROR" + reason: "DENY: user in deny list." + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] AUTH ERROR: DENY: user in deny list. user=test5" + timestamp: 36233032000 + usr: + name: "test5" + message: "<14>Feb 24 08:43:52 openvpnas2 openvpnas: [-] AUTH ERROR: DENY: user in deny list. user=test5" + tags: + - "source:LOGS_SOURCE" + timestamp: 36233032000 + - sample: "<14>Feb 24 08:41:52 openvpnas2 openvpnas: [-] AUTH ERROR: local auth + failed: no stored password digest found in authcred attributes. user=test" + result: + custom: + log_type: "AUTH ERROR" + reason: "local auth failed: no stored password digest found in authcred attributes." + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] AUTH ERROR: local auth failed: no stored password digest found in authcred attributes. user=test" + timestamp: 36232912000 + usr: + name: "test" + message: "<14>Feb 24 08:41:52 openvpnas2 openvpnas: [-] AUTH ERROR: local auth failed: no stored password digest found in authcred attributes. 
user=test" + tags: + - "source:LOGS_SOURCE" + timestamp: 36232912000 + - sample: "<14>Feb 24 05:11:19 openvpnas2 openvpnas: [-] [OVPN 2] OUT: '2025-02-24 + 05:11:19 172.20.4.202:58075 SIGTERM[soft,delayed-exit] received, + client-instance exiting'" + result: + custom: + date: 1740373879000 + log_type: "client-instance exiting" + network: + client: + geoip: {} + ip: "172.20.4.202" + port: "58075" + signal_details: "SIGTERM[soft,delayed-exit]" + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] [OVPN 2] OUT: '2025-02-24 05:11:19 172.20.4.202:58075 SIGTERM[soft,delayed-exit] received, client-instance exiting'" + termination_signal: "soft,delayed-exit" + timestamp: 36220279000 + message: "<14>Feb 24 05:11:19 openvpnas2 openvpnas: [-] [OVPN 2] OUT: '2025-02-24 05:11:19 172.20.4.202:58075 SIGTERM[soft,delayed-exit] received, client-instance exiting'" + tags: + - "source:LOGS_SOURCE" + timestamp: 36220279000 + - sample: "<14>Mar 11 12:59:46 openvpnas2 openvpnas: [-] [WEB] OUT: '2025-03-11T12:59:46+0000 [stdout#info] Web login authentication failed: {\\'status\\': 2, \\'user\\': \\'abc\\', \\'reason\\': \"Cannot connect to LDAP server ldap://10.10.10.10: socket connection error while opening: [Errno 113] No route to host (facility=\\'initialize [10.10.10.10]\\')\", \\'auth method\\': \\'ldap\\'}'" + result: + custom: + auth_method: "ldap" + authentication_info: "{\\'status\\': 2, \\'user\\': \\'abc\\', \\'reason\\': \"Cannot connect to LDAP server ldap://10.10.10.10: socket connection error while opening: [Errno 113] No route to host (facility=\\'initialize [10.10.10.10]\\')\", \\'auth method\\': \\'ldap\\'}" + log_type: "Web login authentication failed" + reason: "Cannot connect to LDAP server ldap://10.10.10.10: socket connection error while opening: [Errno 113] No route to host (facility=\\'initialize [10.10.10.10]\\')" + status: 2 + syslog: + hostname: "openvpnas2" + process_name: "openvpnas" + syslog_message: "[-] [WEB] OUT: 
'2025-03-11T12:59:46+0000 [stdout#info] Web login authentication failed: {\\'status\\': 2, \\'user\\': \\'abc\\', \\'reason\\': \"Cannot connect to LDAP server ldap://10.10.10.10: socket connection error while opening: [Errno 113] No route to host (facility=\\'initialize [10.10.10.10]\\')\", \\'auth method\\': \\'ldap\\'}'" + timestamp: 37544386000 + usr: + name: "abc" + message: "<14>Mar 11 12:59:46 openvpnas2 openvpnas: [-] [WEB] OUT: '2025-03-11T12:59:46+0000 [stdout#info] Web login authentication failed: {\\'status\\': 2, \\'user\\': \\'abc\\', \\'reason\\': \"Cannot connect to LDAP server ldap://10.10.10.10: socket connection error while opening: [Errno 113] No route to host (facility=\\'initialize [10.10.10.10]\\')\", \\'auth method\\': \\'ldap\\'}'" + tags: + - "source:LOGS_SOURCE" + timestamp: 37544386000 diff --git a/openvpn/assets/openvpn.svg b/openvpn/assets/openvpn.svg new file mode 100644 index 0000000000000..4da0d455e513c --- /dev/null +++ b/openvpn/assets/openvpn.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/openvpn/changelog.d/19811.added b/openvpn/changelog.d/19811.added new file mode 100644 index 0000000000000..aa949b47b7b41 --- /dev/null +++ b/openvpn/changelog.d/19811.added @@ -0,0 +1 @@ +Initial Release \ No newline at end of file diff --git a/openvpn/datadog_checks/__init__.py b/openvpn/datadog_checks/__init__.py new file mode 100644 index 0000000000000..a77b3f5ff63ac --- /dev/null +++ b/openvpn/datadog_checks/__init__.py @@ -0,0 +1,4 @@ +# (C) Datadog, Inc. 2025-present +# All rights reserved +# Licensed under a 3-clause BSD style license (see LICENSE) +__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore diff --git a/openvpn/datadog_checks/openvpn/__about__.py b/openvpn/datadog_checks/openvpn/__about__.py new file mode 100644 index 0000000000000..1bde5986a04b2 --- /dev/null +++ b/openvpn/datadog_checks/openvpn/__about__.py 
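Review bot: The expected `timestamp` values in every case (for example `timestamp: 36220280000` in the first case) resolve to February 1971, because the header pattern `MMM d H:m:s` carries no year, whereas the same case's `date: 1740373880000` from the inner message resolves to 2025-02-24; it is worth confirming whether the date-remapper or intake back-fills the current year in production, since a year-less official date on authentication logs would be discarded or re-stamped and break timeline reconstruction. Only one `AUTH SUCCESS` case is present, the one with an explicit `'auth method'`, so the `rule2` fallback (session continuation without `'auth method'`, as in the pipeline's own second and third `Parsing Authentication Success Logs` samples) has no test. Adding the `SESSION_ID HMAC session continuation succeeded` sample with `log_type: "AUTH SUCCESS"` and no `auth_method` in the expected result would cover it.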
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/openvpn/datadog_checks/openvpn/__init__.py b/openvpn/datadog_checks/openvpn/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/openvpn/datadog_checks/openvpn/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/openvpn/datadog_checks/openvpn/data/conf.yaml.example b/openvpn/datadog_checks/openvpn/data/conf.yaml.example
new file mode 100644
index 0000000000000..46bc4b9a56c6e
--- /dev/null
+++ b/openvpn/datadog_checks/openvpn/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type:
+# port:
+# service: openvpn
+# source: openvpn
diff --git a/openvpn/images/openvpn_overview.png b/openvpn/images/openvpn_overview.png
new file mode 100644
index 0000000000000..c9f92715fdebe
Binary files /dev/null and b/openvpn/images/openvpn_overview.png differ
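Review bot: The commented example in conf.yaml.example leaves `type:` and `port:` bare, so a user who uncomments it unchanged ends up with `type: null` and `port: null`, and neither the header nor the example says which input the OpenVPN pipeline expects. The parser test samples earlier in this diff are syslog-framed (`<14>Feb 24 05:11:19 openvpnas2 openvpnas: ...`), which suggests a tcp or udp listener; the example should name it, e.g. `#   - type: udp` (or tcp, whichever the README documents) with `#     port: <PORT>` as a labelled placeholder. A one-line comment above `port` noting that a tcp/udp log input accepts lines from any sender that can reach the port, so it should be limited at the host firewall to the VPN server's address, would give operators the guidance this header otherwise lacks.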
diff --git a/openvpn/manifest.json b/openvpn/manifest.json
new file mode 100644
index 0000000000000..93d6ad7414526
--- /dev/null
+++ b/openvpn/manifest.json
@@ -0,0 +1,55 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "98802736-bf53-4d20-bf5c-9e7936212a14",
+ "app_id": "openvpn",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into OpenVPN events",
+ "title": "OpenVPN",
+ "media": [
+ {
+ "caption": "OpenVPN - Overview",
+ "image_url": "images/openvpn_overview.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Log Collection",
+ "Category::Security",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 40374141,
+ "source_type_name": "OpenVPN",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "OpenVPN - Overview":"assets/dashboards/openvpn_overview.json"
+ },
+ "logs": {
+ "source": "openvpn"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
diff --git a/openvpn/pyproject.toml b/openvpn/pyproject.toml
new file mode 100644
index 0000000000000..2cd9b88640e13
--- /dev/null
+++ b/openvpn/pyproject.toml
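Review bot: The `dashboards` entry is the only key/value pair in manifest.json written without a space after the colon, `"OpenVPN - Overview":"assets/dashboards/openvpn_overview.json"`, which suggests the file was hand-edited after generation rather than run through the formatter; it should read `"OpenVPN - Overview": "assets/dashboards/openvpn_overview.json"` like every other pair in the file. The `configuration.spec` value points at `assets/configuration/spec.yaml`, and that file is not in the portion of the diff visible here, so it is worth confirming it is part of this change before merge.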
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-openvpn"
+description = "The OpenVPN check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "openvpn",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.12",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/openvpn/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/openvpn",
+]
+dev-mode-dirs = [
+ ".",
+]
diff --git a/pgbouncer/CHANGELOG.md b/pgbouncer/CHANGELOG.md
index bbeda9a749784..611914c2cac91 100644
--- a/pgbouncer/CHANGELOG.md
+++ b/pgbouncer/CHANGELOG.md
@@ -2,7 +2,7 @@
-## 8.1.2 / 2025-03-19
+## 8.1.2 / 2025-03-19 / Agent 7.65.0
***Fixed***:
diff --git a/plaid/README.md b/plaid/README.md
index 1896dc13471fe..65294d6f2297a 100644
--- a/plaid/README.md
+++ b/plaid/README.md
@@ -22,18 +22,36 @@ Here are some insights that can be drawn from your Plaid dashboard:
### Configuration
Configure the Datadog endpoint to forward Plaid logs to Datadog.
-1. Navigate to Plaid.
-2. Add your Plaid credentials.
+1. Log in to [Plaid Dashboard](https://dashboard.plaid.com/)
+2. Navigate to the **Developers** section in the left pane.
+3. Extend the drop-down menu and click on **Keys**
+4. Obtain the client_id and Secret.
+
+#### To obtain Access Token, follow these steps:
+ 1. **Get institution_id from Plaid**:
+ Hit Plaid API **/institutions/get** endpoint to obtain institution_id. Reference [link](https://plaid.com/docs/api/institutions/#institutionsget)
+ 2. **Create a Public Token**:
+ You will need to create a public token. Use the institution_id that you retrieved from Step 1 and hit **/public_token/create** endpoint. Reference [link](https://plaid.com/docs/api/sandbox/#sandboxpublic_tokencreate)
+ 3. **Obtain the Access token**:
+ Now, use the public_token you obtained from Step 2 to exchange it for an access_token. Send the public_token to this **/item/public_token/** exchange . Reference [link](https://plaid.com/docs/api/items/#itempublic_tokenexchange)
+
+
+ 4. **Store the Access Token Securely**:
+
+
| Plaid Parameters | Description |
|----------|----------|
| Client ID | Client of the Plaid account. |
| Secret | Secret of the Plaid account |
+| Access Token | Access Token of the Plaid account |
+
## Data Collected
-The crawler will implement data collection of Plaid logs for the List of Transfer events, remove sensitive data and send it to Datadog.
+The crawler will implement data collection of Plaid logs for the List of Transfer events, Recurring Transfer events, Investment transactions
+events and Auth metrics. Sensitive data are removed and sent to Datadog.
## Troubleshooting
diff --git a/plaid/assets/dashboards/plaid_overview.json b/plaid/assets/dashboards/plaid_overview.json
index 71fc8288c819d..f76b814381a6c 100644
--- a/plaid/assets/dashboards/plaid_overview.json
+++ b/plaid/assets/dashboards/plaid_overview.json
@@ -32,7 +32,7 @@
{
"id": 8289666179599236,
"definition": {
- "title": "Total Events",
+ "title": "Total number of Plaid Logs",
"title_size": "16",
"title_align": "left",
"type": "query_value",
@@ -69,196 +69,275 @@ "layout": { "x": 0, "y": 0, - "width": 6, - "height": 2 + "width": 3, + "height": 3 } }, { - "id": 5495912710157440, + "id": 5198861967020346, "definition": { - "title": "Transfer Error Count", + "title": "Networks Used", "title_size": "16", "title_align": "left", - "type": "query_value", + "type": "toplist", "requests": [ { - "formulas": [ - { - "formula": "query2" - } - ], + "style": { + "palette": "dog_classic" + }, + "response_format": "scalar", "queries": [ { + "name": "query1", "data_source": "logs", - "name": "query2", + "search": { + "query": "source:plaid_logs" + }, "indexes": [ "*" ], + "group_by": [ + { + "facet": "@network", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], "compute": { "aggregation": "count" }, - "group_by": [], - "search": { - "query": "source:plaid_logs @failure_reason.description:*" - }, "storage": "hot" } ], - "response_format": "scalar" + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } } ], - "autoscale": true, - "precision": 2, - "timeseries_background": { - "yaxis": { - "include_zero": true - }, - "type": "area" + "custom_links": [], + "style": { + "scaling": "relative" } }, "layout": { - "x": 0, - "y": 2, + "x": 3, + "y": 0, "width": 3, "height": 3 } }, { - "id": 2734456775436858, + "id": 1901817483012866, "definition": { - "title": "Transaction Error Rate (%)", + "title": "Currencies used", "title_size": "16", "title_align": "left", - "type": "query_value", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", "requests": [ { "formulas": [ { - "formula": "(query1 / query2) * 100" + "alias": "Plaid Transfer", + "formula": "query2" + }, + { + "alias": "Plaid Recurring Transfer", + "formula": "query1" + }, + { + 
"alias": "Plaid Investment Transactions", + "formula": "query3" } ], "queries": [ { + "name": "query2", "data_source": "logs", - "name": "query1", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, "indexes": [ "*" ], + "group_by": [ + { + "facet": "@iso_currency_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "iso_currency_code" + }, + "should_exclude_missing": true + } + ], "compute": { - "aggregation": "count" - }, - "group_by": [], - "search": { - "query": "source:plaid_logs @failure_reason.description:*" + "aggregation": "count", + "metric": "iso_currency_code" }, "storage": "hot" }, { + "name": "query1", "data_source": "logs", - "name": "query2", + "search": { + "query": "source:plaid_logs @label:plaid_recurring_transfer" + }, "indexes": [ "*" ], + "group_by": [ + { + "facet": "@iso_currency_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "iso_currency_code" + }, + "should_exclude_missing": true + } + ], "compute": { - "aggregation": "count" + "aggregation": "count", + "metric": "iso_currency_code" }, - "group_by": [], + "storage": "hot" + }, + { + "name": "query3", + "data_source": "logs", "search": { - "query": "source:plaid_logs" + "query": "source:plaid_logs @label:plaid_investment_transactions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@iso_currency_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "iso_currency_code" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count", + "metric": "iso_currency_code" }, "storage": "hot" } ], - "response_format": "scalar" + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" } ], - "autoscale": true, - "precision": 2, - "timeseries_background": { - "type": "area", - "yaxis": { - "include_zero": true - } - } + 
"custom_links": [] }, "layout": { - "x": 3, - "y": 2, - "width": 3, - "height": 3 + "x": 0, + "y": 3, + "width": 6, + "height": 4 } }, { - "id": 6974604515654690, + "id": 491873656711604, "definition": { - "title": "Description along with Failure reason", + "title": "Plaid logs timeline", "title_size": "16", "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", "requests": [ { - "response_format": "scalar", "formulas": [ { + "alias": "Count", "formula": "query1" } ], "queries": [ { - "data_source": "logs", "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs" + }, "indexes": [ "*" ], + "group_by": [], "compute": { "aggregation": "count" }, - "group_by": [ - { - "facet": "@description", - "limit": 10, - "sort": { - "order": "desc", - "aggregation": "count" - } - }, - { - "facet": "@failure_reason.description", - "limit": 10, - "sort": { - "order": "desc", - "aggregation": "count" - } - } - ], - "search": { - "query": "source:plaid_logs @failure_reason.description:*" - }, "storage": "hot" } ], + "response_format": "timeseries", "style": { - "palette": "classic" + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" }, - "sort": { - "count": 500, - "order_by": [ - { - "type": "formula", - "index": 0, - "order": "desc" - } - ] - } + "display_type": "line" } ], - "type": "sunburst", - "legend": { - "type": "automatic" - } + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] }, "layout": { "x": 0, - "y": 5, + "y": 7, "width": 6, "height": 4 } 
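Review bot: In the "Currencies used" timeseries, all three queries set `"metric": "iso_currency_code"` inside both `compute` and `sort` while the aggregation is `count`, whereas the "Networks Used" toplist in the same hunk pairs a count aggregation with `"metric": "count"` and no metric under `compute`. If the query layer ignores `metric` for count aggregations this is only noise, but it reads as though a per-field aggregation such as cardinality was intended, so the intended aggregation should be confirmed and the three query blocks made consistent with the toplist, e.g. `"compute": { "aggregation": "count" }` with `"metric": "count"` in the sort. The same pattern appears in the second "Currencies used" widget in the hunk starting at `@@ -338,41 +417,39 @@`.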
@@ -269,21 +348,21 @@ "x": 6, "y": 0, "width": 6, - "height": 10 + "height": 12 } }, { - "id": 7753683597743458, + "id": 6888657947628120, "definition": { "type": "note", "content": "Plaid specializes in financial technology by offering APIs that allow developers to integrate banking services into their applications. By connecting users' bank accounts to apps, Plaid enables features like account verification, transaction history retrieval, and balance checks. This functionality is crucial for various applications, including budgeting tools, personal finance management, and payment processing.", - "background_color": "transparent", + "background_color": "orange", "font_size": "14", "text_align": "left", "vertical_align": "center", - "show_tick": false, + "show_tick": true, "tick_pos": "50%", - "tick_edge": "left", + "tick_edge": "top", "has_padding": true }, "layout": { @@ -338,41 +417,39 @@ } }, { - "id": 5352405555753252, + "id": 6396584169657892, "definition": { - "title": "Networks Used", + "title": "Currencies used", "title_size": "16", "title_align": "left", "requests": [ { "response_format": "scalar", - "formulas": [ - { - "formula": "query1" - } - ], "queries": [ { - "data_source": "logs", "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs" + }, "indexes": [ "*" ], - "compute": { - "aggregation": "count" - }, "group_by": [ { - "facet": "@network", + "facet": "@iso_currency_code", "limit": 10, "sort": { + "aggregation": "count", "order": "desc", - "aggregation": "count" - } + "metric": "iso_currency_code" + }, + "should_exclude_missing": true } ], - "search": { - "query": "source:plaid_logs" + "compute": { + "aggregation": "count", + "metric": "iso_currency_code" }, "storage": "hot" } @@ -380,8 +457,13 @@ "style": { "palette": "datadog16" }, + "formulas": [ + { + "formula": "query1" + } + ], "sort": { - "count": 500, + "count": 10, "order_by": [ { "type": "formula", 
@@ -399,21 +481,29 @@ }, "layout": { "x": 0, - "y": 0, - "width": 6, - "height": 4, - "is_column_break": true + "y": 10, + "width": 2, + "height": 2 } }, { - "id": 4936592794883656, + "id": 6872091701376976, "definition": { - "title": "Status Distribution", + "title": "Transfer Timelines", "title_size": "16", "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", "requests": [ { - "response_format": "scalar", "formulas": [ { "formula": "query1" 
@@ -421,260 +511,1764 @@ ], "queries": [ { - "data_source": "logs", "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs" + }, "indexes": [ "*" ], - "compute": { - "aggregation": "count" - }, "group_by": [ { - "facet": "@status", + "facet": "@type", "limit": 10, "sort": { + "aggregation": "count", "order": "desc", - "aggregation": "count" + "metric": "count" } } ], - "search": { - "query": "source:plaid_logs" + "compute": { + "aggregation": "count" }, "storage": "hot" } ], + "response_format": "timeseries", "style": { - "palette": "datadog16" + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" }, - "sort": { - "count": 500, - "order_by": [ - { - "type": "formula", - "index": 0, - "order": "desc" - } - ] - } + "display_type": "line" } ], - "type": "sunburst", - "legend": { - "type": "automatic" - } + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] }, "layout": { - "x": 6, - "y": 0, - "width": 6, - "height": 4 + "x": 2, + "y": 10, + "width": 4, + "height": 2 } }, { - "id": 2256059020192036, + "id": 6507797404373716, "definition": { - "title": "Unswept Status Rate (%)", - "title_size": "16", - "title_align": "left", - "type": "query_value", - "requests": [ + "title": "Plaid Investment Transactions", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ { - "formulas": [ - { - "formula": "(query1 / query2) * 100", - "number_format": { - "unit": { - "type": "canonical_unit", - "unit_name": "percent" - } - } - } - ], - "queries": [ - { - "data_source": "logs", - "name": "query1", - "indexes": [ - "*" - ], - "compute": { - "aggregation": "count" - }, - "group_by": [], - "search": { - "query": "source:plaid_logs @sweep_status:unswept" - }, - "storage": "hot" - }, - { - "data_source": "logs", - "name": "query2", - "indexes": [ - "*" - ], - 
"compute": { - "aggregation": "count" - }, - "group_by": [], - "search": { - "query": "source:plaid_logs @sweep_status:*" + "id": 7690725951466864, + "definition": { + "type": "note", + "content": "The Investments product allows you to obtain holding, security, and transactions data for investment-type accounts in financial institutions within the United States and Canada. This data can be used for personal financial management tools and wealth management analysis.", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "top", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 7996023834699400, + "definition": { + "title": "Total number of Investment transactions logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_investment_transactions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 1 + } + }, + { + "id": 3785939928442116, + "definition": { + "title": "Distribution of the transactions by subtype.", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_investment_transactions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 1, + "width": 6, + "height": 3 + } + }, + { + "id": 1041903857507390, + "definition": { + "title": "Investment Transactions Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:plaid_logs @label:plaid_investment_transactions", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 4 + } + }, + { + "id": 5152333920839504, + "definition": { + "title": "Count of Investment Transactions over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_investment_transactions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": 
"linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7366483526900876, + "definition": { + "title": "Top list of Account Types.", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_investment_transactions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 2 + } + } + ] + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 9 + } + }, + { + "id": 652365151769232, + "definition": { + "title": "Plaid Transfer Logs", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3363459086507342, + "definition": { + "type": "note", + "content": "Plaid Transfer (US only) is a flexible multi-rail payment platform designed for companies looking to add or improve their bank payment solution. Transfer provides all of the necessary tools to easily send and manage ACH, RTP and FedNow transactions, including:\n\n\n1. Fast settlement, simplified reconciliation: Sweep transaction funds into your treasury account quickly and balance your books with an intuitive reconciliation report.\n\n2. 
Multi-rail routing: Dynamic routing between RTP and FedNow. Fall back to same day ACH if needed\n\n3. Streamlined operational support: Manage daily operations with dashboards to easily monitor transfer activity.\n\n4. Payment risk reduction: reduce your return rates by using Plaid's risk engine.", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "top", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 4216355682334136, + "definition": { + "title": "Total number of Transfer logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 1 + } + }, + { + "id": 1006113490567224, + "definition": { + "title": "Count of Refunds", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer @refunds.id:*" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": { + "include_zero": false }, - "storage": "hot" + "type": "area" + } + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 1 + } + }, + { + "id": 4707654362742308, + 
"definition": { + "title": "Count of Failed Transfers", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer @status:failed" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 1, + "width": 3, + "height": 1 + } + }, + { + "id": 5746707889039122, + "definition": { + "title": "Rate of Failed Transfers", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1 * 100 / query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "percent" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer @status:failed" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 1, + "width": 3, + "height": 1 + } + }, + { + "id": 1898575658151360, + "definition": { + "title": "Distribution of the status of refunds", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": 
"@refunds.status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 4 + } + }, + { + "id": 2969310121977812, + "definition": { + "title": "Count of Unswept transfers", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @sweep_status:unswept" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 2, + "width": 3, + "height": 1 + } + }, + { + "id": 4639822590053068, + "definition": { + "title": "Count of Successful transfers", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer !@status:failed" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 2, + "width": 3, + "height": 1 + } + }, + { + "id": 2650168106140842, + "definition": { + "title": "Number of refunds over a time period", + 
"title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer @refunds.id:*" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 2 + } + }, + { + "id": 2503574499969062, + "definition": { + "title": "Top reasons for failed refunds", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@refunds.failure_reason.description", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 2 + } + }, + { + "id": 5887611767399214, + "definition": { + "title": "Distribution of failed 
transfers by description", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@failure_reason.description", + "limit": 10, + "sort": { + "aggregation": "cardinality", + "order": "desc", + "metric": "source" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "cardinality", + "metric": "source" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 2 + } + }, + { + "id": 732336393932538, + "definition": { + "title": " Distribution of the transactions by Account Type.", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 2 + } + }, + { + "id": 8104647410697636, + "definition": { + "title": "Count of 
currencies used for transfers", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@iso_currency_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "yaxis": { + "scale": "linear", + "include_zero": true, + "min": "auto", + "max": "auto" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 2 + } + }, + { + "id": 5561341637093252, + "definition": { + "title": "Top networks used for transfers", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } } - ], - "response_format": "scalar" 
- } - ], - "autoscale": true, - "precision": 2, - "timeseries_background": { - "type": "area", - "yaxis": { - "include_zero": true + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 2 + } + }, + { + "id": 5715489024571678, + "definition": { + "title": "Number of types of transfers over a time period", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "yaxis": { + "scale": "linear", + "include_zero": true, + "min": "auto", + "max": "auto" + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 2 + } + }, + { + "id": 2883319279943518, + "definition": { + "title": "Status of transfers over a time period", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", 
+ "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "yaxis": { + "scale": "linear", + "include_zero": true, + "min": "auto", + "max": "auto" + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 2217330694014924, + "definition": { + "title": "Distribution of currencies used for transfers", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@iso_currency_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 2 + } } - } + ] }, "layout": { "x": 0, - "y": 4, - "width": 3, - "height": 3 + "y": 21, + "width": 12, + "height": 14, + "is_column_break": true } }, { - "id": 8461972634481036, + "id": 47687444627418, "definition": { - "title": "Types of Transfer", - "title_size": "16", - "title_align": "left", - "requests": [ + "title": "Plaid Recurring Transfers", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ { - 
"response_format": "scalar", - "formulas": [ - { - "formula": "query1" - } - ], - "queries": [ - { - "data_source": "logs", - "name": "query1", - "indexes": [ - "*" - ], - "compute": { - "aggregation": "count" - }, - "group_by": [ - { - "facet": "@type", - "limit": 10, - "sort": { - "order": "desc", - "aggregation": "count" + "id": 2618835281195602, + "definition": { + "type": "note", + "content": "Recurring transfers allow you to automatically originate fixed amount ACH transactions with a regular interval according to a schedule you define. Plaid currently supports intervals with an arbitrary number of weeks or months.\n\nOnce you set up the recurring transfer, Plaid automatically originates the ACH transaction on the planned date, defined by the recurring schedule. You can look up and cancel recurring transfers. You may also receive updates about the recurring transfer itself, as well as each individual transfer originated by the recurring transfer.", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "top", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 5067077707489416, + "definition": { + "title": "Total number of Recurring Transfers logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_recurring_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 1 + } + }, + { + "id": 891342897945468, + "definition": { + "title": "Distribution of the recurring transfers 
by status.", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_recurring_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] } - ], - "search": { - "query": "source:plaid_logs" - }, - "storage": "hot" + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" } - ], - "style": { - "palette": "datadog16" }, - "sort": { - "count": 500, - "order_by": [ + "layout": { + "x": 6, + "y": 1, + "width": 6, + "height": 2 + } + }, + { + "id": 3970705828026586, + "definition": { + "title": "Recurring Transfer Logs", + "title_size": "16", + "title_align": "left", + "requests": [ { - "type": "formula", - "index": 0, - "order": "desc" + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:plaid_logs @label:plaid_recurring_transfer", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] } - ] + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 } - } - ], - "type": "sunburst", - "legend": { - "type": "automatic" - } - }, - "layout": { - "x": 3, - "y": 4, - "width": 5, - "height": 3 - } - }, - { - "id": 5682008564150520, - 
"definition": { - "title": "Different Currency Used", - "title_size": "16", - "title_align": "left", - "requests": [ + }, { - "response_format": "scalar", - "formulas": [ - { - "formula": "query1" - } - ], - "queries": [ - { - "data_source": "logs", - "name": "query1", - "indexes": [ - "*" - ], - "compute": { - "aggregation": "count" - }, - "group_by": [ - { - "facet": "@iso_currency_code", - "limit": 10, - "sort": { - "order": "desc", - "aggregation": "count" + "id": 3184454323637298, + "definition": { + "title": "Count of recurring transfers over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" } - } - ], - "search": { - "query": "source:plaid_logs" - }, - "storage": "hot" - } - ], - "style": { - "palette": "datadog16" + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:plaid_logs @label:plaid_recurring_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] }, - "sort": { - "count": 500, - "order_by": [ + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 2 + } + }, + { + "id": 1407447907889578, + "definition": { + "title": " Top list of Account Types of Recurring transfers ", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ { - "type": "formula", - "index": 0, - "order": "desc" + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:plaid_logs @label:plaid_recurring_transfer" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } } - ] + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 2 } } - ], - "type": "sunburst", - "legend": { - "type": "automatic" - } + ] }, "layout": { - "x": 8, - "y": 4, - "width": 4, - "height": 3 + "x": 0, + "y": 35, + "width": 12, + "height": 8 } } ], diff --git a/plaid/assets/logs/plaid.yaml b/plaid/assets/logs/plaid.yaml index f0e475c139f71..de69e4d62381c 100644 --- a/plaid/assets/logs/plaid.yaml +++ b/plaid/assets/logs/plaid.yaml @@ -6,11 +6,12 @@ metric_id: plaid # If id and app_id already match, this field can be left blank. backend_only: false facets: - - facetType: list + - description: "" + facetType: list groups: - Plaid - name: Account id - path: plaid_account_id + name: Log Label + path: label source: log type: string pipeline: @@ -21,7 +22,7 @@ pipeline: query: "source:plaid" processors: - type: attribute-remapper - name: "Map `created` to `timestamp`" + name: Map `created` to `timestamp` enabled: true sources: - created diff --git a/plaid/assets/logs/plaid_tests.yaml b/plaid/assets/logs/plaid_tests.yaml index b11b574c44239..d0e37ee789668 100644 --- a/plaid/assets/logs/plaid_tests.yaml +++ b/plaid/assets/logs/plaid_tests.yaml 
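Review bot: The new `label` facet is added with `description: ""`, which leaves it unexplained in the Logs explorer even though the dashboard queries in this same change filter on `@label:plaid_transfer` and `@label:plaid_recurring_transfer`, so the value set is known and worth stating, e.g. `description: "Plaid log record type, such as plaid_transfer or plaid_recurring_transfer"`. The same hunk drops the `Account id` facet on `plaid_account_id`; any saved view or monitor filtering on that facet silently stops matching, so confirm nothing depends on it or keep both facets. No processor visible in this diff sets `label`, so the facet relies on the attribute being present in the raw log or added elsewhere in the pipeline — worth confirming.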
@@ -4,74 +4,236 @@ tests: sample: |- { "amount" : "12.34", - "authorization_id" : "128ff9dc-6634-22f3-a8d7-0902fc8dd99a", - "created" : "2024-12-20T12:04:24.386329Z", + "authorization_id" : "3e77aebb-444e-9a71-4c70-9cde604c0689", + "created" : "2025-04-15T04:31:55.577677Z", "description" : "posted", + "failure_reason" : { + "ach_return_code" : "R01", + "failure_code" : "R01", + "description" : "Insufficient funds" + }, "type" : "debit", "cancellable" : false, - "standard_return_window" : "2024-12-26", "network" : "ach", - "originator_client_id" : "66d5881a2972360019c5e068", + "originator_client_id" : "66dec76ee40771001aff0759", "sweep_status" : "unswept", - "account_id" : "dLaW3JympPiWRaz9NGPwUB98VNmDPLcJ3AXxr", + "account_id" : "yngxaDxQXXT8Eok5Aw7RIx3qwmXzjQF4RbrPE", "ach_class" : "ppd", "iso_currency_code" : "USD", "origination_account_id" : "", - "unauthorized_return_window" : "2025-03-21", - "id" : "6ed7708c-9e7a-9a79-13fc-a65e2f771a76", - "ledger_id" : "4b15ee7e-a39f-4c94-a84e-bfa3982a7737", + "id" : "54ad77b7-b08b-06f1-3d2d-86d7a0c6e25e", + "ledger_id" : "2ec67c41-a3c6-4501-a31e-757b362fa0be", "user" : { - "legal_name" : "Anne Charleston" + "legal_name" : "Alberta Bobbeth Charleson" }, - "status" : "posted" + "status" : "failed" } result: custom: - account_id: "dLaW3JympPiWRaz9NGPwUB98VNmDPLcJ3AXxr" + account_id: "yngxaDxQXXT8Eok5Aw7RIx3qwmXzjQF4RbrPE" ach_class: "ppd" amount: "12.34" - authorization_id: "128ff9dc-6634-22f3-a8d7-0902fc8dd99a" + authorization_id: "3e77aebb-444e-9a71-4c70-9cde604c0689" cancellable: false - created: "2024-12-20T12:04:24.386329Z" + created: "2025-04-15T04:31:55.577677Z" description: "posted" - id: "6ed7708c-9e7a-9a79-13fc-a65e2f771a76" + failure_reason: + ach_return_code: "R01" + description: "Insufficient funds" + failure_code: "R01" + id: "54ad77b7-b08b-06f1-3d2d-86d7a0c6e25e" iso_currency_code: "USD" - ledger_id: "4b15ee7e-a39f-4c94-a84e-bfa3982a7737" + ledger_id: "2ec67c41-a3c6-4501-a31e-757b362fa0be" network: "ach" 
origination_account_id: "" - originator_client_id: "66d5881a2972360019c5e068" - standard_return_window: "2024-12-26" - status: "posted" + originator_client_id: "66dec76ee40771001aff0759" + status: "failed" sweep_status: "unswept" - timestamp: "2024-12-20T12:04:24.386329Z" + timestamp: "2025-04-15T04:31:55.577677Z" type: "debit" - unauthorized_return_window: "2025-03-21" user: - legal_name: "Anne Charleston" + legal_name: "Alberta Bobbeth Charleson" message: |- { "amount" : "12.34", - "authorization_id" : "128ff9dc-6634-22f3-a8d7-0902fc8dd99a", - "created" : "2024-12-20T12:04:24.386329Z", + "authorization_id" : "3e77aebb-444e-9a71-4c70-9cde604c0689", + "created" : "2025-04-15T04:31:55.577677Z", "description" : "posted", + "failure_reason" : { + "ach_return_code" : "R01", + "failure_code" : "R01", + "description" : "Insufficient funds" + }, "type" : "debit", "cancellable" : false, - "standard_return_window" : "2024-12-26", "network" : "ach", - "originator_client_id" : "66d5881a2972360019c5e068", + "originator_client_id" : "66dec76ee40771001aff0759", "sweep_status" : "unswept", - "account_id" : "dLaW3JympPiWRaz9NGPwUB98VNmDPLcJ3AXxr", + "account_id" : "yngxaDxQXXT8Eok5Aw7RIx3qwmXzjQF4RbrPE", + "ach_class" : "ppd", + "iso_currency_code" : "USD", + "origination_account_id" : "", + "id" : "54ad77b7-b08b-06f1-3d2d-86d7a0c6e25e", + "ledger_id" : "2ec67c41-a3c6-4501-a31e-757b362fa0be", + "user" : { + "legal_name" : "Alberta Bobbeth Charleson" + }, + "status" : "failed" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1744691515577 + - + sample: |- + { + "amount" : "12.34", + "created" : "2025-04-15T07:10:31.960472Z", + "description" : "payment", + "type" : "credit", + "network" : "ach", + "funding_account_id" : "", + "schedule" : { + "end_date" : "2025-04-22", + "interval_count" : 1, + "interval_unit" : "week", + "interval_execution_day" : 5, + "start_date" : "2025-04-15" + }, + "account_id" : "yngxaDxQXXT8Eok5Aw7RIx3qwmXzjQF4RbrPE", + "ach_class" : "ppd", + 
"next_origination_date" : "2025-04-18", + "iso_currency_code" : "USD", + "origination_account_id" : "", + "recurring_transfer_id" : "fbba61d8-085a-0a9f-1bd1-2fe4efb4638e", + "user" : { + "address" : { + "country" : "US", + "city" : "San Francisco", + "street" : "123 Main St.", + "postal_code" : "94053", + "region" : "CA" + }, + "email_address" : "acharleston@email.com", + "phone_number" : "510-555-0128", + "legal_name" : "Anne Charleston" + }, + "status" : "active" + } + result: + custom: + account_id: "yngxaDxQXXT8Eok5Aw7RIx3qwmXzjQF4RbrPE" + ach_class: "ppd" + amount: "12.34" + created: "2025-04-15T07:10:31.960472Z" + description: "payment" + funding_account_id: "" + iso_currency_code: "USD" + network: "ach" + next_origination_date: "2025-04-18" + origination_account_id: "" + recurring_transfer_id: "fbba61d8-085a-0a9f-1bd1-2fe4efb4638e" + schedule: + end_date: "2025-04-22" + interval_count: 1 + interval_execution_day: 5 + interval_unit: "week" + start_date: "2025-04-15" + status: "active" + timestamp: "2025-04-15T07:10:31.960472Z" + type: "credit" + user: + address: + city: "San Francisco" + country: "US" + postal_code: "94053" + region: "CA" + street: "123 Main St." 
+ email_address: "acharleston@email.com" + legal_name: "Anne Charleston" + phone_number: "510-555-0128" + message: |- + { + "amount" : "12.34", + "created" : "2025-04-15T07:10:31.960472Z", + "description" : "payment", + "type" : "credit", + "network" : "ach", + "funding_account_id" : "", + "schedule" : { + "end_date" : "2025-04-22", + "interval_count" : 1, + "interval_unit" : "week", + "interval_execution_day" : 5, + "start_date" : "2025-04-15" + }, + "account_id" : "yngxaDxQXXT8Eok5Aw7RIx3qwmXzjQF4RbrPE", "ach_class" : "ppd", + "next_origination_date" : "2025-04-18", "iso_currency_code" : "USD", "origination_account_id" : "", - "unauthorized_return_window" : "2025-03-21", - "id" : "6ed7708c-9e7a-9a79-13fc-a65e2f771a76", - "ledger_id" : "4b15ee7e-a39f-4c94-a84e-bfa3982a7737", + "recurring_transfer_id" : "fbba61d8-085a-0a9f-1bd1-2fe4efb4638e", "user" : { + "address" : { + "country" : "US", + "city" : "San Francisco", + "street" : "123 Main St.", + "postal_code" : "94053", + "region" : "CA" + }, + "email_address" : "acharleston@email.com", + "phone_number" : "510-555-0128", "legal_name" : "Anne Charleston" }, - "status" : "posted" + "status" : "active" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1744701031960 + - + sample: |- + { + "date" : "2025-04-17", + "amount" : -2066.58, + "fees" : 0, + "account_id" : "6EPMwLMZ33UpbKq4zal9HRDm5rj7QAc87prQp", + "quantity" : -49.02909689729298, + "subtype" : "sell", + "investment_transaction_id" : "ln4LXJLrGGTWEXpnV8g9s8K5wxakjXcpAy6GB", + "price" : 41.62, + "iso_currency_code" : "USD", + "name" : "SELL iShares Inc MSCI Brazil", + "type" : "sell", + "security_id" : "abJamDazkgfvBkVGgnnLUWXoxnomp5up8llg4" + } + result: + custom: + account_id: "6EPMwLMZ33UpbKq4zal9HRDm5rj7QAc87prQp" + amount: -2066.58 + date: "2025-04-17" + fees: 0 + investment_transaction_id: "ln4LXJLrGGTWEXpnV8g9s8K5wxakjXcpAy6GB" + iso_currency_code: "USD" + name: "SELL iShares Inc MSCI Brazil" + price: 41.62 + quantity: -49.02909689729298 + security_id: 
"abJamDazkgfvBkVGgnnLUWXoxnomp5up8llg4" + subtype: "sell" + type: "sell" + message: |- + { + "date" : "2025-04-17", + "amount" : -2066.58, + "fees" : 0, + "account_id" : "6EPMwLMZ33UpbKq4zal9HRDm5rj7QAc87prQp", + "quantity" : -49.02909689729298, + "subtype" : "sell", + "investment_transaction_id" : "ln4LXJLrGGTWEXpnV8g9s8K5wxakjXcpAy6GB", + "price" : 41.62, + "iso_currency_code" : "USD", + "name" : "SELL iShares Inc MSCI Brazil", + "type" : "sell", + "security_id" : "abJamDazkgfvBkVGgnnLUWXoxnomp5up8llg4" } tags: - "source:LOGS_SOURCE" - timestamp: 1734696264386 \ No newline at end of file + timestamp: 1 \ No newline at end of file diff --git a/plaid/images/plaid_other_logs.png b/plaid/images/plaid_other_logs.png index 888f8e41bb2d2..6a0d1176df7fa 100644 Binary files a/plaid/images/plaid_other_logs.png and b/plaid/images/plaid_other_logs.png differ diff --git a/plaid/images/plaid_overview.png b/plaid/images/plaid_overview.png index 9eb80998ad432..d6df97edbcf28 100644 Binary files a/plaid/images/plaid_overview.png and b/plaid/images/plaid_overview.png differ diff --git a/plaid/manifest.json b/plaid/manifest.json index 87668cecf5ef0..cb06991fceca5 100644 --- a/plaid/manifest.json +++ b/plaid/manifest.json @@ -18,7 +18,7 @@ }, { "media_type": "image", - "caption": "Overview of other logs visualized", + "caption": "Overview of other Plaid Logs", "image_url": "images/plaid_other_logs.png" } ], 
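Review bot: The third sample's expected `timestamp: 1` reads as a placeholder rather than a computed value: the two preceding samples pin the epoch-millisecond value of their `created` field (`1744691515577`, `1744701031960`), while this investment-transaction sample has no `created`, only `date: "2025-04-17"`, and its expected `custom` block accordingly carries no `timestamp` attribute. If the pipeline is meant to derive the log timestamp from `date` for this record type, the remapper has to cover it and the test should assert the real value (`1744848000000` if `date` is taken as UTC midnight); if not, the expectation should say that ingestion time is used instead of leaving `1`. Separately, the recurring-transfer sample embeds an email address, phone number and street address — the names match Plaid's published sandbox personas, so they appear synthetic, but keep fixtures that way and avoid pasting real webhook payloads into tests. The file still ends without a trailing newline.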
@@ -30,24 +30,24 @@ }, "assets": { "integration": { - "auto_install": true, - "source_type_id": 30173459, - "source_type_name": "plaid", - "events": { - "creates_events": false - }, - "service_checks": { - "metadata_path": "assets/service_checks.json" + "auto_install": true, + "source_type_id": 30173459, + "source_type_name": "plaid", + "events": { + "creates_events": false + }, + "service_checks": { + "metadata_path": "assets/service_checks.json" + } + }, + "dashboards": { + "Plaid logs Overview": "assets/dashboards/plaid_overview.json" } }, - "dashboards": { - "Plaid logs Overview": "assets/dashboards/plaid_overview.json" - } -}, "author": { "support_email": "help@datadoghq.com", "name": "Datadog", "homepage": "https://www.datadoghq.com", "sales_email": "info@datadoghq.com" } -} +} \ No newline at end of file diff --git a/postgres/CHANGELOG.md b/postgres/CHANGELOG.md index 812626338b0c4..b18065ddcd149 100644 --- a/postgres/CHANGELOG.md +++ b/postgres/CHANGELOG.md @@ -29,7 +29,7 @@ * Add handling for IndeterminateDatatype error in explain plan collection ([#19969](https://github.com/DataDog/integrations-core/pull/19969)) * Add handling for UndefinedFunction error in explain plan collection ([#19998](https://github.com/DataDog/integrations-core/pull/19998)) -## 22.8.0 / 2025-03-19 +## 22.8.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/redisdb/CHANGELOG.md b/redisdb/CHANGELOG.md index 322c288db877f..bd3b1848a4dd7 100644 --- a/redisdb/CHANGELOG.md +++ b/redisdb/CHANGELOG.md @@ -2,7 +2,7 @@ -## 7.2.0 / 2025-03-19 +## 7.2.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/redisdb/changelog.d/20227.added b/redisdb/changelog.d/20227.added new file mode 100644 index 0000000000000..65aa7b0546fe7 --- /dev/null +++ b/redisdb/changelog.d/20227.added @@ -0,0 +1 @@ +Add support of Redis 8 diff --git a/redisdb/datadog_checks/redisdb/redisdb.py b/redisdb/datadog_checks/redisdb/redisdb.py index cbfaaf5d19531..8b5c8274598e0 100644 
--- a/redisdb/datadog_checks/redisdb/redisdb.py +++ b/redisdb/datadog_checks/redisdb/redisdb.py @@ -23,7 +23,7 @@ class Redis(AgentCheck): - db_key_pattern = re.compile(r'^db\d+') + db_key_pattern = re.compile(r'^db\d+$') slave_key_pattern = re.compile(r'^slave\d+') subkeys = ['keys', 'expires'] diff --git a/redisdb/hatch.toml b/redisdb/hatch.toml index b4f02e3d707e8..c3a0c2a58420f 100644 --- a/redisdb/hatch.toml +++ b/redisdb/hatch.toml @@ -2,12 +2,12 @@ [[envs.default.matrix]] python = ["3.12"] -version = ["5.0", "6.0", "7.0", "cloud"] +version = ["5.0", "6.0", "7.0", "8.0", "cloud"] [envs.default.overrides] matrix.version.env-vars = [ - { key = "REDIS_VERSION", if = ["5.0", "6.0", "7.0"] }, - { key = "CLOUD_ENV", value = "false", if = ["5.0", "6.0", "7.0"] }, + { key = "REDIS_VERSION", if = ["5.0", "6.0", "7.0", "8.0"] }, + { key = "CLOUD_ENV", value = "false", if = ["5.0", "6.0", "7.0", "8.0"] }, { key = "REDIS_VERSION", value="7.0", if = ["cloud"] }, { key = "CLOUD_ENV", value = "true", if = ["cloud"] }, ] diff --git a/requirements-agent-release.txt b/requirements-agent-release.txt index 3d8b9af35fa90..321e76e153a2b 100644 --- a/requirements-agent-release.txt +++ b/requirements-agent-release.txt @@ -130,7 +130,7 @@ datadog-mesos-master==5.1.0; sys_platform != 'win32' datadog-mesos-slave==5.1.0; sys_platform != 'win32' datadog-milvus==1.2.0 datadog-mongo==9.1.0 -datadog-mysql==15.3.0 +datadog-mysql==15.3.1 datadog-nagios==3.0.0 datadog-network==5.2.0 datadog-nfsstat==3.0.0; sys_platform == 'linux2' diff --git a/riakcs/CHANGELOG.md b/riakcs/CHANGELOG.md index ef8db22ba9227..54749189c399a 100644 --- a/riakcs/CHANGELOG.md +++ b/riakcs/CHANGELOG.md @@ -8,7 +8,7 @@ * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962)) -## 4.3.0 / 2025-03-19 +## 4.3.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/silverstripe_cms/CHANGELOG.md b/silverstripe_cms/CHANGELOG.md index 67d801f73391b..0562f17f6535b 100644 
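Review bot: `slave_key_pattern` on the context line directly below the fix is still the unanchored `r'^slave\d+'`, so it keeps exactly the prefix-match looseness this hunk removes from `db_key_pattern` — any INFO key that merely starts with `slaveN` would be treated as a replica entry. Unless a prefix match is intentional there, anchor it the same way: `slave_key_pattern = re.compile(r'^slave\d+$')`. A one-line comment on why the `$` became necessary (presumably a new `db<N>…`-prefixed key in Redis 8, given the accompanying changelog entry) would spare the next reader the archaeology. The `Redis` class body continues outside this hunk.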
--- a/silverstripe_cms/CHANGELOG.md +++ b/silverstripe_cms/CHANGELOG.md @@ -2,7 +2,7 @@ -## 1.0.0 / 2025-03-19 +## 1.0.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/slurm/CHANGELOG.md b/slurm/CHANGELOG.md index 5d72901d2f98c..a4567f2279eb2 100644 --- a/slurm/CHANGELOG.md +++ b/slurm/CHANGELOG.md @@ -2,7 +2,7 @@ -## 1.1.0 / 2025-03-19 +## 1.1.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/slurm/changelog.d/20225.added b/slurm/changelog.d/20225.added new file mode 100644 index 0000000000000..5e606e879e03b --- /dev/null +++ b/slurm/changelog.d/20225.added @@ -0,0 +1 @@ +Add slurm node memory metrics diff --git a/slurm/changelog.d/20230.fixed b/slurm/changelog.d/20230.fixed new file mode 100644 index 0000000000000..61bdcb5800c68 --- /dev/null +++ b/slurm/changelog.d/20230.fixed @@ -0,0 +1 @@ +Fix averss, maxrss, avecpu from sacct metric set that weren't getting parsed diff --git a/slurm/changelog.d/20231.added b/slurm/changelog.d/20231.added new file mode 100644 index 0000000000000..b5e2ba92b4dd9 --- /dev/null +++ b/slurm/changelog.d/20231.added @@ -0,0 +1 @@ +Added metrics for disk reads for sacct metrics set diff --git a/slurm/datadog_checks/slurm/check.py b/slurm/datadog_checks/slurm/check.py index f4ab6ca764f62..c7c928012608a 100644 --- a/slurm/datadog_checks/slurm/check.py +++ b/slurm/datadog_checks/slurm/check.py 
@@ -235,9 +235,9 @@ def process_squeue(self, output): self.gauge('squeue.enabled', 1) def process_sacct(self, output): - # JobID |JobName |Partition|Account|AllocCPUS|AllocTRES |Elapsed |CPUTimeRAW|MaxRSS|MaxVMSize|AveCPU|AveRSS |State |ExitCode|Start |End |NodeList # noqa: E501 - # 36 |test.py |normal |root |1 |billing=1,cpu=1,mem=500M,node=1 |00:00:03 |3 | | | | |RUNNING |0:0 |2024-09-24T12:00:01 |Unknown |c1 # noqa: E501 - # 36.batch |batch | |root |1 |cpu=1,mem=500M,node=1 |00:00:03 |3 | | | | |RUNNING |0:0 |2024-09-24T12:00:01 |Unknown |c1 # noqa: E501 + # JobID |JobName |Partition|Account|AllocCPUS|AllocTRES |Elapsed |CPUTimeRAW|MaxRSS|MaxVMSize|AveCPU|AveRSS |State |ExitCode|Start |End |NodeList | AveDiskRead | MaxDiskRead # noqa: E501 + # 36 |test.py |normal |root |1 |billing=1,cpu=1,mem=500M,node=1 |00:00:03 |3 | | | | |RUNNING |0:0 |2024-09-24T12:00:01 |Unknown |c1 | 0.000000 | 0.000000 # noqa: E501 + # 36.batch |batch | |root |1 |cpu=1,mem=500M,node=1 |00:00:03 |3 | | | | |RUNNING |0:0 |2024-09-24T12:00:01 |Unknown |c1 | 0.000000 | 0.000000 # noqa: E501 lines = output.strip().split('\n') if self.debug_sacct_stats: @@ -264,11 +264,13 @@ def process_sacct(self, output): self._process_metrics(job_data, SACCT_MAP, tags) duration = parse_duration(job_data[6]) + ave_cpu = parse_duration(job_data[10]) if not duration: self.log.debug("Invalid duration for job '%s'. Skipping. Assigning duration as 0.", job_id) duration = 0 self.gauge('sacct.job.duration', duration, tags=tags) + self.gauge('sacct.slurm_job_avgcpu', ave_cpu, tags=tags) self.gauge('sacct.job.info', 1, tags=tags) self.gauge('sacct.enabled', 1) 
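Review bot: `ave_cpu = parse_duration(job_data[10])` is submitted unconditionally through `self.gauge('sacct.slurm_job_avgcpu', ave_cpu, tags=tags)`, but unlike `duration` it gets no falsy check, and the sample rows in the header comment show the `AveCPU` column empty on the job-level line (it is the step lines such as `36.batch` that carry it). Whatever `parse_duration` returns for an empty or malformed field therefore reaches the gauge as-is — if that is `None` the submission is invalid, and if it is `0` every job line would report zero average CPU. Guard it explicitly, e.g. `if ave_cpu is not None: self.gauge('sacct.slurm_job_avgcpu', ave_cpu, tags=tags)`, or log and skip as the `duration` branch does. `process_sacct` continues beyond this hunk.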
@@ -449,8 +451,17 @@ def _process_metrics(self, data, metrics_map, tags): self.log.debug("Empty metric value for '%s'. Skipping.", metric_info["name"]) continue + value = metric_value_str.strip().upper() + multiplier = 1 + if value.endswith('K'): + multiplier = 1000 + value = value[:-1] + elif value.endswith('M'): + multiplier = 1000000 + value = value[:-1] + try: - metric_value = float(metric_value_str) + metric_value = float(value) * multiplier except ValueError: self.log.debug("Invalid metric value '%s' for '%s'. Skipping.", metric_value_str, metric_info["name"]) continue diff --git a/slurm/datadog_checks/slurm/constants.py b/slurm/datadog_checks/slurm/constants.py index c5a721706830e..39a56c59a155c 100644 --- a/slurm/datadog_checks/slurm/constants.py +++ b/slurm/datadog_checks/slurm/constants.py @@ -6,14 +6,14 @@ "Partition:|,NodeList:|,CPUs:|,Available:|,Memory:|,Cluster:|,NodeAIOT:|,StateLong:|,Nodes:", ] SINFO_NODE_PARAMS = ["-haNO", "PartitionName:|,Available:|,NodeList:|,CPUsState:|,Memory:|,Cluster:"] -SINFO_ADDITIONAL_NODE_PARAMS = "|,CPUsLoad:|,FreeMem:|,Disk:|,StateLong:|,Reason:|,features_act:|,Threads:" +SINFO_ADDITIONAL_NODE_PARAMS = "|,CPUsLoad:|,FreeMem:|,Disk:|,StateLong:|,Reason:|,Features_act:|,Threads:|,AllocMem:" GPU_PARAMS = "|,Gres:|,GresUsed:" SQUEUE_PARAMS = ["-aho", "%A|%u|%j|%T|%N|%C|%R|%m|%P"] SSHARE_PARAMS = ["-alnPU"] SACCT_PARAMS = [ "-anpo", - "JobID,JobName%40,Partition,Account,AllocCPUs,AllocTRES%40,Elapsed,CPUTimeRAW,MaxRSS,MaxVMSize,AveCPU,AveRSS,State,ExitCode,Start,End,NodeList", - "--units=M", + "JobID,JobName%40,Partition,Account,AllocCPUs,AllocTRES%40,Elapsed,CPUTimeRAW,MaxRSS,MaxVMSize,AveCPU,AveRSS,State,ExitCode,Start,End,NodeList,AveDiskRead,MaxDiskRead", + "--units=K", ] SCONTROL_PARAMS = ["listpid"] 
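Review bot: The new suffix handling multiplies `K` by 1000 and `M` by 1000000, but sacct's `--units` conversion (switched to `--units=K` in this same change) is, as far as I know, 1024-based for memory fields such as MaxRSS and AveRSS, so the submitted values would be off by roughly 2.4% (K) and 4.9% (M) — verify against Slurm's unit handling and use `1024` / `1024 ** 2` if so. Only `K` and `M` are recognised; a `G` or `T` suffix falls through to `float()`, raises `ValueError` and is skipped at debug level, which is easy to miss on a large-memory job. A small lookup table makes both points explicit: `multiplier = {'K': 1024, 'M': 1024 ** 2, 'G': 1024 ** 3}.get(value[-1:], 1)` followed by `if multiplier != 1: value = value[:-1]`. Note that `_process_metrics` applies this scaling to every metric set, not just sacct, so a short comment naming which fields are expected to carry a suffix would help. The function starts outside this hunk.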
@@ -47,9 +47,11 @@ {"name": "slurm_node_threads", "index": 12}, ], "metrics": [ + {"name": "node.memory", "index": 4}, {"name": "node.cpu_load", "index": 6}, {"name": "node.free_mem", "index": 7}, {"name": "node.tmp_disk", "index": 8}, + {"name": "node.alloc_mem", "index": 13}, ], } @@ -87,7 +89,6 @@ {"name": "slurm_job_account", "index": 3}, {"name": "slurm_job_cpus", "index": 4}, {"name": "slurm_job_tres_per_node", "index": 5}, - {"name": "slurm_job_maxvm", "index": 9}, {"name": "slurm_job_state", "index": 12}, {"name": "slurm_job_exitcode", "index": 13}, {"name": "slurm_job_node_list", "index": 16}, @@ -95,8 +96,10 @@ "metrics": [ {"name": "sacct.slurm_job_cputime", "index": 7}, {"name": "sacct.slurm_job_maxrss", "index": 8}, - {"name": "sacct.slurm_job_avgcpu", "index": 10}, + {"name": "sacct.slurm_job_maxvm", "index": 9}, {"name": "sacct.slurm_job_avgrss", "index": 11}, + {"name": "sacct.slurm_job_ave_disk_read", "index": 17}, + {"name": "sacct.slurm_job_max_disk_read", "index": 18}, ], } diff --git a/slurm/metadata.csv b/slurm/metadata.csv index ee09386864151..22e08c145dc4c 100644 --- a/slurm/metadata.csv +++ b/slurm/metadata.csv @@ -1,4 +1,5 @@ metric_name,metric_type,interval,unit_name,per_unit_name,description,orientation,integration,short_name,curated_metric,sample_tags +slurm.node.alloc_mem,gauge,,megabyte,,Number of megabytes allocated on the node.,1,slurm,slurm_node_alloc_mem,, slurm.node.cpu.allocated,gauge,,cpu,,Number of CPUs allocated on the node for job-related tasks.,1,slurm,slurm_node_cpu_alloc,, slurm.node.cpu.idle,gauge,,cpu,,Number of idle CPUs on the node.,1,slurm,slurm_node_cpu_idle,, slurm.node.cpu.other,gauge,,cpu,,Number of CPUs performing other or non-job-related tasks on the node.,1,slurm,slurm_node_cpu_other,, 
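Review bot: Removing `slurm_job_maxvm` from the sacct tag list is a user-visible change — any dashboard or monitor filtering sacct metrics by that tag stops matching — and none of the bundled `changelog.d` entries (node memory metrics, disk-read metrics, the parse fix) mention it, so it deserves its own `changed` or `removed` entry. The new metric names `sacct.slurm_job_maxvm`, `sacct.slurm_job_ave_disk_read` and `sacct.slurm_job_max_disk_read` also have no matching rows in the `metadata.csv` hunks of this diff; if they are not already declared there, add them with a unit consistent with the suffix scaling chosen in `_process_metrics`. Since `sacct.slurm_job_avgcpu` moved out of `SACCT_MAP` into an explicit gauge in `check.py`, a comment beside the map, e.g. `# AveCPU (index 10) is a duration and is parsed in process_sacct, not here`, would stop someone re-adding it.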
@@ -8,6 +9,7 @@ slurm.node.free_mem,gauge,,megabyte,,Free memory on the node as reported by the slurm.node.gpu_total,gauge,,,,Total number of GPUs on the node.,1,slurm,slurm_node_gpu_total,, slurm.node.gpu_used,gauge,,,,Number of GPUs used on the node.,1,slurm,slurm_node_gpu_used,, slurm.node.info,gauge,,,,Information about the Slurm node.,1,slurm,slurm_node_info,, +slurm.node.memory,gauge,,megabyte,,Total memory on the node as reported by the OS.,1,slurm,slurm_node_memory,, slurm.node.tmp_disk,gauge,,megabyte,,Temporary disk space on the node as reported by the OS.,1,slurm,slurm_node_tmp_disk,, slurm.partition.cpu.allocated,gauge,,cpu,,Number of CPUs allocated on the partition for job-related tasks.,1,slurm,slurm_partition_cpu_alloc,, slurm.partition.cpu.idle,gauge,,cpu,,Number of idle CPUs on the partition.,1,slurm,slurm_partition_cpu_idle,, diff --git a/slurm/tests/common.py b/slurm/tests/common.py index 6a8f79c5a3686..ca8b7a5dd2223 100644 --- a/slurm/tests/common.py +++ b/slurm/tests/common.py @@ -45,8 +45,8 @@ def mock_output(filename): 'tags': [], }, # Node metrics - # PARTITION |AVAIL |NODELIST |NODES(A/I/O/T) |MEMORY |CLUSTER |CPU_LOAD |FREE_MEM |TMP_DISK |STATE |REASON |ACTIVE_FEATURES |THREADS |GRES |GRES_USED # noqa: E501 - # normal* |up |c1 |0/1/0/1 | 1000 |N/A | 1.46 | 4076 | 0 |idle |none |(null) | 1 |gpu:tesla:4 |gpu:tesla:3(IDX:0,2-3) # noqa: E501 + # PARTITION |AVAIL |NODELIST |CPUSTATE(A/I/O/T) |MEMORY |CLUSTER |CPU_LOAD |FREE_MEM |TMP_DISK |STATE |REASON |ACTIVE_FEATURES |THREADS |ALLOCMEM|GRES |GRES_USED # noqa: E501 + # normal* |up |c1 |0/1/0/1 | 1000 |N/A | 1.46 | 4076 | 0 |idle |none |(null) | 1 |0 |gpu:tesla:4 |gpu:tesla:3(IDX:0,2-3) # noqa: E501 { 'name': 'slurm.node.cpu.allocated', 'value': 0, 
@@ -155,6 +155,42 @@ def mock_output(filename): 'slurm_default_partition:true', ], }, + { + 'name': 'slurm.node.memory', + 'value': 1000, + 'tags': [ + 'slurm_node_active_features:null', + 'slurm_node_availability:up', + 'slurm_node_cluster:N/A', + 'slurm_node_memory:1000', + 'slurm_node_name:c1', + 'slurm_node_state_reason:none', + 'slurm_node_state:idle', + 'slurm_node_threads:1', + 'slurm_partition_name:normal', + 'slurm_partition_gpu_type:tesla', + 'slurm_partition_gpu_used_idx:0,2-3', + 'slurm_default_partition:true', + ], + }, + { + 'name': 'slurm.node.alloc_mem', + 'value': 0, + 'tags': [ + 'slurm_node_active_features:null', + 'slurm_node_availability:up', + 'slurm_node_cluster:N/A', + 'slurm_node_memory:1000', + 'slurm_node_name:c1', + 'slurm_node_state_reason:none', + 'slurm_node_state:idle', + 'slurm_node_threads:1', + 'slurm_partition_name:normal', + 'slurm_partition_gpu_type:tesla', + 'slurm_partition_gpu_used_idx:0,2-3', + 'slurm_default_partition:true', + ], + }, { 'name': 'slurm.node.gpu_total', 'value': 4, @@ -227,8 +263,8 @@ def mock_output(filename): 'slurm_default_partition:true', ], }, - # PARTITION |AVAIL |NODELIST |NODES(A/I/O/T) |MEMORY |CLUSTER |CPU_LOAD |FREE_MEM |TMP_DISK |STATE |REASON |ACTIVE_FEATURES |THREADS |GRES |GRES_USED # noqa: E501 - # normal* |up |c2 |0/1/0/1 | 1000 |N/A | 1.46 | 4076 | 0 |idle# |none |(null) | 1 |gpu:tesla:4 |gpu:tesla:4(IDX:0-3) # noqa: E501 + # PARTITION |AVAIL |NODELIST |CPUSTATE(A/I/O/T) |MEMORY |CLUSTER |CPU_LOAD |FREE_MEM |TMP_DISK |STATE |REASON |ACTIVE_FEATURES |THREADS |ALLOCMEM|GRES |GRES_USED # noqa: E501 + # normal* |up |c2 |0/1/0/1 | 1000 |N/A | 1.46 | 4076 | 0 |idle# |none |(null) | 1 |0 |gpu:tesla:4 |gpu:tesla:4(IDX:0-3) # noqa: E501 { 'name': 'slurm.node.cpu.allocated', 'value': 0, 
@@ -343,6 +379,44 @@ def mock_output(filename): 'slurm_default_partition:true', ], }, + { + 'name': 'slurm.node.memory', + 'value': 1000, + 'tags': [ + 'slurm_node_active_features:null', + 'slurm_node_availability:up', + 'slurm_node_cluster:N/A', + 'slurm_node_memory:1000', + 'slurm_node_name:c2', + 'slurm_node_state_reason:none', + 'slurm_node_state:idle', + 'slurm_node_threads:1', + 'slurm_partition_name:normal', + 'slurm_partition_gpu_type:tesla', + 'slurm_partition_gpu_used_idx:0-3', + 'sinfo_state_code:powering_up_configured', + 'slurm_default_partition:true', + ], + }, + { + 'name': 'slurm.node.alloc_mem', + 'value': 0, + 'tags': [ + 'slurm_node_active_features:null', + 'slurm_node_availability:up', + 'slurm_node_cluster:N/A', + 'slurm_node_memory:1000', + 'slurm_node_name:c2', + 'slurm_node_state_reason:none', + 'slurm_node_state:idle', + 'slurm_node_threads:1', + 'slurm_partition_name:normal', + 'slurm_partition_gpu_type:tesla', + 'slurm_partition_gpu_used_idx:0-3', + 'sinfo_state_code:powering_up_configured', + 'slurm_default_partition:true', + ], + }, { 'name': 'slurm.node.gpu_total', 'value': 4, @@ -419,8 +493,8 @@ def mock_output(filename): 'slurm_default_partition:true', ], }, - # PARTITION |AVAIL |NODELIST |NODES(A/I/O/T) |MEMORY |CLUSTER |CPU_LOAD |FREE_MEM |TMP_DISK |STATE |REASON |ACTIVE_FEATURES |THREADS |GRES |GRES_USED # noqa: E501 - # buz |up |c3 |1/2/3/4 | 5000 |bar | 2.46 | 5076 | 5 |idle$ |test |foo | 6 |(null) |(null) # noqa: E501 + # PARTITION |AVAIL |NODELIST |CPUSTATE(A/I/O/T) |MEMORY |CLUSTER |CPU_LOAD |FREE_MEM |TMP_DISK |STATE |REASON |ACTIVE_FEATURES |THREADS |ALLOCMEM|GRES |GRES_USED # noqa: E501 + # buz |up |c3 |1/2/3/4 | 5000 |bar | 2.46 | 5076 | 5 |idle$ |test |foo | 6 |0 |(null) |(null) # noqa: E501 { 'name': 'slurm.node.cpu.allocated', 'value': 1, 
@@ -529,6 +603,42 @@ def mock_output(filename): 'sinfo_state_code:maintenance', ], }, + { + 'name': 'slurm.node.memory', + 'value': 5000, + 'tags': [ + 'slurm_node_active_features:foo', + 'slurm_node_availability:up', + 'slurm_node_cluster:bar', + 'slurm_node_memory:5000', + 'slurm_node_name:c3', + 'slurm_node_state_reason:test', + 'slurm_node_state:idle', + 'slurm_node_threads:6', + 'slurm_partition_name:buz', + 'slurm_partition_gpu_type:null', + 'slurm_partition_gpu_used_idx:null', + 'sinfo_state_code:maintenance', + ], + }, + { + 'name': 'slurm.node.alloc_mem', + 'value': 0, + 'tags': [ + 'slurm_node_active_features:foo', + 'slurm_node_availability:up', + 'slurm_node_cluster:bar', + 'slurm_node_memory:5000', + 'slurm_node_name:c3', + 'slurm_node_state_reason:test', + 'slurm_node_state:idle', + 'slurm_node_threads:6', + 'slurm_partition_name:buz', + 'slurm_partition_gpu_type:null', + 'slurm_partition_gpu_used_idx:null', + 'sinfo_state_code:maintenance', + ], + }, { 'name': 'slurm.node.info', 'value': 1, @@ -895,8 +1005,8 @@ def mock_output(filename): 'value': 1, 'tags': [], }, - # JobID |JobName |Partition |Account |AllocCPUS |AllocTRES |Elapsed |CPUTimeRAW |MaxRSS |MaxVMSize |AveCPU |AveRSS |State |ExitCode |Start |End |NodeList | # noqa: E501 - # 56 |wrap |normal |root | 1 |billing=1,cpu=1,mem=500M,node=1 |00:12:34 | 10 | 11 | 12 | 13 | 14 |COMPLETED |0:0 |2024-10-20T22:14:25 |2024-10-20T22:14:25 |c1 | # noqa: E501 + # JobID |JobName |Partition |Account |AllocCPUS |AllocTRES |Elapsed |CPUTimeRAW |MaxRSS | MaxVMSize | AveCPU | AveRSS |State |ExitCode |Start |End |NodeList | AveDiskRead| MaxDiskRead, # noqa: E501 + # 56 |wrap |normal |root | 1 |billing=1,cpu=1,mem=500M,node=1 |00:12:34 | 10 | 11K | 12K | 00:07:56 | 14K |COMPLETED |0:0 |2024-10-20T22:14:25 |2024-10-20T22:14:25 |c1 | 0.9M | 0.9M # noqa: E501 { 'name': 'slurm.sacct.job.duration', 'value': 754, 
@@ -905,7 +1015,6 @@ def mock_output(filename): 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', - 'slurm_job_maxvm:12', 'slurm_job_name:wrap', 'slurm_job_node_list:c1', 'slurm_job_partition:normal', @@ -922,7 +1031,6 @@ def mock_output(filename): 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', - 'slurm_job_maxvm:12', 'slurm_job_name:wrap', 'slurm_job_node_list:c1', 'slurm_job_partition:normal', @@ -939,7 +1047,6 @@ def mock_output(filename): 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', - 'slurm_job_maxvm:12', 'slurm_job_name:wrap', 'slurm_job_node_list:c1', 'slurm_job_partition:normal', @@ -950,13 +1057,12 @@ def mock_output(filename): }, { 'name': 'slurm.sacct.slurm_job_maxrss', - 'value': 11, + 'value': 11000, 'tags': [ 'slurm_job_account:root', 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', - 'slurm_job_maxvm:12', 'slurm_job_name:wrap', 'slurm_job_node_list:c1', 'slurm_job_partition:normal', @@ -967,13 +1073,12 @@ def mock_output(filename): }, { 'name': 'slurm.sacct.slurm_job_avgcpu', - 'value': 13, + 'value': 476, 'tags': [ 'slurm_job_account:root', 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', - 'slurm_job_maxvm:12', 'slurm_job_name:wrap', 'slurm_job_node_list:c1', 'slurm_job_partition:normal', 
@@ -984,13 +1089,60 @@ def mock_output(filename): }, { 'name': 'slurm.sacct.slurm_job_avgrss', - 'value': 14, + 'value': 14000, + 'tags': [ + 'slurm_job_account:root', + 'slurm_job_cpus:1', + 'slurm_job_exitcode:0:0', + 'slurm_job_id:56', + 'slurm_job_name:wrap', + 'slurm_job_node_list:c1', + 'slurm_job_partition:normal', + 'slurm_partition_name:normal', + 'slurm_job_state:COMPLETED', + 'slurm_job_tres_per_node:billing=1,cpu=1,mem=500M,node=1', + ], + }, + { + 'name': 'slurm.sacct.slurm_job_ave_disk_read', + 'value': 900000, + 'tags': [ + 'slurm_job_account:root', + 'slurm_job_cpus:1', + 'slurm_job_exitcode:0:0', + 'slurm_job_id:56', + 'slurm_job_name:wrap', + 'slurm_job_node_list:c1', + 'slurm_job_partition:normal', + 'slurm_partition_name:normal', + 'slurm_job_state:COMPLETED', + 'slurm_job_tres_per_node:billing=1,cpu=1,mem=500M,node=1', + ], + }, + { + 'name': 'slurm.sacct.slurm_job_max_disk_read', + 'value': 900000, + 'tags': [ + 'slurm_job_account:root', + 'slurm_job_cpus:1', + 'slurm_job_exitcode:0:0', + 'slurm_job_id:56', + 'slurm_job_name:wrap', + 'slurm_job_node_list:c1', + 'slurm_job_partition:normal', + 'slurm_partition_name:normal', + 'slurm_job_state:COMPLETED', + 'slurm_job_tres_per_node:billing=1,cpu=1,mem=500M,node=1', + ], + }, + { + 'name': 'slurm.sacct.slurm_job_maxvm', + 'value': 12000, 'tags': [ 'slurm_job_account:root', 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', - 'slurm_job_maxvm:12', 'slurm_job_name:wrap', 'slurm_job_node_list:c1', 'slurm_job_partition:normal', 
@@ -999,8 +1151,8 @@ def mock_output(filename): 'slurm_job_tres_per_node:billing=1,cpu=1,mem=500M,node=1', ], }, - # JobID |JobName |Partition |Account |AllocCPUS |AllocTRES |Elapsed |CPUTimeRAW |MaxRSS |MaxVMSize |AveCPU |AveRSS |State |ExitCode |Start |End |NodeList | # noqa: E501 - # 56.batch |batch | |root | 1 |cpu=1,mem=500M,node=1 |01:23:45 | 20 | 21 | 22 | 23 | 24 |COMPLETED |0:0 |2024-10-20T22:14:25 |2024-10-20T22:14:25 |c1 | # noqa: E501 + # JobID |JobName |Partition |Account |AllocCPUS |AllocTRES |Elapsed |CPUTimeRAW |MaxRSS |MaxVMSize |AveCPU |AveRSS |State |ExitCode |Start |End |NodeList | AveDiskRead| MaxDiskRead, # noqa: E501 + # 56.batch |batch | |root | 1 |cpu=1,mem=500M,node=1 |01:23:45 | 20 | 21K | 22K | 00:09:56 | 24K |COMPLETED |0:0 |2024-10-20T22:14:25 |2024-10-20T22:14:25 |c1 | 0.9M | 0.9M # noqa: E501 { 'name': 'slurm.sacct.job.duration', 'value': 5025, @@ -1010,7 +1162,6 @@ def mock_output(filename): 'slurm_job_exitcode:0:0', 'slurm_job_id:56', 'slurm_job_id_suffix:batch', - 'slurm_job_maxvm:22', 'slurm_job_name:batch', 'slurm_job_node_list:c1', 'slurm_job_partition:null', @@ -1028,7 +1179,6 @@ def mock_output(filename): 'slurm_job_exitcode:0:0', 'slurm_job_id:56', 'slurm_job_id_suffix:batch', - 'slurm_job_maxvm:22', 'slurm_job_name:batch', 'slurm_job_node_list:c1', 'slurm_job_partition:null', @@ -1046,7 +1196,6 @@ def mock_output(filename): 'slurm_job_exitcode:0:0', 'slurm_job_id:56', 'slurm_job_id_suffix:batch', - 'slurm_job_maxvm:22', 'slurm_job_name:batch', 'slurm_job_node_list:c1', 'slurm_job_partition:null', @@ -1057,14 +1206,13 @@ def mock_output(filename): }, { 'name': 'slurm.sacct.slurm_job_maxrss', - 'value': 21, + 'value': 21000, 'tags': [ 'slurm_job_account:root', 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', 'slurm_job_id_suffix:batch', - 'slurm_job_maxvm:22', 'slurm_job_name:batch', 'slurm_job_node_list:c1', 'slurm_job_partition:null', 
@@ -1075,14 +1223,13 @@ def mock_output(filename): }, { 'name': 'slurm.sacct.slurm_job_avgcpu', - 'value': 23, + 'value': 596, 'tags': [ 'slurm_job_account:root', 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', 'slurm_job_id_suffix:batch', - 'slurm_job_maxvm:22', 'slurm_job_name:batch', 'slurm_job_node_list:c1', 'slurm_job_partition:null', @@ -1093,14 +1240,64 @@ def mock_output(filename): }, { 'name': 'slurm.sacct.slurm_job_avgrss', - 'value': 24, + 'value': 24000, + 'tags': [ + 'slurm_job_account:root', + 'slurm_job_cpus:1', + 'slurm_job_exitcode:0:0', + 'slurm_job_id:56', + 'slurm_job_id_suffix:batch', + 'slurm_job_name:batch', + 'slurm_job_node_list:c1', + 'slurm_job_partition:null', + 'slurm_partition_name:null', + 'slurm_job_state:COMPLETED', + 'slurm_job_tres_per_node:cpu=1,mem=500M,node=1', + ], + }, + { + 'name': 'slurm.sacct.slurm_job_ave_disk_read', + 'value': 900000, + 'tags': [ + 'slurm_job_account:root', + 'slurm_job_cpus:1', + 'slurm_job_exitcode:0:0', + 'slurm_job_id:56', + 'slurm_job_id_suffix:batch', + 'slurm_job_name:batch', + 'slurm_job_node_list:c1', + 'slurm_job_partition:null', + 'slurm_partition_name:null', + 'slurm_job_state:COMPLETED', + 'slurm_job_tres_per_node:cpu=1,mem=500M,node=1', + ], + }, + { + 'name': 'slurm.sacct.slurm_job_max_disk_read', + 'value': 900000, + 'tags': [ + 'slurm_job_account:root', + 'slurm_job_cpus:1', + 'slurm_job_exitcode:0:0', + 'slurm_job_id:56', + 'slurm_job_id_suffix:batch', + 'slurm_job_name:batch', + 'slurm_job_node_list:c1', + 'slurm_job_partition:null', + 'slurm_partition_name:null', + 'slurm_job_state:COMPLETED', + 'slurm_job_tres_per_node:cpu=1,mem=500M,node=1', + ], + }, + { + 'name': 'slurm.sacct.slurm_job_maxvm', + 'value': 22000, 'tags': [ 'slurm_job_account:root', 'slurm_job_cpus:1', 'slurm_job_exitcode:0:0', 'slurm_job_id:56', 'slurm_job_id_suffix:batch', - 'slurm_job_maxvm:22', 'slurm_job_name:batch', 'slurm_job_node_list:c1', 'slurm_job_partition:null', 
@@ -1112,7 +1309,6 @@ def mock_output(filename): ] } - SDIAG_MAP = { 'metrics': [ { diff --git a/slurm/tests/fixtures/sacct.txt b/slurm/tests/fixtures/sacct.txt index 49bcbf3ac71f5..5da3f60e92ca9 100644 --- a/slurm/tests/fixtures/sacct.txt +++ b/slurm/tests/fixtures/sacct.txt @@ -1,2 +1,2 @@ -56|wrap|normal|root|1|billing=1,cpu=1,mem=500M,node=1|00:12:34|10|11|12|13|14|COMPLETED|0:0|2024-10-20T22:14:25|2024-10-20T22:14:25|c1| -56.batch|batch||root|1|cpu=1,mem=500M,node=1|01:23:45|20|21|22|23|24|COMPLETED|0:0|2024-10-20T22:14:25|2024-10-20T22:14:25|c1| \ No newline at end of file +56|wrap|normal|root|1|billing=1,cpu=1,mem=500M,node=1|00:12:34|10|11K|12K|00:07:56|14K|COMPLETED|0:0|2024-10-20T22:14:25|2024-10-20T22:14:25|c1|0.9M|0.9M +56.batch|batch||root|1|cpu=1,mem=500M,node=1|01:23:45|20|21K|22K|00:09:56|24K|COMPLETED|0:0|2024-10-20T22:14:25|2024-10-20T22:14:25|c1|0.9M|0.9M \ No newline at end of file diff --git a/slurm/tests/fixtures/sinfo.txt b/slurm/tests/fixtures/sinfo.txt index f660688677225..0b6dabf232e8a 100644 --- a/slurm/tests/fixtures/sinfo.txt +++ b/slurm/tests/fixtures/sinfo.txt @@ -1,3 +1,3 @@ -normal*|up|c1|0/1/0/1|1000|N/A|1.46|4076|0|idle|none|(null)|1|gpu:tesla:4|gpu:tesla:3(IDX:0,2-3) -normal*|up|c2|0/1/0/1|1000|N/A|1.46|4076|0|idle#|none|(null)|1|gpu:tesla:4|gpu:tesla:4(IDX:0-3) -buz|up|c3|1/2/3/4|5000|bar|2.46|5076|5|idle$|test|foo|6|(null)|(null) \ No newline at end of file +normal*|up|c1|0/1/0/1|1000|N/A|1.46|4076|0|idle|none|(null)|1|0|gpu:tesla:4|gpu:tesla:3(IDX:0,2-3) +normal*|up|c2|0/1/0/1|1000|N/A|1.46|4076|0|idle#|none|(null)|1|0|gpu:tesla:4|gpu:tesla:4(IDX:0-3) +buz|up|c3|1/2/3/4|5000|bar|2.46|5076|5|idle$|test|foo|6|0|(null)|(null) \ No newline at end of file diff --git a/snmp/CHANGELOG.md b/snmp/CHANGELOG.md index 06e212fcc1ee9..fd3efb0b31735 100644 --- a/snmp/CHANGELOG.md +++ b/snmp/CHANGELOG.md 
@@ -12,7 +12,7 @@ * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962)) -## 9.2.1 / 2025-03-19 +## 9.2.1 / 2025-03-19 / Agent 7.65.0 ***Fixed***: diff --git a/snmp/assets/monitors/device_down.json b/snmp/assets/monitors/device_down.json index be63034b76f57..40ed4082fae75 100644 --- a/snmp/assets/monitors/device_down.json +++ b/snmp/assets/monitors/device_down.json 
@@ -8,7 +8,7 @@ ], "description": "A device is a networked entity with an SNMP agent that can be monitored and managed using SNMP protocols. This monitor tracks the status of each device in each namespace to avoid availability problems. Requires Datadog Agent 7.32+ or 6.32+.", "definition": { - "message": "{{#is_alert}} \nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reporting CRITICAL and can't be monitored anymore.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}).", + "message": "{{#is_alert}} \nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reporting CRITICAL and can't be monitored anymore.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}).", "name": "[SNMP] Device down alert on {{snmp_device.name}} in namespace {{device_namespace.name}}", "options": { "avalanche_window": 10, diff --git a/snmp/assets/monitors/device_unreachable.json b/snmp/assets/monitors/device_unreachable.json index 311ab2433ca15..69f332ba7fd90 100644 --- a/snmp/assets/monitors/device_unreachable.json +++ b/snmp/assets/monitors/device_unreachable.json 
@@ -8,7 +8,7 @@ ], "description": "A device is a networked entity with an SNMP agent that can be monitored and managed using SNMP protocols. This monitor checks the reachability of network devices, alerting if a specific network device within a namespace is unreachable. Requires Datadog Agent 7.43+ or 6.43+.", "definition": { - "message": "{{#is_alert}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is unreachable and can't be monitored anymore.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reachable again.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}).", + "message": "{{#is_alert}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is unreachable and can't be monitored anymore.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reachable again.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}).", "name": "[SNMP] Device unreachable alert on {{snmp_device.name}} in namespace {{device_namespace.name}}", "options": { "include_tags": false, diff --git a/snmp/assets/monitors/interface_down.json b/snmp/assets/monitors/interface_down.json index 179acbb68948b..4cb43f71428d5 100644 --- a/snmp/assets/monitors/interface_down.json +++ b/snmp/assets/monitors/interface_down.json 
@@ -8,7 +8,7 @@ ], "description": "A device is a networked entity with an SNMP agent that can be monitored and managed using SNMP protocols. This monitor checks the operational status of network interfaces, alerting if one report as 'down' across devices. Requires Datadog Agent 7.43+ or 6.43+.", "definition": { - "message": "{{#is_alert}}\nInterface {{interface.name}} of network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reporting DOWN.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nInterface {{interface.name}} of network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}\u0026detailsTab=interfaces).", + "message": "{{#is_alert}}\nInterface {{interface.name}} of network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reporting DOWN.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nInterface {{interface.name}} of network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}\u0026detailsTab=interfaces).", "name": "[SNMP] Interface {{interface.name}} down alert on device {{snmp_device.name}} in namespace {{device_namespace.name}}", "options": { "include_tags": false, diff --git a/snmp/assets/monitors/traps_linkDown.json b/snmp/assets/monitors/traps_linkDown.json index 8167d48768b8c..efd4d59b1bac0 100644 --- a/snmp/assets/monitors/traps_linkDown.json +++ b/snmp/assets/monitors/traps_linkDown.json 
@@ -8,7 +8,7 @@ ], "description": "An SNMP trap is an event dispatched by a device. This monitor tracks instances where the interface of any network device within a specified namespace reports a shutdown (via linkDown trap). You can use this monitor as a template for setting up any traps monitor.", "definition": { - "message": "{{#is_alert}} \nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reporting CRITICAL and can't be monitored anymore.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/infrastructure/devices/graph?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}).", + "message": "{{#is_alert}} \nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is reporting CRITICAL and can't be monitored anymore.\n{{/is_alert}}\n\n{{#is_alert_recovery}}\nA network device with IP {{snmp_device.name}} in namespace {{device_namespace.name}} is back online.\n{{/is_alert_recovery}}\n\nTo know more about the status of your device, you can have more information from the [NDM page for the device {{device_namespace.name}}:{{snmp_device.name}}](/devices?inspectedDevice={{device_namespace.name}}%3A{{snmp_device.name}}).", "name": "[SNMP-Traps] Interface went down on device {{snmp_device.name}}", "options": { "enable_logs_sample": true, diff --git a/sonarqube/CHANGELOG.md b/sonarqube/CHANGELOG.md index 92fd5e119f2d3..485c4c88e729f 100644 --- a/sonarqube/CHANGELOG.md +++ b/sonarqube/CHANGELOG.md @@ -2,7 +2,7 @@ -## 5.2.1 / 2025-03-19 +## 5.2.1 / 2025-03-19 / Agent 7.65.0 ***Fixed***: diff --git a/sonatype_nexus/CHANGELOG.md b/sonatype_nexus/CHANGELOG.md index 9d3b989b78acf..e80392c69cd46 100644 
--- a/sonatype_nexus/CHANGELOG.md +++ b/sonatype_nexus/CHANGELOG.md @@ -2,7 +2,7 @@ -## 1.1.0 / 2025-04-17 +## 1.1.0 / 2025-04-17 / Agent 7.65.0 ***Added***: diff --git a/spark/CHANGELOG.md b/spark/CHANGELOG.md index bd09055cdd6b4..4dccb3bcb0a34 100644 --- a/spark/CHANGELOG.md +++ b/spark/CHANGELOG.md @@ -2,7 +2,7 @@ -## 6.3.0 / 2025-03-19 +## 6.3.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/sqlserver/metadata.csv b/sqlserver/metadata.csv index 080be077f03e4..6a8dfdb134b4e 100644 --- a/sqlserver/metadata.csv +++ b/sqlserver/metadata.csv 
@@ -107,16 +107,16 @@ sqlserver.queries.count,count,,query,,Total count of executed queries per query sqlserver.queries.dop,count,,,,The total sum of degree of parallelism used by executions of this query per query (DBM only),0,sql_server,query dop,, sqlserver.queries.duration.max,gauge,,nanosecond,,"The age of the longest running query per user, db, and app. (DBM only)",0,sql_server,queries duration max,, sqlserver.queries.duration.sum,gauge,,nanosecond,,"The sum of the age of all running queries per user, db, and app. (DBM only)",0,sql_server,queries duration sum,, -sqlserver.queries.ideal_memory_grant,count,,byte,,The total amount of ideal memory grant estimated by executions of this query per query (DBM only),0,sql_server,query ideal grant kb,, +sqlserver.queries.ideal_memory_grant,count,,kilobyte,,The total amount of ideal memory grant estimated by executions of this query per query (DBM only),0,sql_server,query ideal grant kb,, sqlserver.queries.logical_reads,count,,read,,Total number of logical reads performed by executed queries per query (DBM only),0,sql_server,query logical reads,, sqlserver.queries.logical_writes,count,,write,,Total number of logical writes performed by executed queries per query (DBM only),0,sql_server,query logical writes,, -sqlserver.queries.memory_grant,count,,byte,,The total amount of reserved memory received by executions of this query per query. It will always be 0 for querying a memory-optimized table (DBM only).,0,sql_server,query grant kb,, +sqlserver.queries.memory_grant,count,,kilobyte,,The total amount of reserved memory received by executions of this query per query. 
It will always be 0 for querying a memory-optimized table (DBM only).,0,sql_server,query grant kb,, sqlserver.queries.physical_reads,count,,read,,Total number of physical reads performed by executed queries per query (DBM only),0,sql_server,query physical reads,, sqlserver.queries.reserved_threads,count,,thread,,The total sum of reserved parallel threads used by executions of this query per query (DBM only),0,sql_server,query reserved threads,, sqlserver.queries.rows,count,,row,,Total number of rows returned by executed queries per query (DBM only),0,sql_server,query rows,, sqlserver.queries.spills,count,,,,The total number of pages spilled by execution of this query per query (DBM only),0,sql_server,query spills,, sqlserver.queries.time,count,,nanosecond,,Total elapsed time for executed queries per query (DBM only),0,sql_server,query time,, -sqlserver.queries.used_memory_grant,count,,byte,,The total amount of reserved memory used by executions of this query per query. It will always be 0 for querying a memory-optimized table (DBM only).,0,sql_server,query used grant kb,, +sqlserver.queries.used_memory_grant,count,,kilobyte,,The total amount of reserved memory used by executions of this query per query. It will always be 0 for querying a memory-optimized table (DBM only).,0,sql_server,query used grant kb,, sqlserver.queries.used_threads,count,,thread,,The total sum of used parallel threads used by executions of this query per query (DBM only),0,sql_server,query used threads,, sqlserver.queries.worker_time,count,,nanosecond,,Total CPU time consumed by executed queries per query (DBM only),0,sql_server,query worker time,, sqlserver.replica.flow_control_sec,gauge,,,,Number of times flow-control initiated in the last second. Flow Control Time (ms/sec) divided by Flow Control/sec is the average time per wait. (Perf. Counter: `Database Replica - Flow Control/sec`),0,sql_server,flow control,, 
diff --git a/tls/CHANGELOG.md b/tls/CHANGELOG.md index 1cc7602b207e9..3d389805f4d98 100644 --- a/tls/CHANGELOG.md +++ b/tls/CHANGELOG.md @@ -8,7 +8,7 @@ * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962)) -## 4.3.0 / 2025-03-19 +## 4.3.0 / 2025-03-19 / Agent 7.65.0 ***Added***: diff --git a/velero/CHANGELOG.md b/velero/CHANGELOG.md index fcbfcfd03762d..4a8376a65f7c4 100644 --- a/velero/CHANGELOG.md +++ b/velero/CHANGELOG.md @@ -2,7 +2,7 @@ -## 2.0.0 / 2025-03-21 +## 2.0.0 / 2025-03-21 / Agent 7.65.0 ***Changed***: diff --git a/vsphere/CHANGELOG.md b/vsphere/CHANGELOG.md index 35d36a6a0a9f4..ef248a154fbba 100644 --- a/vsphere/CHANGELOG.md +++ b/vsphere/CHANGELOG.md @@ -12,7 +12,7 @@ * Don't submit property metrics with unknown hostname. ([#19944](https://github.com/DataDog/integrations-core/pull/19944)) -## 8.2.1 / 2025-03-19 +## 8.2.1 / 2025-03-19 / Agent 7.65.0 ***Fixed***: diff --git a/win32_event_log/CHANGELOG.md b/win32_event_log/CHANGELOG.md index 8813f2e68ee02..bd6c595419337 100644 --- a/win32_event_log/CHANGELOG.md +++ b/win32_event_log/CHANGELOG.md @@ -8,7 +8,7 @@ * Update dependencies ([#19962](https://github.com/DataDog/integrations-core/pull/19962)) -## 5.1.1 / 2025-03-19 +## 5.1.1 / 2025-03-19 / Agent 7.65.0 ***Fixed***: