mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Merge pull request #14327 from Security-Onion-Solutions/dougburks-patch-1
FIX: Elastic Agent Security Events dashboard should reference user.effective.name #14325
This commit is contained in:
Doug Burks
GitHub
@@ -1256,7 +1256,7 @@ soc:
|
|||||||
- soc_timestamp
|
- soc_timestamp
|
||||||
- event.dataset
|
- event.dataset
|
||||||
- host.name
|
- host.name
|
||||||
- user.name
|
- user.effective.name
|
||||||
- process.executable
|
- process.executable
|
||||||
- event.action
|
- event.action
|
||||||
- event.outcome
|
- event.outcome
|
||||||
@@ -1918,7 +1918,7 @@ soc:
|
|||||||
query: 'event.dataset:endpoint.events.registry | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby registry.path'
|
query: 'event.dataset:endpoint.events.registry | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby registry.path'
|
||||||
- name: Elastic Agent Security Events
|
- name: Elastic Agent Security Events
|
||||||
description: Security events from Elastic Agents
|
description: Security events from Elastic Agents
|
||||||
query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
|
query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.effective.name | groupby user.effective.name | groupby -sankey user.effective.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
|
||||||
- name: Host Overview
|
- name: Host Overview
|
||||||
description: Overview of all host data types
|
description: Overview of all host data types
|
||||||
query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby -sankey event.type host.name | groupby host.name | groupby user.name | groupby file.name | groupby process.executable'
|
query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby -sankey event.type host.name | groupby host.name | groupby user.name | groupby file.name | groupby process.executable'
|
||||||
|
|||||||
Reference in New Issue
Block a user