diff --git a/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/amazon_vpc_flow-1.0.0.json b/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/amazon_vpc_flow-1.0.0.json
index 08091fefc..760c93ee2 100644
--- a/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/amazon_vpc_flow-1.0.0.json
+++ b/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/amazon_vpc_flow-1.0.0.json
@@ -5,7 +5,7 @@
   "description": "Monitor IP traffic with VPC Flow Logs.",
   "license": "Apache-2.0",
   "type": "logs_vpc",
-  "labels": ["Observability", "Logs", "AWS", "Cloud", "Flint S3"],
+  "labels": ["Security Lake", "Observability", "Logs", "AWS", "Cloud", "Flint S3"],
   "author": "Haidong Wang",
   "sourceUrl": "https://github.com/opensearch-project/dashboards-observability/tree/main/server/adaptors/integrations/__data__/repository/aws_vpc_flow/info",
   "workflows": [
@@ -38,6 +38,18 @@
       "label": "Refreshing and populate the pre-aggregated projections ",
       "description": "This step populate the pre-aggregated projections by enabling the REFRESH command to run, this step depends on selection of the previous `flint-pre-agg-dashboards` step",
       "enabled_by_default": false
+    },
+    {
+      "name": "queries-security-lake",
+      "label": "Queries (recommended)",
+      "description": "Tables and pre-written queries for quickly getting insights on your data.",
+      "enabled_by_default": true
+    },
+    {
+      "name": "dashboards-security-lake",
+      "label": "Dashboards & Visualizations",
+      "description": "Dashboards and indices that enable you to easily visualize important metrics.",
+      "enabled_by_default": true
     }
   ],
   "statics": {
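Review bot: In the `@@ -38,6 +38,18 @@` hunk the new `dashboards-security-lake` workflow is enabled by default and described only as "Dashboards and indices", yet the `@@ -179,6 +191,20 @@` hunk also routes a `query`-typed SQL asset (`aws_vpc_mv_schema_security_lake_2_0`) through it, so an install with default toggles presumably executes SQL against the configured data source rather than only importing saved objects. The sibling Flint steps above (`flint-pre-agg-refresh`) are opt-in and their description states what runs and what it depends on; the new workflow's description should do the same so the user knows what is executed on their behalf, e.g. `"description": "Dashboards, index pattern and the SQL asset that sets up the backing table; installing this runs a query against the configured data source."`. Whether `enabled_by_default` should stay `true` depends on what that SQL does and costs, which this diff does not show. The `workflows` array starts before the hunk.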
@@ -179,6 +191,20 @@
       "extension": "sql",
       "type": "query",
       "workflows": ["flint-pre-agg-refresh"]
+    },
+    {
+      "name": "aws_vpc_mv_schema_security_lake_2_0",
+      "version": "1.0.0",
+      "extension": "sql",
+      "type": "query",
+      "workflows": ["dashboards-security-lake"]
+    },
+    {
+      "name": "aws_vpc_flow_security_lake_2_0",
+      "version": "1.0.0",
+      "extension": "ndjson",
+      "type": "savedObjectBundle",
+      "workflows": ["dashboards-security-lake"]
     }
   ],
   "sampleData": {
diff --git a/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/assets/aws_vpc_flow_security_lake_2_0-1.0.0.ndjson b/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/assets/aws_vpc_flow_security_lake_2_0-1.0.0.ndjson
new file mode 100644
index 000000000..c5a53de4b
--- /dev/null
+++ b/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/assets/aws_vpc_flow_security_lake_2_0-1.0.0.ndjson
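Review bot: Both new assets list only `dashboards-security-lake` in `workflows`, so the `queries-security-lake` workflow added in the `@@ -38,6 +38,18 @@` hunk — enabled by default and labelled "(recommended)" — has no asset bound to it anywhere in this diff and would be a no-op toggle unless assets outside the visible hunks reference it. If the SQL asset is the "tables and pre-written queries" that workflow advertises, bind it there as well: `"workflows": ["queries-security-lake", "dashboards-security-lake"]`; otherwise drop the unused workflow so users are not offered an option that installs nothing. The enclosing asset array starts before the hunk.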
@@ -0,0 +1,18 @@ +{"attributes":{"fields":"[{\"count\":0,\"name\":\"@message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"attributes.data_stream.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"attributes.data_stream.namespace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"attributes.data_stream.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":2,\"name\":\"aws.s3.bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.s3.copy_source\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.s3.delete\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.s3.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.s3.part_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.s3.upload_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.account-id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.az-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.az-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.az-id\"}}},{\"count\":1,\"name\":\"aws.vpc.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":3,\"name\":\"aws.vpc.dstaddr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.dstport\",\"type\":\"number\",\"esTypes\":[\"long\"],
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.flow-direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.flow-direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.flow-direction\"}}},{\"count\":0,\"name\":\"aws.vpc.instance-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.instance-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.instance-id\"}}},{\"count\":0,\"name\":\"aws.vpc.interface-id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.log-status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.pkt-dst-aws-service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.pkt-dst-aws-service\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.pkt-dst-aws-service\"}}},{\"count\":1,\"name\":\"aws.vpc.pkt-src-aws-service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.pkt-src-aws-service\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.pkt-src-aws-service\"}}},{\"count\":0,\"name\":\"aws.vpc.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.region\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.region.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.region\"}}},{\"count\":1,\"name\":\"aws.vpc.srcaddr\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.srcport\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"aws.vpc.subnet-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.subnet-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.subnet-id\"}}},{\"count\":0,\"name\":\"aws.vpc.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":1,\"name\":\"aws.vpc.vpc-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"aws.vpc.vpc-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"aws.vpc.vpc-id\"}}},{\"count\":0,\"name\":\"body\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.resource_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.address\",\"type\":\"string\",\"esTypes\":[\"text\
"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"communication.destination.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"communication.destination.address\"}}},{\"count\":0,\"name\":\"communication.destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"communication.destination.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"communication.destination.domain\"}}},{\"count\":0,\"name\":\"communication.destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.sock.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.source.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"communication.source.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"communication.source.address\"}}},{\"count\":0,\"name\":\"communication.source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.source.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"communication.source.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"communication.source.domain\"}}},{\"count\":0,\"name\":\"communication.source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"communication.source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.exception.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.exception.stacktrace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.exception.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.result\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"instrumentationScope.dropped_attributes_count\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"instrumentationScope.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"instrumentationScope.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"instrumentationScope.name\"}}},{\"count\":0,\"name\":\"instrumentationScope.schemaUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"instrumentationScope.schemaUrl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"instrumentationScope.schemaUrl\"}}},{\"count\":0,\"name\":\"instrumentationScope.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"instrumentationScope.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"instrumentationScope.version\"}}},{\"count\":0,\"name\":\"observedTimesta
mp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observerTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"schemaUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"schemaUrl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"schemaUrl\"}}},{\"count\":0,\"name\":\"severity.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"severity.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"severity.text.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"severity.text\"}}},{\"count\":0,\"name\":\"spanId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"traceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"flint_zeroetl_default_amazon_vpc_flow_new_release__*"},"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU0NiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Total Requests","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Total Requests\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total Requests\"},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"dc6cedd8-8eec-4db7-8a6a-722050aadf65","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU0NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Request History","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Request 
History\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"2023-07-19T02:48:00.000Z\",\"to\":\"2023-07-19T02:48:10.000Z\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"73fcebfb-fc36-4c3c-92d8-354b003d3079","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU0OCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Requests by Direction","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Requests by Direction\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.flow-direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true}}"},"id":"9d75d3b9-3093-4120-bbce-7bbfdd283045","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Bytes","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] 
Bytes\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"aws.vpc.bytes\",\"customLabel\":\"Bytes\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15d\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Bytes\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Bytes\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"c25cf44b-016b-4796-a5e8-bc018b28bc1a","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1MCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Packets","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Packets\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"aws.vpc.packets\",\"customLabel\":\"Packets\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15d\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Packets\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Packets\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"8bc28feb-9149-40fb-b7f2-495008f5102c","migrationVersion":{"visualization":"7.10.0"},"references":
[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":true,\"type\":\"phrase\",\"key\":\"aws.vpc.pkt-src-aws-service\",\"params\":{\"query\":\"-\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpc.pkt-src-aws-service\":\"-\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Top Source AWS Services","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Top Source AWS Services\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.pkt-src-aws-service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true}}"},"id":"e7e44e10-b9bf-4e37-a1fa-8b9a7c18fafa","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1MiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":true,\"type\":\"phrase\",\"key\":\"aws.vpc.pkt-dst-aws-service\",\"params\":{\"query\":\"-\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpc.pkt-dst-aws-service\":\"-\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Top Destination AWS Services","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Top Destination AWS Services\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.pkt-dst-aws-service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"e37b37ff-2926-4da7-a177-4a1b2e2c2de7","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Requests by Direction Metric","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Requests by Direction Metric\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.flow-direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"d0a7db2b-8a19-4978-87be-1f21aef48b31","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Top Destination Bytes","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Top Destination 
Bytes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"aws.vpc.bytes\",\"customLabel\":\"Bytes\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.dstaddr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"51a7564f-b392-4faa-92b8-909ad827252e","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Top Source Bytes","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Top Source 
Bytes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"aws.vpc.bytes\",\"customLabel\":\"Bytes\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.srcaddr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"a8296e29-b0e4-4287-a723-4ddfc7cb3fcf","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Top Sources","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Top 
Sources\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.srcaddr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"6382feef-2b3a-4123-8167-3581d6d3c933","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Top Destinations","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Top 
Destinations\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.dstaddr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"e150d97c-ceb8-4a38-82a1-9154fa9064f6","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"[AWS VPC Flow Logs 1.0] Flow","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Flow\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{ \\n $schema: https://vega.github.io/schema/vega/v5.json\\n data: [\\n\\t{\\n \\t// query OpenSearch based on the currently selected time range and filter string\\n \\tname: rawData\\n \\turl: {\\n \\tindex: flint_*vpc*__live_mview\\n \\tbody: {\\n \\tsize: 0\\n \\taggs: {\\n \\ttable: {\\n \\tcomposite: {\\n \\tsize: 10000\\n \\tsources: [\\n \\t{\\n \\tstk1: {\\n \\tterms: {field: \\\"aws.vpc.srcaddr\\\"}\\n \\t}\\n \\t}\\n \\t{\\n \\tstk2: {\\n \\tterms: {field: \\\"aws.vpc.dstaddr\\\"}\\n \\t}\\n \\t}\\n \\t]\\n \\t}\\n \\t}\\n \\t}\\n \\t}\\n \\t}\\n \\t// From the result, take just the data we are interested in\\n \\tformat: {property: \\\"aggregations.table.buckets\\\"}\\n \\t// Convert key.stk1 -> stk1 for simpler 
access below\\n \\ttransform: [\\n \\t{type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n \\t{type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n \\t{type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n \\t]\\n\\t}\\n\\t{\\n \\tname: nodes\\n \\tsource: rawData\\n \\ttransform: [\\n \\t// when a country is selected, filter out unrelated data\\n \\t{\\n \\ttype: filter\\n \\texpr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n \\t}\\n \\t// Set new key for later lookups - identifies each node\\n \\t{type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n \\t// instead of each table row, create two new rows,\\n \\t// one for the source (stack=stk1) and one for destination node (stack=stk2).\\n \\t// The country code stored in stk1 and stk2 fields is placed into grpId field.\\n \\t{\\n \\ttype: fold\\n \\tfields: [\\\"stk1\\\", \\\"stk2\\\"]\\n \\tas: [\\\"stack\\\", \\\"grpId\\\"]\\n \\t}\\n \\t// Create a sortkey, different for stk1 and stk2 stacks.\\n \\t{\\n \\ttype: formula\\n \\texpr: datum.stack == 'stk1' ? 
datum.stk1+datum.stk2 : datum.stk2+datum.stk1\\n \\tas: sortField\\n \\t}\\n \\t// Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n \\t// independently for each stack, and ensuring they are in the proper order,\\n \\t// alphabetical from the top (reversed on the y axis)\\n \\t{\\n \\ttype: stack\\n \\tgroupby: [\\\"stack\\\"]\\n \\tsort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n \\tfield: size\\n \\t}\\n \\t// calculate vertical center point for each node, used to draw edges\\n \\t{type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n \\t]\\n\\t}\\n\\t{\\n \\tname: groups\\n \\tsource: nodes\\n \\ttransform: [\\n \\t// combine all nodes into country groups, summing up the doc counts\\n \\t{\\n \\ttype: aggregate\\n \\tgroupby: [\\\"stack\\\", \\\"grpId\\\"]\\n \\tfields: [\\\"size\\\"]\\n \\tops: [\\\"sum\\\"]\\n \\tas: [\\\"total\\\"]\\n \\t}\\n \\t// re-calculate the stacking y0,y1 values\\n \\t{\\n \\ttype: stack\\n \\tgroupby: [\\\"stack\\\"]\\n \\tsort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n \\tfield: total\\n \\t}\\n \\t// project y0 and y1 values to screen coordinates\\n \\t// doing it once here instead of doing it several times in marks\\n \\t{type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n \\t{type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n \\t// boolean flag if the label should be on the right of the stack\\n \\t{type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n \\t// Calculate traffic percentage for this country using \\\"y\\\" scale\\n \\t// domain upper bound, which represents the total traffic\\n \\t{\\n \\ttype: formula\\n \\texpr: datum.total/domain('y')[1]\\n \\tas: percentage\\n \\t}\\n \\t]\\n\\t}\\n\\t{\\n \\t// This is a temp lookup table with all the 'stk2' stack nodes\\n \\tname: destinationNodes\\n \\tsource: nodes\\n \\ttransform: [\\n \\t{type: 
\\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n \\t]\\n\\t}\\n\\t{\\n \\tname: edges\\n \\tsource: nodes\\n \\ttransform: [\\n \\t// we only want nodes from the left stack\\n \\t{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n \\t// find corresponding node from the right stack, keep it as \\\"target\\\"\\n \\t{\\n \\ttype: lookup\\n \\tfrom: destinationNodes\\n \\tkey: key\\n \\tfields: [\\\"key\\\"]\\n \\tas: [\\\"target\\\"]\\n \\t}\\n \\t// calculate SVG link path between stk1 and stk2 stacks for the node pair\\n \\t{\\n \\ttype: linkpath\\n \\torient: horizontal\\n \\tshape: diagonal\\n \\tsourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n \\tsourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n \\ttargetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n \\ttargetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n \\t}\\n \\t// A little trick to calculate the thickness of the line.\\n \\t// The value needs to be the same as the hight of the node, but scaling\\n \\t// size to screen's height gives inversed value because screen's Y\\n \\t// coordinate goes from the top to the bottom, whereas the graph's Y=0\\n \\t// is at the bottom. 
So subtracting scaled doc count from screen height\\n \\t// (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n \\t{\\n \\ttype: formula\\n \\texpr: range('y')[0]-scale('y', datum.size)\\n \\tas: strokeWidth\\n \\t}\\n \\t// Tooltip needs individual link's percentage of all traffic\\n \\t{\\n \\ttype: formula\\n \\texpr: datum.size/domain('y')[1]\\n \\tas: percentage\\n \\t}\\n \\t]\\n\\t}\\n ]\\n scales: [\\n\\t{\\n \\t// calculates horizontal stack positioning\\n \\tname: x\\n \\ttype: band\\n \\trange: width\\n \\tdomain: [\\\"stk1\\\", \\\"stk2\\\"]\\n \\tpaddingOuter: 0.05\\n \\tpaddingInner: 0.95\\n\\t}\\n\\t{\\n \\t// this scale goes up as high as the highest y1 value of all nodes\\n \\tname: y\\n \\ttype: linear\\n \\trange: height\\n \\tdomain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n\\t}\\n\\t{\\n \\t// use rawData to ensure the colors stay the same when clicking.\\n \\tname: color\\n \\ttype: ordinal\\n \\trange: category\\n \\tdomain: {data: \\\"rawData\\\", field: \\\"stk1\\\"}\\n\\t}\\n\\t{\\n \\t// this scale is used to map internal ids (stk1, stk2) to stack names\\n \\tname: stackNames\\n \\ttype: ordinal\\n \\trange: [\\\"Source\\\", \\\"Destination\\\"]\\n \\tdomain: [\\\"stk1\\\", \\\"stk2\\\"]\\n\\t}\\n ]\\n axes: [\\n\\t{\\n \\t// x axis should use custom label formatting to print proper stack names\\n \\torient: bottom\\n \\tscale: x\\n \\tencode: {\\n \\tlabels: {\\n \\tupdate: {\\n \\ttext: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n \\t}\\n \\t}\\n \\t}\\n\\t}\\n\\t{orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n\\t{\\n \\t// draw the connecting line between stacks\\n \\ttype: path\\n \\tname: edgeMark\\n \\tfrom: {data: \\\"edges\\\"}\\n \\t// this prevents some autosizing issues with large strokeWidth for paths\\n \\tclip: true\\n \\tencode: {\\n \\tupdate: {\\n \\t// By default use color of the left node, except when showing traffic\\n \\t// from just one country, in which case 
use destination color.\\n \\tstroke: [\\n \\t{\\n \\ttest: groupSelector && groupSelector.stack=='stk1'\\n \\tscale: color\\n \\tfield: stk2\\n \\t}\\n \\t{scale: \\\"color\\\", field: \\\"stk1\\\"}\\n \\t]\\n \\tstrokeWidth: {field: \\\"strokeWidth\\\"}\\n \\tpath: {field: \\\"path\\\"}\\n \\t// when showing all traffic, and hovering over a country,\\n \\t// highlight the traffic from that country.\\n \\tstrokeOpacity: {\\n \\tsignal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n \\t}\\n \\t// Ensure that the hover-selected edges show on top\\n \\tzindex: {\\n \\tsignal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n \\t}\\n \\t// format tooltip string\\n \\ttooltip: {\\n \\tsignal: datum.stk1 + ' → ' + datum.stk2 + '\\t' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n \\t}\\n \\t}\\n \\t// Simple mouseover highlighting of a single line\\n \\thover: {\\n \\tstrokeOpacity: {value: 1}\\n \\t}\\n \\t}\\n\\t}\\n\\t{\\n \\t// draw stack groups (countries)\\n \\ttype: rect\\n \\tname: groupMark\\n \\tfrom: {data: \\\"groups\\\"}\\n \\tencode: {\\n \\tenter: {\\n \\tfill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n \\twidth: {scale: \\\"x\\\", band: 1}\\n \\t}\\n \\tupdate: {\\n \\tx: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n \\ty: {field: \\\"scaledY0\\\"}\\n \\ty2: {field: \\\"scaledY1\\\"}\\n \\tfillOpacity: {value: 0.6}\\n \\ttooltip: {\\n \\tsignal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n \\t}\\n \\t}\\n \\thover: {\\n \\tfillOpacity: {value: 1}\\n \\t}\\n \\t}\\n\\t}\\n\\t{\\n \\t// draw country code labels on the inner side of the stack\\n \\ttype: text\\n \\tfrom: {data: \\\"groups\\\"}\\n \\t// don't process events for the labels - otherwise line mouseover is unclean\\n \\tinteractive: false\\n \\tencode: {\\n \\tupdate: {\\n \\t// depending on which stack it is, position 
x with some padding\\n \\tx: {\\n \\tsignal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n \\t}\\n \\t// middle of the group\\n \\tyc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n \\talign: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n \\tbaseline: {value: \\\"middle\\\"}\\n \\tfontWeight: {value: \\\"bold\\\"}\\n \\t// only show text label if the group's height is large enough\\n \\ttext: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n \\t}\\n \\t}\\n\\t}\\n\\t{\\n \\t// Create a \\\"show all\\\" button. Shown only when a country is selected.\\n \\ttype: group\\n \\tdata: [\\n \\t// We need to make the button show only when groupSelector signal is true.\\n \\t// Each mark is drawn as many times as there are elements in the backing data.\\n \\t// Which means that if values list is empty, it will not be drawn.\\n \\t// Here I create a data source with one empty object, and filter that list\\n \\t// based on the signal value. 
This can only be done in a group.\\n \\t{\\n \\tname: dataForShowAll\\n \\tvalues: [{}]\\n \\ttransform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n \\t}\\n \\t]\\n \\t// Set button size and positioning\\n \\tencode: {\\n \\tenter: {\\n \\txc: {signal: \\\"width/2\\\"}\\n \\ty: {value: 30}\\n \\twidth: {value: 80}\\n \\theight: {value: 30}\\n \\t}\\n \\t}\\n \\tmarks: [\\n \\t{\\n \\t// This group is shown as a button with rounded corners.\\n \\ttype: group\\n \\t// mark name allows signal capturing\\n \\tname: groupReset\\n \\t// Only shows button if dataForShowAll has values.\\n \\tfrom: {data: \\\"dataForShowAll\\\"}\\n \\tencode: {\\n \\tenter: {\\n \\tcornerRadius: {value: 6}\\n \\tfill: {value: \\\"#F5F7FA\\\"}\\n \\tstroke: {value: \\\"#c1c1c1\\\"}\\n \\tstrokeWidth: {value: 2}\\n \\t// use parent group's size\\n \\theight: {\\n \\tfield: {group: \\\"height\\\"}\\n \\t}\\n \\twidth: {\\n \\tfield: {group: \\\"width\\\"}\\n \\t}\\n \\t}\\n \\tupdate: {\\n \\t// groups are transparent by default\\n \\topacity: {value: 1}\\n \\t}\\n \\thover: {\\n \\topacity: {value: 0.7}\\n \\t}\\n \\t}\\n \\tmarks: [\\n \\t{\\n \\ttype: text\\n \\t// if true, it will prevent clicking on the button when over text.\\n \\tinteractive: false\\n \\tencode: {\\n \\tenter: {\\n \\t// center text in the paren group\\n \\txc: {\\n \\tfield: {group: \\\"width\\\"}\\n \\tmult: 0.5\\n \\t}\\n \\tyc: {\\n \\tfield: {group: \\\"height\\\"}\\n \\tmult: 0.5\\n \\toffset: 2\\n \\t}\\n \\talign: {value: \\\"center\\\"}\\n \\tbaseline: {value: \\\"middle\\\"}\\n \\tfontWeight: {value: \\\"bold\\\"}\\n \\ttext: {value: \\\"Show All\\\"}\\n \\t}\\n \\t}\\n \\t}\\n \\t]\\n \\t}\\n \\t]\\n\\t}\\n ]\\n signals: [\\n\\t{\\n \\t// used to highlight traffic to/from the same country\\n \\tname: groupHover\\n \\tvalue: {}\\n \\ton: [\\n \\t{\\n \\tevents: @groupMark:mouseover\\n \\tupdate: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n \\t}\\n 
\\t{events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n \\t]\\n\\t}\\n\\t// used to filter only the data related to the selected country\\n\\t{\\n \\tname: groupSelector\\n \\tvalue: false\\n \\ton: [\\n \\t{\\n \\t// Clicking groupMark sets this signal to the filter values\\n \\tevents: @groupMark:click!\\n \\tupdate: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n \\t}\\n \\t{\\n \\t// Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n \\tevents: [\\n \\t{type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n \\t{type: \\\"dblclick\\\"}\\n \\t]\\n \\tupdate: \\\"false\\\"\\n \\t}\\n \\t]\\n\\t}\\n ]\\n}\\n\"}}"},"id":"0e694bb1-ded3-454f-8d12-dd9234a3b91b","migrationVersion":{"visualization":"7.10.0"},"references":[],"type":"visualization","updated_at":"2024-05-23T01:41:20.805Z","version":"WzEwMDcsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"phrase\",\"key\":\"aws.vpc.dstaddr\",\"params\":{\"query\":\"-\"},\"disabled\":false,\"negate\":true,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpc.dstaddr\":\"-\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrase\",\"key\":\"aws.vpc.srcaddr\",\"params\":{\"query\":\"-\"},\"disabled\":false,\"negate\":true,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpc.srcaddr\":\"-\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"[AWS VPC Flow Logs 1.0] Heat Map","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[AWS VPC Flow Logs 1.0] Heat 
Map\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.dstaddr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Address\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.vpc.srcaddr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Address\"},\"schema\":\"group\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"},"id":"8fa03bc9-aac3-4303-be9e-dab6fdb919d6","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU2MCwxXQ=="} 
+{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"interval_start_time\",\"calendar_interval\":\"1d\",\"time_zone\":\"America/Vancouver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[],"title":"VPC - Live Raw Search","version":1},"id":"a4b45e7a-8eee-45d3-8d48-c21bd17c5c25","migrationVersion":{"search":"7.9.3"},"references":[{"id":"cfee1484-73a2-406b-b291-1a7eb46bf660","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2024-05-22T06:13:26.555Z","version":"WzU2MSwxXQ=="} +{"attributes":{"description":"VPC Flow Logs dashboard only using live MV queries projection","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"ea07e9f4-6719-4c34-bfb8-ca48e9fda75b\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"ea07e9f4-6719-4c34-bfb8-ca48e9fda75b\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"9931d8df-e493-4649-9934-0a24c8b091f8\",\"w\":25,\"x\":11,\"y\":0},\"panelIndex\":\"9931d8df-e493-4649-9934-0a24c8b091f8\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"816b48d0-7c09-42e9-97be-a19c17634fc5\",\"w\":11,\"x\":36,\"y\":0},\"panelIndex\":\"816b48d0-7c09-42e9-97be-a19c17634fc5\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"6b04df64-559d-4d48-b454-ddeec66690d1\",\"w\":22,\"x\":0,\"y\":13},\"panelIndex\":\"6b04df64-559d-4d48-b454-ddeec66690d1\",\"version\":\"2.13.0\",\"panelRefName
\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"fb0eb25c-f2b3-484c-9125-4bc201e97b3f\",\"w\":25,\"x\":22,\"y\":13},\"panelIndex\":\"fb0eb25c-f2b3-484c-9125-4bc201e97b3f\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"79b5d7c5-7e66-4f92-b8ad-80a42167d181\",\"w\":15,\"x\":0,\"y\":26},\"panelIndex\":\"79b5d7c5-7e66-4f92-b8ad-80a42167d181\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8bbe7594-e52c-4fa6-8432-f265d0db5fd8\",\"w\":14,\"x\":15,\"y\":26},\"panelIndex\":\"8bbe7594-e52c-4fa6-8432-f265d0db5fd8\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4ea77bab-a48b-4ccf-b8e0-6b2f5b5c337a\",\"w\":18,\"x\":29,\"y\":26},\"panelIndex\":\"4ea77bab-a48b-4ccf-b8e0-6b2f5b5c337a\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d9e75376-2d8c-49f4-babb-335e73c99dee\",\"w\":12,\"x\":0,\"y\":41},\"panelIndex\":\"d9e75376-2d8c-49f4-babb-335e73c99dee\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8844e89c-9c06-4141-899f-b1f6fdde901b\",\"w\":12,\"x\":12,\"y\":41},\"panelIndex\":\"8844e89c-9c06-4141-899f-b1f6fdde901b\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"b4d94532-59cf-454e-98a2-beb15b8a752f\",\"w\":12,\"x\":24,\"y\":41},\"panelIndex\":\"b4d94532-59cf-454e-98a2-beb15b8a752f\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"505c0278-0d96-4617-9976-7bd9a8787e3a\",\"w\":12,\"x\":36,\"y\":41},\"panelIndex\":\"505c0278-0d96-4617-9976-7bd9a8787e3a\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":27,\"i\":\"fb0edb10-2e2a-4b3f-99a5-22ffe95e3250\",\"w\":24,\"x\":0,\"y\":56},\"pane
lIndex\":\"fb0edb10-2e2a-4b3f-99a5-22ffe95e3250\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":27,\"i\":\"5392e5cd-13cc-4904-abe7-1e183dc59478\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"5392e5cd-13cc-4904-abe7-1e183dc59478\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"291bd66b-062e-4019-90e7-e2b0da7c284a\",\"w\":48,\"x\":0,\"y\":83},\"panelIndex\":\"291bd66b-062e-4019-90e7-e2b0da7c284a\",\"version\":\"2.13.0\",\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"AWS VPC Flow Logs Only-Live Overview","version":1},"id":"797eceae-7fff-45e9-948f-354368937cbd","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"dc6cedd8-8eec-4db7-8a6a-722050aadf65","name":"panel_0","type":"visualization"},{"id":"73fcebfb-fc36-4c3c-92d8-354b003d3079","name":"panel_1","type":"visualization"},{"id":"9d75d3b9-3093-4120-bbce-7bbfdd283045","name":"panel_2","type":"visualization"},{"id":"c25cf44b-016b-4796-a5e8-bc018b28bc1a","name":"panel_3","type":"visualization"},{"id":"8bc28feb-9149-40fb-b7f2-495008f5102c","name":"panel_4","type":"visualization"},{"id":"e7e44e10-b9bf-4e37-a1fa-8b9a7c18fafa","name":"panel_5","type":"visualization"},{"id":"e37b37ff-2926-4da7-a177-4a1b2e2c2de7","name":"panel_6","type":"visualization"},{"id":"d0a7db2b-8a19-4978-87be-1f21aef48b31","name":"panel_7","type":"visualization"},{"id":"51a7564f-b392-4faa-92b8-909ad827252e","name":"panel_8","type":"visualization"},{"id":"a8296e29-b0e4-4287-a723-4ddfc7cb3fcf","name":"panel_9","type":"visualization"},{"id":"6382feef-2b3a-4123-8167-3581d6d3c933","name":"panel_10","type":"visualization"},{"id":"e150d97c-ceb8-4a38-82a1-9154fa9064f6","name":"panel_11","type":"visualization"},{"id":"0e694bb1-ded3-454f-8d12-dd9234a3b91b","name":"panel_12","type":"visualization"},{"id":"8fa03bc9-aac3-4303-be9e-dab6fdb919d6","name":"panel_13","type":"visualization"},{"id":"a4b45e7a-8eee-45d3-8d48
-c21bd17c5c25","name":"panel_14","type":"search"}],"type":"dashboard","updated_at":"2024-05-23T01:41:47.481Z","version":"WzEwMDgsMV0="}
+{"exportedCount":17,"missingRefCount":0,"missingReferences":[]}
diff --git a/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/assets/aws_vpc_mv_schema_security_lake_2_0-1.0.0.sql b/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/assets/aws_vpc_mv_schema_security_lake_2_0-1.0.0.sql
new file mode 100644
index 000000000..4439a09e3
--- /dev/null
+++ b/server/adaptors/integrations/__data__/repository/amazon_vpc_flow/assets/aws_vpc_mv_schema_security_lake_2_0-1.0.0.sql
@@ -0,0 +1,40 @@
+CREATE MATERIALIZED VIEW {table_name}__live_mview_2 AS
+ SELECT
+ CAST(IFNULL(`src_endpoint.port`, 0) AS LONG) AS `aws.vpc.srcport`,
+ CAST(IFNULL(`src_endpoint.ip`, 'Unknown') AS STRING) AS `aws.vpc.pkt-src-aws-service`,
+ CAST(IFNULL(`src_endpoint.ip`, '0.0.0.0') AS STRING) AS `aws.vpc.srcaddr`,
+ CAST(IFNULL(`src_endpoint.interface_uid`, 'Unknown') AS STRING) AS `aws.vpc.src-interface_uid`,
+ CAST(IFNULL(src_endpoint.vpc_uid, 'Unknown') AS STRING) AS `aws.vpc.src-vpc_uid`,
+ CAST(IFNULL(src_endpoint.instance_uid, 'Unknown') AS STRING) AS `aws.vpc.src-instance_uid`,
+ CAST(IFNULL(src_endpoint.subnet_uid, 'Unknown') AS STRING) AS `aws.vpc.src-subnet_uid`,
+ CAST(IFNULL(dst_endpoint.port, 0) AS LONG) AS `aws.vpc.dstport`,
+ CAST(IFNULL(dst_endpoint.ip, 'Unknown') AS STRING) AS `aws.vpc.pkt-dst-aws-service`,
+ CAST(IFNULL(dst_endpoint.ip, '0.0.0.0') AS STRING) AS `aws.vpc.dstaddr`,
+ CAST(IFNULL(connection_info.direction, 'Unknown') AS STRING) AS `aws.vpc.flow-direction`,
+ CAST(IFNULL(connection_info.tcp_flags, '0') AS STRING) AS `aws.vpc.connection.tcp_flags`,
+ CAST(IFNULL(traffic.packets, 0) AS LONG) AS `aws.vpc.packets`,
+ CAST(IFNULL(traffic.bytes, 0) AS LONG) AS `aws.vpc.bytes`,
+ CAST(start_time_dt AS TIMESTAMP) AS `@timestamp`,
+ CAST(start_time_dt AS TIMESTAMP) AS `start_time`,
+ CAST(start_time_dt AS TIMESTAMP) AS `interval_start_time`,
+ CAST(end_time_dt AS TIMESTAMP) AS `end_time`,
+ CAST(IFNULL(status_code, 'Unknown') AS STRING) AS `aws.vpc.status_code`,
+ CAST(IFNULL(metadata.product.version, 0) AS LONG) AS `aws.vpc.version`,
+ CAST(IFNULL(connection_info.protocol_ver, 'Unknown') AS STRING) AS `aws.vpc.type_name`,
+ CAST(IFNULL(connection_info.boundary_id, 0) AS LONG) AS `aws.vpc.traffic_path`,
+ CAST(IFNULL(cloud.zone, 'Unknown') AS STRING) AS `aws.vpc.az_id`,
+ CAST(IFNULL(activity_name, 'Unknown') AS STRING) AS `aws.vpc.action`,
+ CAST(IFNULL(cloud.region, 'Unknown') AS STRING) AS `aws.vpc.region`,
+ CAST(IFNULL(cloud.account.uid, 'Unknown') AS STRING) AS `aws.vpc.account-id`,
+ CAST(IFNULL(unmapped['sublocation_type'], 'Unknown') AS STRING) AS `aws.vpc.sublocation_type`,
+ CAST(IFNULL(unmapped['sublocation_id'], 'Unknown') AS STRING) AS `aws.vpc.sublocation_id`
+
+ FROM
+ {table_name}
+WITH (
+ auto_refresh = true,
+ refresh_interval = '15 Minute',
+ checkpoint_location = '{s3_checkpoint_location}',
+ watermark_delay = '1 Minute',
+ extra_options = '{ "{table_name}": { "maxFilesPerTrigger": "10" }}'
+)
diff --git a/server/adaptors/integrations/__data__/repository/aws_cloudtrail/assets/create_mv_cloud-trail_security_lake_2_0-1.0.0.sql b/server/adaptors/integrations/__data__/repository/aws_cloudtrail/assets/create_mv_cloud-trail_security_lake_2_0-1.0.0.sql
new file mode 100644
index 000000000..c6ba77f63
--- /dev/null
+++ b/server/adaptors/integrations/__data__/repository/aws_cloudtrail/assets/create_mv_cloud-trail_security_lake_2_0-1.0.0.sql
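Review bot: `aws.vpc.pkt-src-aws-service` and `aws.vpc.pkt-dst-aws-service` are projected from `src_endpoint.ip` and `dst_endpoint.ip`, the same columns that already feed `aws.vpc.srcaddr` and `aws.vpc.dstaddr`, so any panel built on the service-name fields will display IP addresses and double-count them against the address fields. If the Security Lake table carries no equivalent of the flow-log service-name field, an explicit constant keeps the gap visible: `CAST('Unknown' AS STRING) AS `aws.vpc.pkt-src-aws-service`,` (and the same for the dst column). The first four projections quote the whole dotted path (``src_endpoint.port``) while the remaining ones use unquoted struct access (`src_endpoint.vpc_uid`); in Spark SQL a backtick-quoted dotted name is one identifier rather than a nested-field reference, so either confirm both forms resolve against the table or use one form throughout, as the CloudTrail view in this change does. The `'0.0.0.0'` fallback for a missing address is indistinguishable from a genuine 0.0.0.0 source in anything that groups on `aws.vpc.srcaddr`; if the existing Flint assets do not rely on that sentinel, `'Unknown'` (the fallback used for every other string column here) or leaving the value null keeps absent and present apart.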
@@ -0,0 +1,53 @@
+CREATE MATERIALIZED VIEW {table_name}__mview AS
+SELECT
+ CAST(IFNULL(`actor.user.type`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.type`,
+ CAST(IFNULL(`actor.user.uid_alt`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.principalId`,
+ CAST(IFNULL(`actor.user.uid`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.arn`,
+ CAST(IFNULL(`actor.user.account.uid`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.accountId`,
+ CAST(IFNULL(`actor.invoked_by`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.invokedBy`,
+ CAST(IFNULL(`actor.user.credential_uid`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.accessKeyId`,
+ CAST(IFNULL(`actor.user.name`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.userName`,
+ CAST(IFNULL(`actor.session.is_mfa`, False) AS BOOLEAN) AS `aws.cloudtrail.userIdentity.sessionContext.attributes.mfaAuthenticated`,
+ CAST( actor.session.created_time_dt AS TIMESTAMP) AS `aws.cloudtrail.userIdentity.sessionContext.attributes.creationDate`,
+ CAST(IFNULL(unmapped['userIdentity.sessionContext.sessionIssuer.type'], 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.sessionContext.sessionIssuer.type`,
+ CAST(IFNULL(unmapped['userIdentity.sessionContext.sessionIssuer.principalId'], 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.sessionContext.sessionIssuer.principalId`,
+ CAST(IFNULL(`actor.session.issuer`, 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.sessionContext.sessionIssuer.arn`,
+ CAST(IFNULL(unmapped['userIdentity.sessionContext.sessionIssuer.accountId'], 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.sessionContext.sessionIssuer.accountId`,
+ CAST(IFNULL(unmapped['userIdentity.sessionContext.sessionIssuer.userName'], 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.sessionContext.sessionIssuer.userName`,
+ CAST(IFNULL(unmapped['userIdentity.sessionContext.ec2RoleDelivery'], 'Unknown') AS STRING) AS `aws.cloudtrail.userIdentity.sessionContext.ec2RoleDelivery`,
+
+ CAST(IFNULL(`metadata.product.version`, 'Unknown') AS STRING) AS `aws.cloudtrail.eventVersion`,
+ CAST( time AS TIMESTAMP) AS `@timestamp`,
+ CAST(IFNULL(`api.service.name`, 'Unknown') AS STRING) AS `aws.cloudtrail.eventSource`,
+ CAST(IFNULL(`api.operation`, 'Unknown') AS STRING) AS `aws.cloudtrail.eventName`,
+ CAST(IFNULL(`metadata.product.feature.name`, 'Unknown') AS STRING) AS `aws.cloudtrail.eventCategory`,
+ CAST(IFNULL(`metadata.event_code`, 'Unknown') AS STRING) AS `aws.cloudtrail.eventType`,
+ CAST(IFNULL(`metadata.uid`, 'Unknown') AS STRING) AS `aws.cloudtrail.eventId`,
+
+ CAST(IFNULL(`cloud.region`, 'Unknown') AS STRING) AS `aws.cloudtrail.awsRegion`,
+ CAST(IFNULL(`src_endpoint.ip`, '0.0.0.0') AS STRING) AS `aws.cloudtrail.sourceIPAddress`,
+ CAST(IFNULL(`http_request.user_agent`, 'Unknown') AS STRING) AS `aws.cloudtrail.userAgent`,
+ CAST(IFNULL(`api.response.error`, 'Unknown') AS STRING) AS `errorCode`,
+ CAST(IFNULL(`api.response.message`, 'Unknown') AS STRING) AS `errorMessage`,
+ CAST(IFNULL(`api.request.data`, 'Unknown') AS STRING) AS `aws.cloudtrail.requestParameter`,
+ CAST(IFNULL(`api.response.data`, 'Unknown') AS STRING) AS `aws.cloudtrail.responseElements`,
+ CAST(IFNULL(`dst_endpoint.svc_name`, 'Unknown') AS STRING) AS `aws.cloudtrail.additionalEventData`,
+ CAST(IFNULL(`api.request.uid`, 'Unknown') AS STRING) AS `aws.cloudtrail.requestId`,
+ resources AS `aws.cloudtrail.resources`,
+ CAST(IFNULL(`api.version`, 'Unknown') AS STRING) AS `aws.cloudtrail.apiVersion`,
+ CAST(IFNULL(unmapped['readOnly'], False) AS BOOLEAN) AS `aws.cloudtrail.readOnly`,
+ CAST(IFNULL(unmapped['recipientAccountId'], 0) AS LONG) AS `aws.cloudtrail.recipientAccountId`,
+ CAST(IFNULL(unmapped['sharedEventId'], 'Unknown') AS STRING) AS `aws.cloudtrail.sharedEventId`,
+ CAST(IFNULL(`src_endpoint.uid`, 'Unknown') AS STRING) AS `aws.cloudtrail.vpcEndpointId`,
+ CAST(IFNULL(unmapped['tlsDetails.tlsVersion'], 'Unknown') AS STRING) AS `aws.cloudtrail.tlsDetails.tls_version`,
+ CAST(IFNULL(unmapped['tlsDetails.cipherSuite'], 'Unknown') AS STRING) AS `aws.cloudtrail.tlsDetailscipher_suite`,
+ CAST(IFNULL(unmapped['tlsDetails.clientProvidedHostHeader'], 'Unknown') AS STRING) AS `aws.cloudtrail.tlsDetailsclient_provided_host_header`
+FROM
+ {table_name}
+WITH (
+ auto_refresh = true,
+ refresh_interval = '15 Minute',
+ checkpoint_location = '{s3_checkpoint_location}',
+ watermark_delay = '1 Minute',
+ extra_options = '{ "{table_name}": { "maxFilesPerTrigger": "10" }}'
+)
diff --git a/server/adaptors/integrations/__data__/repository/aws_cloudtrail/aws_cloudtrail-1.0.0.json b/server/adaptors/integrations/__data__/repository/aws_cloudtrail/aws_cloudtrail-1.0.0.json
index 4eb06e16c..2bae149c8 100644
--- a/server/adaptors/integrations/__data__/repository/aws_cloudtrail/aws_cloudtrail-1.0.0.json
+++ b/server/adaptors/integrations/__data__/repository/aws_cloudtrail/aws_cloudtrail-1.0.0.json
@@ -5,7 +5,7 @@
 "description": "Analyze CloudTrail events.",
 "license": "Apache-2.0",
 "type": "logs-aws_cloudtrail",
- "labels": ["Observability", "Logs", "AWS", "Cloud", "Flint S3"],
+ "labels": ["Security Lake", "Observability", "Logs", "AWS", "Cloud", "Flint S3"],
 "author": "OpenSearch",
 "sourceUrl": "https://github.com/opensearch-project/dashboards-observability/tree/main/server/adaptors/integrations/__data__/repository/aws_cloudtrail/info",
 "workflows": [
@@ -15,6 +15,12 @@
 "description": "Tables and pre-written queries for quickly getting insights on your data.",
 "enabled_by_default": true
 },
+ {
+ "name": "queries-security-lake",
+ "label": "Queries (recommended)",
+ "description": "Tables and pre-written queries for quickly getting insights on your data.",
+ "enabled_by_default": true
+ },
 {
 "name": "dashboards",
 "label": "Dashboards & Visualizations",
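Review bot: `aws.cloudtrail.recipientAccountId` is cast to LONG with a `0` default, while every other account identifier in this view (`aws.cloudtrail.userIdentity.accountId`, `...sessionIssuer.accountId`) is a STRING; AWS account IDs are 12-digit identifiers that may begin with zeros, so the LONG cast silently drops leading zeros and any comparison between recipient and actor accounts will miss. Suggest `CAST(IFNULL(unmapped['recipientAccountId'], 'Unknown') AS STRING) AS `aws.cloudtrail.recipientAccountId`,`. The two last projections are named `aws.cloudtrail.tlsDetailscipher_suite` and `aws.cloudtrail.tlsDetailsclient_provided_host_header`, without the dot that `aws.cloudtrail.tlsDetails.tls_version` has on the line above; unless the reused saved-object bundle expects the undotted names, they look like typos for `tlsDetails.cipher_suite` and `tlsDetails.client_provided_host_header`. `errorCode` and `errorMessage` are the only columns without the `aws.cloudtrail.` prefix, which may be deliberate for dashboards shared with the Flint workflow but deserves a one-line comment in the file so the next edit does not "fix" it.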
@@ -26,6 +32,12 @@
 "label": "Dashboards & Visualizations adapted to Flint",
 "description": "Dashboards and visualizations adapted to Flint S3 datasource that enable you to easily visualize data residing on S3",
 "enabled_by_default": false
+ },
+ {
+ "name": "dashboards-security-lake",
+ "label": "Dashboards & Visualizations",
+ "description": "Dashboards and indices that enable you to easily visualize important security related metrics.",
+ "enabled_by_default": true
 }
 ],
 "statics": {
@@ -71,7 +83,7 @@
 "version": "1.0.0",
 "extension": "ndjson",
 "type": "savedObjectBundle",
- "workflows": ["dashboards-flint"]
+ "workflows": ["dashboards-flint", "dashboards-security-lake"]
 },
 {
 "name": "create_skipping_index",
@@ -85,7 +97,7 @@
 "version": "1.0.0",
 "extension": "ndjson",
 "type": "savedObjectBundle",
- "workflows": ["queries"]
+ "workflows": ["queries", "queries-security-lake"]
 },
 {
 "name": "create_table_cloud-trail",
@@ -100,6 +112,13 @@
 "extension": "sql",
 "type": "query",
 "workflows": ["dashboards-flint"]
+ },
+ {
+ "name": "create_mv_cloud-trail_security_lake_2_0",
+ "version": "1.0.0",
+ "extension": "sql",
+ "type": "query",
+ "workflows": ["dashboards-security-lake"]
 }
 ],
 "sampleData": {
diff --git a/server/adaptors/integrations/__data__/repository/aws_waf/assets/create_mv_security_lake_2_0-1.0.0.sql b/server/adaptors/integrations/__data__/repository/aws_waf/assets/create_mv_security_lake_2_0-1.0.0.sql
new file mode 100644
index 000000000..4f230c5fd
--- /dev/null
+++ b/server/adaptors/integrations/__data__/repository/aws_waf/assets/create_mv_security_lake_2_0-1.0.0.sql
@@ -0,0 +1,26 @@
+CREATE MATERIALIZED VIEW {table_name}__mview AS
+SELECT
+ CAST(FROM_UNIXTIME(`time`/ 1000) AS TIMESTAMP) AS `@timestamp`,
+ CAST(IFNULL(`metadata.product.version`, 'Unknown') AS STRING) AS `aws.waf.formatVersion`,
+ CAST(IFNULL(`metadata.product.feature.uid`, 'Unknown') AS STRING) AS `aws.waf.webaclId`,
+ CAST(IFNULL(`firewall_rule.uid`, 'Unknown') AS STRING) AS `aws.waf.terminatingRuleId`,
+ CAST(IFNULL(`firewall_rule.type`, 'Unknown') AS STRING) AS `aws.waf.terminatingRuleType`,
+ CAST(IFNULL(action, 'Unknown') AS STRING) AS `aws.waf.action`,
+ CAST(IFNULL(`src_endpoint.svc_name`, 'Unknown') AS STRING) AS `aws.waf.httpSourceName`,
+ CAST(IFNULL(`src_endpoint.uid`, 'Unknown') AS STRING) AS `aws.waf.httpSourceId`,
+ ruleGroupList AS `aws.waf.ruleGroupList`,
+ unmapped['rateBasedRuleList'] AS `aws.waf.rateBasedRuleList`,
+ nonTerminatingMatchingRules AS `aws.waf.nonTerminatingMatchingRules`,
+ CAST(IFNULL(`http_status`, 0) AS LONG) AS `aws.waf.responseCodeSent`,
+ httpRequest AS `aws.waf.httpRequest`,
+ metadata.labels AS `aws.waf.labels`,
+ unmapped['captchaResponse'] AS `aws.waf.captchaResponse`
+FROM
+ {table_name}
+WITH (
+ auto_refresh = true,
+ refresh_interval = '15 Minute',
+ checkpoint_location = '{s3_checkpoint_location}',
+ watermark_delay = '1 Minute',
+ extra_options = '{ "{table_name}": { "maxFilesPerTrigger": "10" }}'
+)
diff --git a/server/adaptors/integrations/__data__/repository/aws_waf/aws_waf-1.0.0.json b/server/adaptors/integrations/__data__/repository/aws_waf/aws_waf-1.0.0.json
index f6f6eb6f6..0a897b6a1 100644
--- a/server/adaptors/integrations/__data__/repository/aws_waf/aws_waf-1.0.0.json
+++ b/server/adaptors/integrations/__data__/repository/aws_waf/aws_waf-1.0.0.json
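Review bot: `ruleGroupList`, `nonTerminatingMatchingRules` and `httpRequest` are read as bare top-level columns, while the rest of the view reads OCSF paths (`firewall_rule.uid`, `src_endpoint.svc_name`) or `unmapped[...]`; those three are the raw WAF log field names, so confirm they exist in the Security Lake 2.0 WAF table, otherwise they probably belong in `unmapped[...]` like `rateBasedRuleList` and `captchaResponse`, and the MATERIALIZED VIEW creation will fail on the first unresolved column. `CAST(FROM_UNIXTIME(`time`/ 1000) AS TIMESTAMP)` routes the timestamp through a formatted string and truncates to whole seconds; if `time` is epoch milliseconds, `TIMESTAMP_MILLIS(`time`) AS `@timestamp`,` is direct and keeps millisecond precision, and if the table also exposes a `time_dt` column, the plain `CAST(start_time_dt AS TIMESTAMP)` form used by the VPC view in this change would keep the three views consistent. The complex-typed projections (`unmapped['rateBasedRuleList']`, `metadata.labels`, `unmapped['captchaResponse']`) have no IFNULL fallback unlike the scalar ones, which is reasonable for map/array values but differs from the `'Unknown'` convention enough to merit a short comment.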
@@ -15,11 +15,23 @@
 "description": "Tables and pre-written queries for quickly getting insights on your data.",
 "enabled_by_default": true
 },
+ {
+ "name": "queries-security-lake",
+ "label": "Queries (recommended)",
+ "description": "Tables and pre-written queries for quickly getting insights on your data.",
+ "enabled_by_default": true
+ },
 {
 "name": "dashboards",
 "label": "Dashboards & Visualizations",
 "description": "Dashboards and indices that enable you to easily visualize important metrics.",
 "enabled_by_default": false
+ },
+ {
+ "name": "dashboards-security-lake",
+ "label": "Dashboards & Visualizations",
+ "description": "Dashboards and indices that enable you to easily visualize important metrics.",
+ "enabled_by_default": true
 }
 ],
 "statics": {
@@ -58,7 +70,7 @@
 "version": "1.0.0",
 "extension": "ndjson",
 "type": "savedObjectBundle",
- "workflows": ["dashboards"]
+ "workflows": ["dashboards", "dashboards-security-lake"]
 },
 {
 "name": "create_table",
@@ -74,6 +86,13 @@ "workflows": ["dashboards"] }, + { + "name": "create_mv_security_lake_2_0", + "version": "1.0.0", + "extension": "sql", + "type": "query", + "workflows": ["dashboards-security-lake"] + }, { "name": "create_skipping_index", "version": "1.0.0",
@@ -86,7 +105,7 @@
 "version": "1.0.0",
 "extension": "ndjson",
 "type": "savedObjectBundle",
- "workflows": ["queries"]
+ "workflows": ["queries", "queries-security-lake"]
 }
 ],
 "sampleData": {
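Review bot: The new `dashboards-security-lake` workflow carries the same label (`Dashboards & Visualizations`) and the same description as the existing `dashboards` workflow directly above it, and `queries-security-lake` repeats the description of `queries`; in the workflow picker a user sees two identically named entries and cannot tell which one targets the Security Lake table. Suggest `"label": "Dashboards & Visualizations (Security Lake)"` and `"label": "Queries (Security Lake)"`, with descriptions that name the OCSF / Security Lake 2.0 source they expect. The same duplication appears in the aws_cloudtrail-1.0.0.json hunks earlier in this change (`@@ -15,6 +15,12 @@` and `@@ -26,6 +32,12 @@`). Both new workflows are `"enabled_by_default": true` while `dashboards` is `false`, so unless the installer filters workflows by the chosen data-source type, a non-Security-Lake install would also run `create_mv_security_lake_2_0` against a table without the OCSF columns; either confirm that filtering exists or default the Security Lake workflows to `false`.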