diff --git a/examples/multi-cloud-setup/.gitattributes b/examples/multi-cloud-setup/.gitattributes
new file mode 100644
index 000000000..dfe077042
--- /dev/null
+++ b/examples/multi-cloud-setup/.gitattributes
@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto
diff --git a/examples/multi-cloud-setup/AWS/.gitignore b/examples/multi-cloud-setup/AWS/.gitignore
new file mode 100644
index 000000000..cbc93ad91
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/.gitignore
@@ -0,0 +1,8 @@
+ .vs/slnx.sqlite
+*.tfstate
+*.backup
+terraform/*.tfstate
+terraform/.terraform
+*.hcl
+local_env
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/README.md b/examples/multi-cloud-setup/AWS/README.md
new file mode 100644
index 000000000..544cc81af
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/README.md
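Review bot: Nothing in this .gitignore covers `terraform.tfvars.json`, yet the README added in the same commit tells users to paste their IAM access key and secret into exactly that file, so a routine `git add .` would commit long-lived AWS credentials; add `*.tfvars` and `*.tfvars.json` next to the `*.tfstate` entries. Separately, the blanket `*.hcl` pattern also swallows `.terraform.lock.hcl`, the provider lock file that pins provider versions and hashes — that file is normally committed so every user runs the same verified providers, so consider narrowing the pattern or adding `!.terraform.lock.hcl` after it. Finally, `terraform/.terraform` only matches that one directory; `**/.terraform/` would cover any module directory that gets initialised.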
@@ -0,0 +1,29 @@
+# AWS environment
+
+```json
+{
+ "aws_region" : "eu-west-2",
+ "aws_access_key" : "",
+ "aws_secret_key" : ""
+}
+```
+
+List of other optional parameters that can be added to terraform.tfvars.json
+| Parameter Name | Default value | Example | Description |
+| ------------- | ------------- | ------------- | ------------- |
+| elastic_version | latest | 8.4.1 | Used to define the Elastic Search version |
+| elastic_region | aws-eu-west-2 | aws-eu-west-2 | Used to set the Elastic Cloud region for the AWS deployment |
+| elastic_deployment_name | AWS Observe and Protect | AWS Observe and Protect | Used to define the name for the Elastic deployment |
+
+
+#### Create AWS Access credentials
+
+1. Visit the [IAM Management Console](https://us-east-1.console.aws.amazon.com/iam/home) in AWS
+2. Navigate to the user you want to use for the setup
+3. Click on "Security credentials"
+4. Click on "Create access key" and save the credentials in your `terraform.tfvars.json` file
+
+Hint: The credentials you choose here will also be used to authenticate the Elastic Agent against your AWS Environment. In production ready setups you might want to change that. Elastic also offers other authentication mechanisms for the Elastic Agent. This terraform script does not ATM.
+
+
+
diff --git a/examples/multi-cloud-setup/AWS/dashboards/CloudTrail Summary.ndjson b/examples/multi-cloud-setup/AWS/dashboards/CloudTrail Summary.ndjson
new file mode 100644
index 000000000..fc9a36c5f
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/dashboards/CloudTrail Summary.ndjson
@@ -0,0 +1,17 @@ +{"attributes":{"fieldAttrs":"{\"event.action\":{\"count\":1},\"event.provider\":{\"count\":1},\"aws.cloudtrail.response_elements\":{\"count\":1},\"source.address\":{\"count\":2}}","fieldFormatMap":"{}","fields":"[]","name":"AWS Cloudtrail","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"@timestamp","title":"logs-aws.cloudtrail*","typeMeta":"{}"},"coreMigrationVersion":"8.4.3","id":"5f946950-7fc8-11ea-945d-8d0868f4a377","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-10-12T09:20:35.387Z","version":"WzQzOTMsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - AWS Account(Bar)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cloud.account.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"cloud.account.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":
{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"legendSize\":\"auto\"},\"title\":\"CloudTrail - AWS Account(Bar)\"}"},"coreMigrationVersion":"8.4.3","id":"38b0cd00-8609-11ea-8ea1-d5ea957d0a7d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMwOTcsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Source 
Countries","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\"},\"title\":\"CloudTrail - Source Countries\"}"},"coreMigrationVersion":"8.4.3","id":"5fdde8a0-87cf-11ea-b9a0-7b688d6c40a7","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMwOTksMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"title":"CloudTrail - Region(Bar)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - 
Region(Bar)\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cloud.region\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucke
tLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"cloud.region\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"8.4.3","id":"70cd1ea0-8609-11ea-8ea1-d5ea957d0a7d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMwOTgsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - User Agent Browser","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - User Agent 
Browser\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":15,\"otherBucket\":true,\"otherBucketLabel\":\"Other2\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\"}}"},"coreMigrationVersion":"8.4.3","id":"2a1575e0-1d1d-11ed-aa58-67d455528b1d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMxMjMsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Source Countries(Geo)","uiStateJSON":"{\"mapZoom\":2,\"mapCenter\":[21.453068633086783,26.3558692421991]}","version":1,"visState":"{\"type\":\"region_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to 
Red\",\"emsHotLink\":\"https://maps.elastic.co/v7.7?locale=en#file/world_countries\",\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"ISO 3166-1 alpha-2 Code\",\"name\":\"iso2\",\"type\":\"id\"},\"selectedLayer\":{\"attribution\":\"Made with NaturalEarth\",\"created_at\":\"2017-04-26T17:12:15.978370\",\"fields\":[{\"description\":\"ISO 3166-1 alpha-2 Code\",\"name\":\"iso2\",\"type\":\"id\"},{\"description\":\"ISO 3166-1 alpha-3 Code\",\"name\":\"iso3\",\"type\":\"id\"},{\"description\":\"Name\",\"name\":\"name\",\"type\":\"name\"}],\"format\":{\"type\":\"geojson\"},\"id\":\"world_countries\",\"isEMS\":true,\"layerId\":\"elastic_maps_service.World Countries\",\"name\":\"World Countries\",\"origin\":\"elastic_maps_service\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"Map data © OpenStreetMap contributors\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"CloudTrail - Source Countries(Geo)\"}"},"coreMigrationVersion":"8.4.3","id":"86029e40-87cf-11ea-b9a0-7b688d6c40a7","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMxMDEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"title":"CloudTrail - Source AS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - Source 
AS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"8.4.3","id":"d51c8ea0-87cf-11ea-b9a0-7b688d6c40a7","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMxMDIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"title":"CloudTrail - Source IP","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"CloudTrail - Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"},"coreMigrationVersion":"8.4.3","id":"8e9a0fb0-87d0-11ea-84c8-631650cae227","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMxMDAsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - UserIdentity.arn","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"CloudTrail - 
UserIdentity.arn\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.cloudtrail.user_identity.arn\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"showToolbar\":true,\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"8.4.3","id":"8485ad20-87cd-11ea-84c8-631650cae227","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:41:12.709Z","version":"WzM0OTIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Event Name(Area)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - Event 
Name(Area)\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30s\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"labels\":{},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-
DD HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT12H\",\"format\":\"YYYY-MM-DD HH:mm\",\"bounds\":{\"min\":\"2020-03-27T10:17:24.061Z\",\"max\":\"2020-04-26T10:17:24.061Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"legendSize\":\"auto\",\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9}}"},"coreMigrationVersion":"8.4.3","id":"5b808920-87a7-11ea-8ea1-d5ea957d0a7d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:46:01.776Z","version":"WzM2NzEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Event Type(Pie)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - Event 
Type(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.cloudtrail.event_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"emptySizeRatio\":0.3}}"},"coreMigrationVersion":"8.4.3","id":"750fd9d0-87a8-11ea-8ea1-d5ea957d0a7d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:47:01.298Z","version":"WzM3MzAsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Event Type(Area)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - Event 
Type(Area)\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30s\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"aws.cloudtrail.event_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"labels\":{},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"param
s\":{},\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"legendSize\":\"auto\",\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9}}"},"coreMigrationVersion":"8.4.3","id":"a9aacce0-87a8-11ea-8ea1-d5ea957d0a7d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:47:46.303Z","version":"WzM3NDYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Event Source(Pie)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - Event Source(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"emptySizeRatio\":0.3}}"},"coreMigrationVersion":"8.4.3","id":"db266210-87a9-11ea-8ea1-d5ea9
57d0a7d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:52:37.729Z","version":"WzM5NzIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"CloudTrail - Event Source(Area)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"CloudTrail - Event Source(Area)\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30s\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncat
e\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"labels\":{},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"legendSize\":\"auto\",\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9}}"},"coreMigrationVersion":"8.4.3","id":"e062c4d0-87ae-11ea-b9a0-7b688d6c40a7","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:53:04.011Z","version":"WzQwMzMsMV0="} +{"attributes":{"columns":["cloud.account.id","cloud.region","event.provider","event.action","user.name","source.address"],"description":"","grid":{"columns":{"eventName":{"width":182.28571428571428}}},"hideChart":false,"hits":0,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"search - 
CloudTrail","version":1},"coreMigrationVersion":"8.4.3","id":"2c0fb0e0-87ce-11ea-b9a0-7b688d6c40a7","migrationVersion":{"search":"8.0.0"},"references":[{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2022-10-12T08:57:48.428Z","version":"WzQxOTMsMV0="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"01bd1211-b9b4-4437-a0cd-f79cd8c7d340\"},\"panelIndex\":\"01bd1211-b9b4-4437-a0cd-f79cd8c7d340\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"# AWS Cloudtrail Summary\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}}},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":21,\"h\":7,\"i\":\"ef1c8093-d864-4d8b-88bd-d3d635d90819\"},\"panelIndex\":\"ef1c8093-d864-4d8b-88bd-d3d635d90819\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ef1c8093-d864-4d8b-88bd-d3d635d90819\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":4,\"w\":6,\"h\":7,\"i\":\"8d6c2abf-e123-41cc-9428-c814a8c3851f\"},\"panelIndex\":\"8d6c2abf-e123-41cc-9428-c814a8c3851f\",\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_8d6c2abf-e123-41cc-9428-c814a8c3851f\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":27,\"y\":4,\"w\":21,\"h\":7,\"i\":\"458220d0-a1bd-4ff4-887c-ddd1174ad52a\"},\"panelIndex\":\"458220d0-a1bd-4ff4-887c-ddd1174ad52a\",\"embed
dableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_458220d0-a1bd-4ff4-887c-ddd1174ad52a\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":11,\"h\":7,\"i\":\"c2b7419d-5a81-4ab1-b793-e884b3b82765\"},\"panelIndex\":\"c2b7419d-5a81-4ab1-b793-e884b3b82765\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c2b7419d-5a81-4ab1-b793-e884b3b82765\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":11,\"w\":27,\"h\":15,\"i\":\"06dacfb3-5be8-48da-be91-a33a0fdedd6f\"},\"panelIndex\":\"06dacfb3-5be8-48da-be91-a33a0fdedd6f\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null,\"enhancements\":{}},\"panelRefName\":\"panel_06dacfb3-5be8-48da-be91-a33a0fdedd6f\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":18,\"w\":11,\"h\":8,\"i\":\"59c704d2-da17-4437-aaa6-72e7f7899be0\"},\"panelIndex\":\"59c704d2-da17-4437-aaa6-72e7f7899be0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_59c704d2-da17-4437-aaa6-72e7f7899be0\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":11,\"y\":11,\"w\":10,\"h\":15,\"i\":\"387068a2-b2d7-449a-93c6-92ded89cc535\"},\"panelIndex\":\"387068a2-b2d7-449a-93c6-92ded89cc535\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_387068a2-b2d7-449a-93c6-92ded89cc535\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":26,\"w\":27,\"h\":20,\"i\":\"ebfcdb58-d9a8-491b-a4b0-be9334715165\"},\"panelIndex\":\"ebfcdb58-d9a8-491b-a4b0-be9334715165\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ebfcdb58-d9a8-491b-a4b0-be9334715165\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":4,\"i\":\"d2d6f149-f1d3-468b-8b87-e84a37684862\"},\"panelIndex\":\"d2d6f149-f1d3-468b-8b87-e84a37684862\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"re
ferences\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"event.action:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress OR CreateSecurityGroup OR DeleteSecurityGroup)\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Root Logins\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Security Group 
Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":30,\"w\":11,\"h\":4,\"i\":\"d2a2838c-5ec2-451a-ab00-f07b431a5f1d\"},\"panelIndex\":\"d2a2838c-5ec2-451a-ab00-f07b431a5f1d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"event.action:(CreateNetworkAcl OR CreateNetworkAclEntry OR DeleteNetworkAcl OR DeleteNetworkAclEntry OR ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Security Group 
Changed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"NACL Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":26,\"w\":10,\"h\":4,\"i\":\"a6bfa741-063d-45c1-b10e-f468888abbdb\"},\"panelIndex\":\"a6bfa741-063d-45c1-b10e-f468888abbdb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\"},\"query\":{\"query\":\"aws.cloudtrail.user_identity.type : \\\"Root\\\" AND NOT aws.cloudtrail.user_identity.invoked_by : * AND NOT aws.cloudtrail.event_type : \\\"AwsServiceEvent\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Root Logins\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Root Logins\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":34,\"w\":11,\"h\":4,\"i\":\"e561ca16-abbd-4e15-aef4-4699556684b0\"},\"panelIndex\":\"e561ca16-abbd-4e15-aef4-4699556684b0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"event.action:(CreateNetworkAc
l OR CreateNetworkAclEntry OR DeleteNetworkAcl OR DeleteNetworkAclEntry OR ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of NACL Changed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Network Gateway Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":30,\"w\":10,\"h\":4,\"i\":\"a692c537-bc6a-4ab3-904c-51c8d3e62655\"},\"panelIndex\":\"a692c537-bc6a-4ab3-904c-51c8d3e62655\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\"
:\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.cloudtrail.error_code : *UnauthorizedOperation OR aws.cloudtrail.error_code : AccessDenied*\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Failed API calls\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Unauthorized API calls\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":11,\"h\":4,\"i\":\"3149e029-3b17-4f0a-af9c-4e90651c8e5a\"},\"panelIndex\":\"3149e029-3b17-4f0a-af9c-4e90651c8e5a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"co
lorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"event.action:(CreateNetworkAcl OR CreateNetworkAclEntry OR DeleteNetworkAcl OR DeleteNetworkAclEntry OR ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Network Gateway Changed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Route Table Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":34,\"w\":10,\"h\":4,\"i\":\"c650e9dc-911a-4f54-afe5-034a9ba01996\"},\"panelIndex\":\"c650e9dc-911a-4f54-afe5-034a9ba01996\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"ra
ngeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"event.action:(CreateNetworkAcl OR CreateNetworkAclEntry OR DeleteNetworkAcl OR DeleteNetworkAclEntry OR ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Network Gateway Changed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"VPC 
Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":38,\"w\":10,\"h\":4,\"i\":\"778fefd6-82fd-4958-b99f-eb1d60e02827\"},\"panelIndex\":\"778fefd6-82fd-4958-b99f-eb1d60e02827\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"s3.amazonaws.com AND (event.action:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketLifecycle OR DeleteBucketReplication))\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of VPC 
Changed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"S3 Bucket Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":42,\"w\":10,\"h\":4,\"i\":\"e98c9dd0-8e53-4647-a585-3094c6571458\"},\"panelIndex\":\"e98c9dd0-8e53-4647-a585-3094c6571458\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"event.provider: \\\"kms.amazonaws.com\\\" AND event.action:(DisableKey OR ScheduleKeyDeletion OR 
PutKeyPolicy)\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of S3 Bucket Changed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"KMS Key Changed\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":46,\"w\":15,\"h\":9,\"i\":\"3c3db010-99e4-4814-a15e-5a00c5f66859\"},\"panelIndex\":\"3c3db010-99e4-4814-a15e-5a00c5f66859\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-bb2cfec9-f76b-4084-92f5-af8394ad83db\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"bb2cfec9-f76b-4084-92f5-af8394ad83db\",\"groups\":[\"78a878d2-b185-4584-9303-35965bb63fd9\"],\"metric\":\"6325da90-d2c2-4971-b5d2-dc6f17a55c51\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bb2cfec9-f76b-4084-92f5-af8394ad83db\":{\"columns\":{\"78a878d2-b185-4584-9303-35965bb63fd9\":{\"label\":\"Top 10 values of 
event.action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6325da90-d2c2-4971-b5d2-dc6f17a55c51\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"6325da90-d2c2-4971-b5d2-dc6f17a55c51\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"78a878d2-b185-4584-9303-35965bb63fd9\",\"6325da90-d2c2-4971-b5d2-dc6f17a55c51\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":15,\"y\":46,\"w\":33,\"h\":9,\"i\":\"2d43cb78-cdf8-4f6f-83b2-e724f1880c4b\"},\"panelIndex\":\"2d43cb78-cdf8-4f6f-83b2-e724f1880c4b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2d43cb78-cdf8-4f6f-83b2-e724f1880c4b\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":55,\"w\":15,\"h\":9,\"i\":\"c1ef693d-637a-4d2d-8267-3191015f0df8\"},\"panelIndex\":\"c1ef693d-637a-4d2d-8267-3191015f0df8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c1ef693d-637a-4d2d-8267-3191015f0df8\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":15,\"y\":55,\"w\":33,\"h\":9,\"i\":\"9a6adcb9-bce1-44c4-bab8-fe086aaf741d\"},\"panelIndex\":\"9a6adcb9-bce1-44c4-bab8-fe086aaf741d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9a6adcb9-bce1-44c4-bab8-fe086aaf741d\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":64,\"w\":15,\"h\":9,\"i\":\"765c4907-29a1-4664-b26f-573aecce8ff2\"},\"panelIndex\":\"765c4907-29a1-4664-b26f-573aecce8ff2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{
\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-f23af264-2dc6-4b6d-9ddc-1944230042c9\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"f23af264-2dc6-4b6d-9ddc-1944230042c9\",\"groups\":[\"d1dc35d4-5f1b-4f3c-8730-d39de2a2417a\"],\"metric\":\"392128cb-4742-4eb3-86c8-38a05f33bbae\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f23af264-2dc6-4b6d-9ddc-1944230042c9\":{\"columns\":{\"d1dc35d4-5f1b-4f3c-8730-d39de2a2417a\":{\"label\":\"Top 10 values of aws.cloudtrail.error_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"aws.cloudtrail.error_code\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"392128cb-4742-4eb3-86c8-38a05f33bbae\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"392128cb-4742-4eb3-86c8-38a05f33bbae\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"d1dc35d4-5f1b-4f3c-8730-d39de2a2417a\",\"392128cb-4742-4eb3-86c8-38a05f33bbae\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":64,\"w\":33,\"h\":9,\"i\":\"67f285a8-da87-481c-9da2-f51aa92a0a45\"},\"panelIndex\":\"67f285a8-da87-481c-9da2-f51aa92a0a45\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5f946950-7fc8-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-f23af264-2dc6-4b6d-9ddc-1944230042c9\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area\",\"layers\":[{\"layerId\":\"f23af264-2dc6-4b6d-9ddc-1944230042c9\",\"seriesType\":\"area\",\"splitAccessor\":\"4c584ac2-d918-4a9f-90c1-9eea588944ec\",\"accessors\":[\"392128cb-4742-4eb3-86c8-38a05f33bbae\"],\"layerType\":\"data\",\"xAccessor\":\"0d67a1be-4ea1-42c5-a0d7-3ace022c2464\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f23af264-2dc6-4b6d-9ddc-1944230042c9\":{\"columns\":{\"392128cb-4742-4eb3-86c8-38a05f33bbae\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"4c584ac2-d918-4a9f-90c1-9eea588944ec\":{\"label\":\"Top 10 values of aws.cloudtrail.error_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"aws.cloudtrail.error_code\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"392128cb-4742-4eb3-86c8-38a05f33bbae\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"0d67a1be-4ea1-42c5-a0d7-3ace022c2464\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}}},\"columnOrder\":[\"4c584ac2-d918-4a9f-90c1-9eea588944ec\",\"0d67a1be-4ea1-42c5-a0d7-3ace022c2464\",\"392128cb-4742-4eb3-86c8-38a05f33bbae\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":73,\"w\":15,\"h\":9,\"i\":\"ca007fbb-a1e3-4c8c-80ee-b20394c82353\"},\"panelIndex\":\"ca007fbb-a1e3-4c8c-80ee-b20394c82353\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ca007fbb-a1e3-4c8c-80ee-b20394c82353\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":15,\"y\":73,\"w\":33,\"h\":9,\"i\":\"aa79b7c7-2617-4cdf-959b-225d20b8960f\"},\"panelIndex\":\"aa79b7c7-2617-4cdf-959b-225d20b8960f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa79b7c7-2617-4cdf-959b-225d20b8960f\"},{\"version\":\"8.4.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":82,\"w\":48,\"h\":14,\"i\":\"065c67cb-5101-43b1-b117-4b448a731381\"},\"panelIndex\":\"065c67cb-5101-43b1-b117-4b448a731381\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefN
ame\":\"panel_065c67cb-5101-43b1-b117-4b448a731381\"}]","timeRestore":false,"title":"CloudTrail Summary","version":1},"coreMigrationVersion":"8.4.3","id":"02ca2d20-8245-11ea-8450-d1d13849d130","migrationVersion":{"dashboard":"8.4.0"},"references":[{"id":"38b0cd00-8609-11ea-8ea1-d5ea957d0a7d","name":"ef1c8093-d864-4d8b-88bd-d3d635d90819:panel_ef1c8093-d864-4d8b-88bd-d3d635d90819","type":"visualization"},{"id":"5fdde8a0-87cf-11ea-b9a0-7b688d6c40a7","name":"8d6c2abf-e123-41cc-9428-c814a8c3851f:panel_8d6c2abf-e123-41cc-9428-c814a8c3851f","type":"visualization"},{"id":"70cd1ea0-8609-11ea-8ea1-d5ea957d0a7d","name":"458220d0-a1bd-4ff4-887c-ddd1174ad52a:panel_458220d0-a1bd-4ff4-887c-ddd1174ad52a","type":"visualization"},{"id":"2a1575e0-1d1d-11ed-aa58-67d455528b1d","name":"c2b7419d-5a81-4ab1-b793-e884b3b82765:panel_c2b7419d-5a81-4ab1-b793-e884b3b82765","type":"visualization"},{"id":"86029e40-87cf-11ea-b9a0-7b688d6c40a7","name":"06dacfb3-5be8-48da-be91-a33a0fdedd6f:panel_06dacfb3-5be8-48da-be91-a33a0fdedd6f","type":"visualization"},{"id":"d51c8ea0-87cf-11ea-b9a0-7b688d6c40a7","name":"59c704d2-da17-4437-aaa6-72e7f7899be0:panel_59c704d2-da17-4437-aaa6-72e7f7899be0","type":"visualization"},{"id":"8e9a0fb0-87d0-11ea-84c8-631650cae227","name":"387068a2-b2d7-449a-93c6-92ded89cc535:panel_387068a2-b2d7-449a-93c6-92ded89cc535","type":"visualization"},{"id":"8485ad20-87cd-11ea-84c8-631650cae227","name":"ebfcdb58-d9a8-491b-a4b0-be9334715165:panel_ebfcdb58-d9a8-491b-a4b0-be9334715165","type":"visualization"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"d2d6f149-f1d3-468b-8b87-e84a37684862:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"d2a2838c-5ec2-451a-ab00-f07b431a5f1d:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"a6bfa741-063d-45c1-b10e-f468888abbdb:indexpattern-datasource-layer-1701
ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"e561ca16-abbd-4e15-aef4-4699556684b0:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"a692c537-bc6a-4ab3-904c-51c8d3e62655:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"3149e029-3b17-4f0a-af9c-4e90651c8e5a:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"c650e9dc-911a-4f54-afe5-034a9ba01996:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"778fefd6-82fd-4958-b99f-eb1d60e02827:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"e98c9dd0-8e53-4647-a585-3094c6571458:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"3c3db010-99e4-4814-a15e-5a00c5f66859:indexpattern-datasource-layer-bb2cfec9-f76b-4084-92f5-af8394ad83db","type":"index-pattern"},{"id":"5b808920-87a7-11ea-8ea1-d5ea957d0a7d","name":"2d43cb78-cdf8-4f6f-83b2-e724f1880c4b:panel_2d43cb78-cdf8-4f6f-83b2-e724f1880c4b","type":"visualization"},{"id":"750fd9d0-87a8-11ea-8ea1-d5ea957d0a7d","name":"c1ef693d-637a-4d2d-8267-3191015f0df8:panel_c1ef693d-637a-4d2d-8267-3191015f0df8","type":"visualization"},{"id":"a9aacce0-87a8-11ea-8ea1-d5ea957d0a7d","name":"9a6adcb9-bce1-44c4-bab8-fe086aaf741d:panel_9a6adcb9-bce1-44c4-bab8-fe086aaf741d","type":"visualization"},{"id":"5f946950-7fc8-11ea-945d-8d0868f4a377","name":"765c4907-29a1-4664-b26f-573aecce8ff2:indexpattern-datasource-layer-f23af264-2dc6-4b6d-9ddc-1944230042c9","type":"index-pattern"},{"id":"5f946
950-7fc8-11ea-945d-8d0868f4a377","name":"67f285a8-da87-481c-9da2-f51aa92a0a45:indexpattern-datasource-layer-f23af264-2dc6-4b6d-9ddc-1944230042c9","type":"index-pattern"},{"id":"db266210-87a9-11ea-8ea1-d5ea957d0a7d","name":"ca007fbb-a1e3-4c8c-80ee-b20394c82353:panel_ca007fbb-a1e3-4c8c-80ee-b20394c82353","type":"visualization"},{"id":"e062c4d0-87ae-11ea-b9a0-7b688d6c40a7","name":"aa79b7c7-2617-4cdf-959b-225d20b8960f:panel_aa79b7c7-2617-4cdf-959b-225d20b8960f","type":"visualization"},{"id":"2c0fb0e0-87ce-11ea-b9a0-7b688d6c40a7","name":"065c67cb-5101-43b1-b117-4b448a731381:panel_065c67cb-5101-43b1-b117-4b448a731381","type":"search"}],"type":"dashboard","updated_at":"2022-10-12T09:47:59.387Z","version":"WzU3MTYsMV0="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":16,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/dashboards/VPCFlow Summary.ndjson b/examples/multi-cloud-setup/AWS/dashboards/VPCFlow Summary.ndjson new file mode 100644 index 000000000..f274e01b2 --- /dev/null +++ b/examples/multi-cloud-setup/AWS/dashboards/VPCFlow Summary.ndjson 
@@ -0,0 +1,18 @@ +{"attributes":{"fieldAttrs":"{\"aws.vpcflow.action\":{\"count\":2},\"destination.port\":{\"count\":2},\"network.direction\":{\"count\":2}}","fieldFormatMap":"{}","fields":"[]","name":"AWS VPC Flowlogs","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"@timestamp","title":"logs-aws.vpcflow*","typeMeta":"{}"},"coreMigrationVersion":"8.4.3","id":"99f81900-806f-11ea-945d-8d0868f4a377","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-10-12T10:39:16.143Z","version":"WzY1NjQsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"title":"VPCFlowLogs - AWS Account(Bar)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - AWS Account(Bar)\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#341
30C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cloud.account.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"cloud.account.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Account\"}}]}"},"coreMigrationVersion":"8.4.3","id":"e64d06f0-8225-11ea-9ba8-7fa25bc74a6f","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMyNzMsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"title":"VPCFlowLogs - Region(Bar)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"VPCFlowLogs - 
Region(Bar)\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cloud.region\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucke
tLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"cloud.region\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"8.4.3","id":"8079b750-8226-11ea-945d-8d0868f4a377","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMyNzQsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Accept Packets(Line Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Accept Packets(Line Chart)\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum_bucket\",\"params\":{\"customBucket\":{\"id\":\"1-bucket\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"aws.vpcflow.action: \\\"ACCEPT\\\"\",\"language\":\"kuery\"},\"label\":\"\"}]}},\"customMetric\":{\"id\":\"1-metric\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.packets\",\"emptyAsNull\":false}},\"customLabel\":\"Sum of network 
packets\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30s\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of network packets\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-3\",\"circlesRadius\":1}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-3\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Sum of network 
packets\"},\"type\":\"value\"}],\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"legendSize\":\"auto\",\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9}}"},"coreMigrationVersion":"8.4.3","id":"93a6db30-8228-11ea-9ba8-7fa25bc74a6f","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:22:04.760Z","version":"WzYwMTUsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Reject Packets(Line Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Reject Packets(Line Chart)\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum_bucket\",\"params\":{\"customBucket\":{\"id\":\"1-bucket\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action: \\\"REJECT\\\"\"},\"label\":\"\"}]}},\"customMetric\":{\"id\":\"1-metric\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.packets\",\"customLabel\":\"Network packets\",\"emptyAsNull\":false}},\"customLabel\":\"Sum of network 
packets\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30s\",\"drop_partials\":true,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"},\"schema\":\"segment\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"bottom\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Sum of network packets\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Sum of network 
packets\"},\"type\":\"value\"}]}}"},"coreMigrationVersion":"8.4.3","id":"c3100a20-8234-11ea-8450-d1d13849d130","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:21:38.162Z","version":"WzU5ODYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"aws.vpcflow.action: ACCEPT\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Accept Src Packets(Pie)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Accept Src Packets(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"source.packets\",\"json\":\"\",\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"json\":\"\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"emptySizeRatio\":0.3}}"},"coreMigrationVersion":"8.4.3","id":"e3231530-823b-11ea-8450-d1d13849d130","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visual
ization","updated_at":"2022-10-12T10:22:41.275Z","version":"WzYwNDgsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"aws.vpcflow.action\",\"negate\":false,\"params\":{\"query\":\"ACCEPT\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpcflow.action\":\"ACCEPT\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Accept Src Packets(Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Accept Src Packets(Table)\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"source.packets\",\"customLabel\":\"Packets\",\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"customLabel\":\"Src 
IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true,\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"8.4.3","id":"41ffb5a0-823b-11ea-8dd2-6fda3f2e19c6","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:23:01.584Z","version":"WzYwNjIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"aws.vpcflow.action: REJECT\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Reject Src Packets(Pie)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Reject Src 
Packets(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"source.packets\",\"json\":\"\",\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"json\":\"\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"emptySizeRatio\":0.3}}"},"coreMigrationVersion":"8.4.3","id":"82c6bd20-823d-11ea-a1e6-856110366757","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:23:32.216Z","version":"WzYwODAsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"aws.vpcflow.action\",\"negate\":false,\"params\":{\"query\":\"REJECT\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpcflow.action\":\"REJECT\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Reject Src 
Packets(Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Reject Src Packets(Table)\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"source.packets\",\"customLabel\":\"Packets\",\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"customLabel\":\"Src IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true,\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"8.4.3","id":"435e9770-823d-11ea-8dd2-6fda3f2e19c6","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:23:55.033Z","version":"WzYxMzEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"aws.vpcflow.action : ACCEPT\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogsCustom - Accept Src Packets(Pie)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"VPCFlowLogsCustom - Accept Src 
Packets(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"source.packets\",\"json\":\"\",\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"json\":\"\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":2,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"emptySizeRatio\":0.3}}"},"coreMigrationVersion":"8.4.3","id":"74cc2c90-8174-11ec-b326-ed725936f8cf","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:42:30.298Z","version":"WzY3MTgsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogsCustom - Packets via traffic path(Pie)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"VPCFlowLogsCustom - 
Packets via traffic path(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 1\",\"language\":\"kuery\"},\"label\":\"another resource in the same VPC\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 2\",\"language\":\"kuery\"},\"label\":\"an internet gateway or a gateway VPC endpoint\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 3\",\"language\":\"kuery\"},\"label\":\"a virtual private gateway\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 4\",\"language\":\"kuery\"},\"label\":\"an intra-region VPC peering connection\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 5\",\"language\":\"kuery\"},\"label\":\"an inter-region VPC peering connection\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 6\",\"language\":\"kuery\"},\"label\":\"a local gateway\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 7\",\"language\":\"kuery\"},\"label\":\"a gateway VPC endpoint (Nitro-based instances only)\"},{\"input\":{\"query\":\"aws.vpcflow.traffic_path : 8\",\"language\":\"kuery\"},\"label\":\"an internet gateway (Nitro-based instances 
only)\"}]},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true,\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"nestedLegend\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"emptySizeRatio\":0.3}}"},"coreMigrationVersion":"8.4.3","id":"d29e72b0-60d6-11ec-8f03-4771d7b9c8b5","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T10:47:23.898Z","version":"WzY5MjEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"action\",\"negate\":false,\"params\":{\"query\":\"ACCEPT\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"action\":\"ACCEPT\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Accept Src Count(Geo)","uiStateJSON":"{\"mapZoom\":2,\"mapCenter\":[25.777633878392646,41.93485907317978]}","version":1,"visState":"{\"type\":\"region_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"source.packets\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to 
Red\",\"emsHotLink\":\"https://maps.elastic.co/v7.7?locale=en#file/world_countries\",\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"ISO 3166-1 alpha-2 Code\",\"name\":\"iso2\",\"type\":\"id\"},\"selectedLayer\":{\"attribution\":\"Made with NaturalEarth\",\"created_at\":\"2017-04-26T17:12:15.978370\",\"fields\":[{\"description\":\"ISO 3166-1 alpha-2 Code\",\"name\":\"iso2\",\"type\":\"id\"},{\"description\":\"ISO 3166-1 alpha-3 Code\",\"name\":\"iso3\",\"type\":\"id\"},{\"description\":\"Name\",\"name\":\"name\",\"type\":\"name\"}],\"format\":{\"type\":\"geojson\"},\"id\":\"world_countries\",\"isEMS\":true,\"layerId\":\"elastic_maps_service.World Countries\",\"name\":\"World Countries\",\"origin\":\"elastic_maps_service\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"Map data © OpenStreetMap contributors\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"VPCFlowLogs - Accept Src Count(Geo)\"}"},"coreMigrationVersion":"8.4.3","id":"77dae980-823e-11ea-a1e6-856110366757","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMyODEsMV0="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"action\",\"negate\":false,\"params\":{\"query\":\"REJECT\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"action\":\"REJECT\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"VPCFlowLogs - Reject Src Count(Geo)","uiStateJSON":"{\"mapCenter\":[25.777633878392646,41.93485907317978],\"mapZoom\":2}","version":1,"visState":"{\"type\":\"region_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"source.packets\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"emsHotLink\":\"https://maps.elastic.co/v7.7?locale=en#file/world_countries\",\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"ISO 3166-1 alpha-2 Code\",\"name\":\"iso2\",\"type\":\"id\"},\"selectedLayer\":{\"attribution\":\"Made with NaturalEarth\",\"created_at\":\"2017-04-26T17:12:15.978370\",\"fields\":[{\"description\":\"ISO 3166-1 alpha-2 Code\",\"name\":\"iso2\",\"type\":\"id\"},{\"description\":\"ISO 3166-1 alpha-3 Code\",\"name\":\"iso3\",\"type\":\"id\"},{\"description\":\"Name\",\"name\":\"name\",\"type\":\"name\"}],\"format\":{\"type\":\"geojson\"},\"id\":\"world_countries\",\"isEMS\":true,\"layerId\":\"elastic_maps_service.World Countries\",\"name\":\"World 
Countries\",\"origin\":\"elastic_maps_service\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"Map data © OpenStreetMap contributors\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"VPCFlowLogs - Reject Src Count(Geo)\"}"},"coreMigrationVersion":"8.4.3","id":"b7f8a390-823e-11ea-8450-d1d13849d130","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMyODIsMV0="} +{"attributes":{"allowNoIndex":true,"timeFieldName":"@timestamp","title":"logs-*"},"coreMigrationVersion":"8.4.3","id":"logs-*","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-10-12T08:29:38.085Z","version":"WzI1NjMsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"},"title":"VPCFlowLogs - Top 10 Chart Source IP","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"VPCFlowLogs - Top 10 Chart Source 
IP\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"string\"},\"params\":{},\"aggType\":\"date_range\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"legendSize\":\"auto\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"sch
ema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"8.4.3","id":"e530dac0-8073-11ea-9ba8-7fa25bc74a6f","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2022-10-12T08:36:45.271Z","version":"WzMyODMsMV0="} +{"attributes":{"columns":["source.ip","source.port","destination.ip","destination.port","aws.vpcflow.action","network.direction"],"description":"","grid":{},"hideChart":false,"hits":0,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"aws.vpcflow.log_status\",\"params\":{\"query\":\"OK\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"aws.vpcflow.log_status\":\"OK\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"search - VPCFlowLogs","version":1},"coreMigrationVersion":"8.4.3","id":"662bb3e0-6572-11ec-8f03-4771d7b9c8b5","migrationVersion":{"search":"8.0.0"},"references":[{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2022-10-12T10:39:31.890Z","version":"WzY2MTYsMV0="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"dfdef1a1-abcc-4d67-8cd5-603ac0f8aeb6\"},\"panelIndex\":\"dfdef1a1-abcc-4d67-8cd5-603ac0f8aeb6\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"# AWS VPCFlow Logs Summary\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":24,\"h\":7,\"i\":\"9ef783f5-af53-464f-8bf7-8fe79e574163\"},\"panelIndex\":\"9ef783f5-af53-464f-8bf7-8fe79e574163\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9ef783f5-af53-464f-8bf7-8fe79e574163\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":24,\"h\":7,\"i\":\"96bddd36-2236-463b-b159-db84432d32de\"},\"panelIndex\":\"96bddd36-2236-463b-b159-db84432d32de\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_96bddd36-2236-463b-b159-db84432d32de\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":8,\"i\":\"79257b0d-673f-4623-86ab-bf3e2cb151f8\"},\"panelIndex\":\"79257b0d-673f-4623-86ab-bf3e2cb151f8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_79257b0d-673f-4623-86ab-bf3e2cb151f8\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":11,\"w\":24,\"h\":8,\"i\":\"9ac58252-693d-4d1b-a9d0-5fd413fa6814\"},\"panelIndex\":\"9ac58252-693d-4d1b-a9d0-5fd413fa6814\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName
\":\"panel_9ac58252-693d-4d1b-a9d0-5fd413fa6814\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":12,\"h\":13,\"i\":\"bca8500a-2fc1-413e-baea-bc3f412302e6\"},\"panelIndex\":\"bca8500a-2fc1-413e-baea-bc3f412302e6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_bca8500a-2fc1-413e-baea-bc3f412302e6\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":12,\"y\":19,\"w\":12,\"h\":13,\"i\":\"915b89ba-5042-47ba-b109-c166aef741f6\"},\"panelIndex\":\"915b89ba-5042-47ba-b109-c166aef741f6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_915b89ba-5042-47ba-b109-c166aef741f6\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":12,\"h\":13,\"i\":\"9fbd1232-494c-4b0f-a78b-c5ef50504ce9\"},\"panelIndex\":\"9fbd1232-494c-4b0f-a78b-c5ef50504ce9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9fbd1232-494c-4b0f-a78b-c5ef50504ce9\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":19,\"w\":12,\"h\":13,\"i\":\"bc745ad9-6dbb-436e-8a4a-b01519a8a5b5\"},\"panelIndex\":\"bc745ad9-6dbb-436e-8a4a-b01519a8a5b5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_bc745ad9-6dbb-436e-8a4a-b01519a8a5b5\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":12,\"h\":16,\"i\":\"a9c84ab3-2ace-4215-a360-4563f3a653a8\"},\"panelIndex\":\"a9c84ab3-2ace-4215-a360-4563f3a653a8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a9c84ab3-2ace-4215-a360-4563f3a653a8\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":32,\"w\":12,\"h\":4,\"i\":\"1a830ccd-e734-4769-80a7-a59ac6213d80\"},\"panelIndex\":\"1a830ccd-e734-4769-80a7-a59ac6213d80\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a3
77\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 1\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Unauthorized API calls\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through another resource in the same 
VPC\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":32,\"w\":12,\"h\":4,\"i\":\"0be70c7f-f24c-46a8-93af-9ca19a2338c2\"},\"panelIndex\":\"0be70c7f-f24c-46a8-93af-9ca19a2338c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 4\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through an internet gateway or a gateway VPC 
endpoint\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through an intra-region VPC peering connection\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":16,\"i\":\"9d6e0eb4-22ae-4956-9705-9694423ce9eb\"},\"panelIndex\":\"9d6e0eb4-22ae-4956-9705-9694423ce9eb\",\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_9d6e0eb4-22ae-4956-9705-9694423ce9eb\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":36,\"w\":12,\"h\":4,\"i\":\"2bcf1ccb-985b-45c1-a5f3-aec89ac80573\"},\"panelIndex\":\"2bcf1ccb-985b-45c1-a5f3-aec89ac80573\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",
\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 3\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through an internet gateway or a gateway VPC endpoint\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through a virtual private gateway\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":36,\"w\":12,\"h\":4,\"i\":\"5c5fa8bd-26df-4384-86b4-3979c59219d7\"},\"panelIndex\":\"5c5fa8bd-26df-4384-86b4-3979c59219d7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#c
c5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 2\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through another resource in the same VPC\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through an internet gateway or a gateway VPC endpoint\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":40,\"w\":12,\"h\":4,\"i\":\"94d5cf1a-789e-4c65-a572-e53283c1a558\"},\"panelIndex\":\"94d5cf1a-789e-4c65-a572-e53283c1a558\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"r
angeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 5\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through an intra-region VPC peering connection\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through an inter-region VPC peering connection\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":40,\"w\":12,\"h\":4,\"i\":\"6a5a0cc8-585d-4ed6-a50c-865d60928fe8\"},\"panelIndex\":\"6a5a0cc8-585d-4ed6-a50c-865d60928fe8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"pa
rams\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 6\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through an inter-region VPC peering connection\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through a local 
gateway\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":44,\"w\":12,\"h\":4,\"i\":\"493beb97-fe99-4d03-ba8c-c7e938fb10da\"},\"panelIndex\":\"493beb97-fe99-4d03-ba8c-c7e938fb10da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 7\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through an inter-region VPC peering 
connection\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through a gateway VPC endpoint (Nitro-based instances only)\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":44,\"w\":12,\"h\":4,\"i\":\"58768ee4-5616-4bbd-821d-3e80c2f16373\"},\"panelIndex\":\"58768ee4-5616-4bbd-821d-3e80c2f16373\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27\"}],\"state\":{\"visualization\":{\"layerId\":\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":2}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"above\",\"maxSteps\":5}},\"metricAccessor\":\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"subtitle\":\"\"},\"query\":{\"query\":\"aws.vpcflow.traffic_path : 
8\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1701ef50-bdb1-40e6-964e-4659e2bb8d27\":{\"columns\":{\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\":{\"label\":\"Part of Traffic through a gateway VPC endpoint (Nitro-based instances only)\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\":{\"label\":\"Traffic through an internet gateway (Nitro-based instances only)\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"customLabel\":true}},\"columnOrder\":[\"70d72d5a-1e10-44fe-b29f-0d6c467c4075\",\"70d72d5a-1e10-44fe-b29f-0d6c467c4075X0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":15,\"i\":\"d1c3f6d6-bac5-4d31-af4e-0dbc85eec494\"},\"panelIndex\":\"d1c3f6d6-bac5-4d31-af4e-0dbc85eec494\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d1c3f6d6-bac5-4d31-af4e-0dbc85eec494\"},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":15,\"i\":\"3167fad5-70cc-44ab-bce1-53d0f30782af\"},\"panelIndex\":\"3167fad5-70cc-44ab-bce1-53d0f30782af\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3167fad5-70cc-44ab-bce1-53d0f30782af\"},{\"version\":\"8.4.3\",\"type\":\"map\",\"gridData\":{\"x\":0,\"y\":63,\"w\":24,\"h\":14,\"i\":\"2b988a75-75c0-48ab-8741-4d91b28c993f\"},\"panelIndex\":\"2b988a75-75c0-48ab-8741-4d91b28c993f\",\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"842c201e-96d7-413d-8688-de5ee4f8a1e0\\\",\\\"label\\\":null,\\\"maxZoom\
\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\",\\\"lightModeDefault\\\":\\\"road_map\\\"},\\\"style\\\":{},\\\"type\\\":\\\"EMS_VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"401944dd-a371-4698-be17-bc4542e9a5d4\\\",\\\"label\\\":\\\"vpc flow action accept\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"aws.vpcflow.action : \\\\\\\"ACCEPT\\\\\\\" \\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"97903038-e08d-4451-bbd2-eb92c894bdf5\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"@timestamp\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#1EA593\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":5},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#167a6d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"b1d44a5c-3a04-4c80-8080-57585b02fd48\\\",\\\"label\\\":\\\"vpc flow action reject\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"aws.vpcflow.action : \\\\\\\"REJECT\\\\\\\" 
\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"@timestamp\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternRefName\\\":\\\"layer_2_source_index_pattern\\\"},\\\"style\\\":{\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#f00f0b\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":5},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#7a1a18\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":0,\\\"lon\\\":-108.92402},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":0.47,\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false}}\",\"title\":\"VPC Flow Action Geo Location[Logs AWS]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":false,\\\"openTOCDetails\\\":[]}\"},\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":12.09237,\"lon\":60.11722,\"zoom\":0.47},\"openTOCDetails\":[],\"enhancements\":{},\"hiddenLayers\":[]},\"title\":\"VPC Flow Action Geo 
Location\"},{\"version\":\"8.4.3\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":63,\"w\":24,\"h\":14,\"i\":\"eeac7bb7-a74c-4e0a-8461-bd544956a423\"},\"panelIndex\":\"eeac7bb7-a74c-4e0a-8461-bd544956a423\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"99f81900-806f-11ea-945d-8d0868f4a377\",\"name\":\"indexpattern-datasource-layer-06b84efd-262b-42c9-8d40-db26dd96c80a\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"06b84efd-262b-42c9-8d40-db26dd96c80a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"type\":\"heatmap_legend\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":false},\"valueAccessor\":\"a9f413ff-fdc5-44ec-ac62-490a43129e8d\",\"xAccessor\":\"9ceaba12-daa4-4aad-90d7-c73b645943a3\",\"yAccessor\":\"5014607b-937c-42b3-a4f1-ff33501c2faf\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06b84efd-262b-42c9-8d40-db26dd96c80a\":{\"columns\":{\"5014607b-937c-42b3-a4f1-ff33501c2faf\":{\"label\":\"Top 3 values of 
aws.vpcflow.subnet_id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"aws.vpcflow.subnet_id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9f413ff-fdc5-44ec-ac62-490a43129e8d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"9ceaba12-daa4-4aad-90d7-c73b645943a3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"a9f413ff-fdc5-44ec-ac62-490a43129e8d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"5014607b-937c-42b3-a4f1-ff33501c2faf\",\"9ceaba12-daa4-4aad-90d7-c73b645943a3\",\"a9f413ff-fdc5-44ec-ac62-490a43129e8d\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"8.4.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":16,\"i\":\"512dc9bf-f031-474f-9afb-36c59e7f4743\"},\"panelIndex\":\"512dc9bf-f031-474f-9afb-36c59e7f4743\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_512dc9bf-f031-474f-9afb-36c59e7f4743\"},{\"version\":\"8.4.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":93,\"w\":48,\"h\":22,\"i\":\"dea77b59-a68d-49fd-8b62-949f7af9cdf9\"},\"panelIndex\":\"dea77b59-a68d-49fd-8b62-949f7af9cdf9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_dea77b59-a68d-49fd-8b62-949f7af9cdf9\"}]","timeRestore":false,"title":"VPCFlowLogs 
Summary","version":1},"coreMigrationVersion":"8.4.3","id":"9459bbf0-8071-11ea-945d-8d0868f4a377","migrationVersion":{"dashboard":"8.4.0"},"references":[{"id":"e64d06f0-8225-11ea-9ba8-7fa25bc74a6f","name":"9ef783f5-af53-464f-8bf7-8fe79e574163:panel_9ef783f5-af53-464f-8bf7-8fe79e574163","type":"visualization"},{"id":"8079b750-8226-11ea-945d-8d0868f4a377","name":"96bddd36-2236-463b-b159-db84432d32de:panel_96bddd36-2236-463b-b159-db84432d32de","type":"visualization"},{"id":"93a6db30-8228-11ea-9ba8-7fa25bc74a6f","name":"79257b0d-673f-4623-86ab-bf3e2cb151f8:panel_79257b0d-673f-4623-86ab-bf3e2cb151f8","type":"visualization"},{"id":"c3100a20-8234-11ea-8450-d1d13849d130","name":"9ac58252-693d-4d1b-a9d0-5fd413fa6814:panel_9ac58252-693d-4d1b-a9d0-5fd413fa6814","type":"visualization"},{"id":"e3231530-823b-11ea-8450-d1d13849d130","name":"bca8500a-2fc1-413e-baea-bc3f412302e6:panel_bca8500a-2fc1-413e-baea-bc3f412302e6","type":"visualization"},{"id":"41ffb5a0-823b-11ea-8dd2-6fda3f2e19c6","name":"915b89ba-5042-47ba-b109-c166aef741f6:panel_915b89ba-5042-47ba-b109-c166aef741f6","type":"visualization"},{"id":"82c6bd20-823d-11ea-a1e6-856110366757","name":"9fbd1232-494c-4b0f-a78b-c5ef50504ce9:panel_9fbd1232-494c-4b0f-a78b-c5ef50504ce9","type":"visualization"},{"id":"435e9770-823d-11ea-8dd2-6fda3f2e19c6","name":"bc745ad9-6dbb-436e-8a4a-b01519a8a5b5:panel_bc745ad9-6dbb-436e-8a4a-b01519a8a5b5","type":"visualization"},{"id":"74cc2c90-8174-11ec-b326-ed725936f8cf","name":"a9c84ab3-2ace-4215-a360-4563f3a653a8:panel_a9c84ab3-2ace-4215-a360-4563f3a653a8","type":"visualization"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"1a830ccd-e734-4769-80a7-a59ac6213d80:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"0be70c7f-f24c-46a8-93af-9ca19a2338c2:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"d29e72b0-60d6-11ec-8f03-4771d7b9c8b5","name":"9d6e0eb4-
22ae-4956-9705-9694423ce9eb:panel_9d6e0eb4-22ae-4956-9705-9694423ce9eb","type":"visualization"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"2bcf1ccb-985b-45c1-a5f3-aec89ac80573:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"5c5fa8bd-26df-4384-86b4-3979c59219d7:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"94d5cf1a-789e-4c65-a572-e53283c1a558:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"6a5a0cc8-585d-4ed6-a50c-865d60928fe8:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"493beb97-fe99-4d03-ba8c-c7e938fb10da:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"58768ee4-5616-4bbd-821d-3e80c2f16373:indexpattern-datasource-layer-1701ef50-bdb1-40e6-964e-4659e2bb8d27","type":"index-pattern"},{"id":"77dae980-823e-11ea-a1e6-856110366757","name":"d1c3f6d6-bac5-4d31-af4e-0dbc85eec494:panel_d1c3f6d6-bac5-4d31-af4e-0dbc85eec494","type":"visualization"},{"id":"b7f8a390-823e-11ea-8450-d1d13849d130","name":"3167fad5-70cc-44ab-bce1-53d0f30782af:panel_3167fad5-70cc-44ab-bce1-53d0f30782af","type":"visualization"},{"id":"logs-*","name":"2b988a75-75c0-48ab-8741-4d91b28c993f:layer_1_source_index_pattern","type":"index-pattern"},{"id":"logs-*","name":"2b988a75-75c0-48ab-8741-4d91b28c993f:layer_2_source_index_pattern","type":"index-pattern"},{"id":"99f81900-806f-11ea-945d-8d0868f4a377","name":"eeac7bb7-a74c-4e0a-8461-bd544956a423:indexpattern-datasource-layer-06b84efd-262b-42c9-8d40-db26dd96c80a","type":"index-pattern"},{"id":"e530dac0-8073-11ea-9ba8-7fa25bc74a6f","name":"512dc9bf-f031-474f-9afb-36c59e7f4
743:panel_512dc9bf-f031-474f-9afb-36c59e7f4743","type":"visualization"},{"id":"662bb3e0-6572-11ec-8f03-4771d7b9c8b5","name":"dea77b59-a68d-49fd-8b62-949f7af9cdf9:panel_dea77b59-a68d-49fd-8b62-949f7af9cdf9","type":"search"}],"type":"dashboard","updated_at":"2022-10-12T11:10:23.964Z","version":"WzgzNjcsMV0="}
+{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":17,"missingRefCount":0,"missingReferences":[]}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/json_templates/aws_cw_integration.json b/examples/multi-cloud-setup/AWS/json_templates/aws_cw_integration.json
new file mode 100644
index 000000000..b2f65b635
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/json_templates/aws_cw_integration.json
@@ -0,0 +1,1823 @@ +{ + "name": "aws-${name_suffix}", + "description": "Cloudwatch log group: $${log_group_name}", + "namespace": "default", + "policy_id": "${policy_id}", + "enabled": true, + "output_id": "", + "package": { + "name": "aws", + "title": "AWS", + "version": "1.23.4" + }, + "vars": { + "shared_credential_file": { + "type": "text" + }, + "credential_profile_name": { + "type": "text" + }, + "access_key_id": { + "type": "text", + "value": "${access_key}" + }, + "secret_access_key": { + "type": "text", + "value": "${access_secret}" + }, + "session_token": { + "type": "text" + }, + "role_arn": { + "type": "text" + }, + "endpoint": { + "value": "", + "type": "text" + }, + "proxy_url": { + "type": "text" + } + }, + "inputs": [ + { + "type": "aws-cloudwatch", + "policy_template": "cloudwatch", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudwatch_logs" + }, + "vars": { + "log_group_arn": { + "type": "text", + "value": "${log_group_arn}" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudwatch-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "data_stream.dataset": { + "value": "generic", + "type": "text" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "billing", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.billing" + }, + 
"vars": { + "period": { + "value": "12h", + "type": "text" + }, + "latency": { + "type": "text" + }, + "cost_explorer_config.group_by_dimension_keys": { + "value": [ + "AZ", + "INSTANCE_TYPE", + "SERVICE", + "LINKED_ACCOUNT" + ], + "type": "text" + }, + "cost_explorer_config.group_by_tag_keys": { + "value": [ + "aws:createdBy" + ], + "type": "text" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "cloudtrail", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudtrail" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudtrail" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "cloudtrail_regex": { + "value": "/CloudTrail/", + "type": "text" + }, + "cloudtrail_digest_regex": { + "value": "/CloudTrail-Digest/", + "type": "text" + }, + "cloudtrail_insight_regex": { + "value": "/CloudTrail-Insight/", + "type": "text" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "cloudtrail", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudtrail" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + 
"value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudtrail" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "httpjson", + "policy_template": "cloudtrail", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudtrail" + }, + "vars": { + "url": { + "value": "https://server.example.com:8089", + "type": "text" + }, + "username": { + "type": "text" + }, + "password": { + "type": "password" + }, + "token": { + "type": "password" + }, + "ssl": { + "value": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n", + "type": "yaml" + }, + "interval": { + "value": "10s", + "type": "text" + }, + "search": { + "value": "search 
sourcetype=aws:cloudtrail", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudtrail" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "cloudwatch", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudwatch_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudwatch-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "cloudwatch", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "aws.cloudwatch_metrics" + }, + "vars": { + "period": { + "value": "300s", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "metrics": { + "value": "- namespace: AWS/EC2\n resource_type: ec2:instance\n name:\n - CPUUtilization\n - DiskWriteOps\n statistic:\n - Average\n - Maximum\n # dimensions:\n # - name: InstanceId\n # value: i-123456\n # tags:\n # - key: created-by\n # value: foo\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "dynamodb", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.dynamodb" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - 
key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "ebs", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.ebs" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "ec2", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.ec2_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-ec2-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "ec2", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.ec2_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-ec2-logs" + ], + "type": 
"text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "ec2", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.ec2_metrics" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "ecs", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.ecs_metrics" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "elb", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.elb_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-elb-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "elb", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.elb_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": 
"text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-elb-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "elb", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.elb_metrics" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "lambda", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.lambda" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "natgateway", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.natgateway" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": 
"firewall", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.firewall_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-firewall-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "firewall", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.firewall_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-firewall-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "firewall", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.firewall_metrics" + }, + "vars": { + "period": { + "value": "60s", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "metrics": { + "value": "- namespace: 
AWS/NetworkFirewall\n name:\n - DroppedPackets\n - PassedPackets\n - ReceivedPackets\n - Packets\n statistic:\n - Sum\n # dimensions:\n # - name: FirewallName\n # value: SampleFirewall\n # tags:\n # - key: created-by\n # value: sample\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "rds", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.rds" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "s3", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.s3access" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-s3access" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "s3", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.s3_daily_storage" + }, + "vars": { + "period": { + "value": "24h", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.s3_request" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + 
} + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "s3_storage_lens", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.s3_storage_lens" + }, + "vars": { + "period": { + "value": "24h", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "sns", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.sns" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "sqs", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.sqs" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "transitgateway", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.transitgateway" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "usage", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.usage" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "vpcflow", + "enabled": 
false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.vpcflow" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-vpcflow" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "vpcflow", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.vpcflow" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-vpcflow" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "vpn", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.vpn" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + 
"type": "aws-s3", + "policy_template": "waf", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.waf" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-waf" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "waf", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.waf" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-waf" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "route53", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.route53_public_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "log_streams": { + "type": "text" + }, + "log_stream_prefix": { + 
"type": "text" + }, + "region_name": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "api_sleep": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-route53_public-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.route53_resolver_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "log_streams": { + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "api_sleep": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-route53_resolver-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + } + } + ] + }, + { + "type": "aws-s3", + "policy_template": "cloudfront", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudfront_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudfront" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + } + } + ] + }, + { + "type": 
"aws/metrics", + "policy_template": "redshift", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.redshift" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + } + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "kinesis", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.kinesis" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "httpjson", + "policy_template": "securityhub", + "enabled": false, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.securityhub_findings" + }, + "vars": { + "interval": { + "value": "1h", + "type": "text" + }, + "initial_interval": { + "value": "24h", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws_securityhub_findings" + ], + "type": "text" + }, + "aws_region": { + "type": "text" + }, + "proxy_url": { + "type": "text" + }, + "ssl": { + "value": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# 
CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n", + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "preserve_duplicate_custom_fields": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "aws.securityhub_insights" + }, + "vars": { + "interval": { + "value": "1m", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws_securityhub_insights" + ], + "type": "text" + }, + "aws_region": { + "type": "text" + }, + "proxy_url": { + "type": "text" + }, + "ssl": { + "value": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 
8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n", + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "preserve_duplicate_custom_fields": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + } + ] + } + ] + } \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/json_templates/aws_integration.json b/examples/multi-cloud-setup/AWS/json_templates/aws_integration.json new file mode 100644 index 000000000..5e2f4de1a --- /dev/null +++ b/examples/multi-cloud-setup/AWS/json_templates/aws_integration.json 
@@ -0,0 +1,1864 @@ +{ + "name": "aws", + "namespace": "default", + "description": "Terraformed AWS integration", + "package": { + "name": "aws", + "title": "AWS", + "version": "1.23.4" + }, + "enabled": true, + "policy_id": "${policy_id}", + "output_id": "", + "vars": { + "shared_credential_file": { + "type": "text" + }, + "credential_profile_name": { + "type": "text" + }, + "access_key_id": { + "type": "text", + "value": "${access_key}" + }, + "secret_access_key": { + "type": "text", + "value": "${access_secret}" + }, + "session_token": { + "type": "text" + }, + "role_arn": { + "type": "text" + }, + "endpoint": { + "value": "", + "type": "text" + }, + "proxy_url": { + "type": "text" + } + }, + "inputs": [ + { + "type": "aws/metrics", + "policy_template": "billing", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.billing" + }, + "vars": { + "period": { + "value": "12h", + "type": "text" + }, + "latency": { + "type": "text" + }, + "cost_explorer_config.group_by_dimension_keys": { + "value": [ + "AZ", + "INSTANCE_TYPE", + "SERVICE", + "LINKED_ACCOUNT" + ], + "type": "text" + }, + "cost_explorer_config.group_by_tag_keys": { + "value": [ + "aws:createdBy" + ], + "type": "text" + } + }, + "id": "aws/metrics-aws.billing-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "cloudtrail", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudtrail" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudtrail" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "cloudtrail_regex": { + "value": "/CloudTrail/", + "type": 
"text" + }, + "cloudtrail_digest_regex": { + "value": "/CloudTrail-Digest/", + "type": "text" + }, + "cloudtrail_insight_regex": { + "value": "/CloudTrail-Insight/", + "type": "text" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.cloudtrail-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "cloudtrail", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudtrail" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudtrail" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.cloudtrail-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "httpjson", + "policy_template": "cloudtrail", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudtrail" + }, + "vars": { + "url": { + "value": "https://server.example.com:8089", + "type": "text" + }, + "username": { + "type": "text" + }, + "password": { + "type": "password" + }, + "token": { + "type": "password" + }, + "ssl": { + "value": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# 
ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n", + "type": "yaml" + }, + "interval": { + "value": "10s", + "type": "text" + }, + "search": { + "value": "search sourcetype=aws:cloudtrail", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudtrail" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "httpjson-aws.cloudtrail-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "cloudwatch", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudwatch_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudwatch-logs" + ], + "type": 
"text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.cloudwatch_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "cloudwatch", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudwatch_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudwatch-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "data_stream.dataset": { + "value": "generic", + "type": "text" + } + }, + "id": "aws-cloudwatch-aws.cloudwatch_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "cloudwatch", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.cloudwatch_metrics" + }, + "vars": { + "period": { + "value": "300s", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "metrics": { + "value": "- namespace: AWS/EC2\n resource_type: ec2:instance\n name:\n - CPUUtilization\n - DiskWriteOps\n statistic:\n - Average\n - Maximum\n # dimensions:\n # - name: InstanceId\n # value: i-123456\n # tags:\n # - key: 
created-by\n # value: foo\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.cloudwatch_metrics-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "dynamodb", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.dynamodb" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.dynamodb-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "ebs", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.ebs" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.ebs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "ec2", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.ec2_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-ec2-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.ec2_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "ec2", + 
"enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.ec2_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-ec2-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.ec2_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "ec2", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.ec2_metrics" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.ec2_metrics-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "ecs", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.ecs_metrics" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": 
"aws/metrics-aws.ecs_metrics-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "elb", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.elb_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-elb-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.elb_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "elb", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.elb_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-elb-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.elb_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "elb", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": 
"aws.elb_metrics" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.elb_metrics-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "lambda", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.lambda" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.lambda-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "natgateway", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.natgateway" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.natgateway-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "firewall", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.firewall_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-firewall-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + 
}, + "id": "aws-s3-aws.firewall_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "firewall", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.firewall_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-firewall-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.firewall_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "firewall", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.firewall_metrics" + }, + "vars": { + "period": { + "value": "60s", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "metrics": { + "value": "- namespace: AWS/NetworkFirewall\n name:\n - DroppedPackets\n - PassedPackets\n - ReceivedPackets\n - Packets\n statistic:\n - Sum\n # dimensions:\n # - name: FirewallName\n # value: SampleFirewall\n # tags:\n # - key: created-by\n # value: sample\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.firewall_metrics-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "rds", + "enabled": true, + "streams": [ + { + "enabled": true, + 
"data_stream": { + "type": "metrics", + "dataset": "aws.rds" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.rds-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "s3", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.s3access" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-s3access" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.s3access-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "s3", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.s3_daily_storage" + }, + "vars": { + "period": { + "value": "24h", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.s3_daily_storage-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + }, + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.s3_request" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.s3_request-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "s3_storage_lens", + "enabled": 
true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.s3_storage_lens" + }, + "vars": { + "period": { + "value": "24h", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.s3_storage_lens-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "sns", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.sns" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.sns-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "sqs", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.sqs" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.sqs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "transitgateway", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.transitgateway" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.transitgateway-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "usage", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.usage" + }, + "vars": { + "period": { + "value": "1m", + 
"type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.usage-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "vpcflow", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.vpcflow" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-vpcflow" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.vpcflow-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "vpcflow", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.vpcflow" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-vpcflow" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.vpcflow-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": 
"vpn", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.vpn" + }, + "vars": { + "period": { + "value": "1m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.vpn-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "waf", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.waf" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-waf" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.waf-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "waf", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.waf" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "log_streams": { + "value": [], + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeput": { + "value": "120s", + "type": "text" + }, + "api_sleep": { + "value": "200ms", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-waf" + ], + "type": "text" + }, + 
"processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.waf-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-cloudwatch", + "policy_template": "route53", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.route53_public_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "log_streams": { + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "api_sleep": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-route53_public-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + "id": "aws-cloudwatch-aws.route53_public_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + }, + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.route53_resolver_logs" + }, + "vars": { + "log_group_arn": { + "type": "text" + }, + "log_group_name": { + "type": "text" + }, + "log_group_name_prefix": { + "type": "text" + }, + "log_streams": { + "type": "text" + }, + "log_stream_prefix": { + "type": "text" + }, + "region_name": { + "type": "text" + }, + "start_position": { + "value": "beginning", + "type": "text" + }, + "scan_frequency": { + "value": "1m", + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "api_sleep": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws-route53_resolver-logs" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + } + }, + 
"id": "aws-cloudwatch-aws.route53_resolver_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws-s3", + "policy_template": "cloudfront", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.cloudfront_logs" + }, + "vars": { + "visibility_timeout": { + "type": "text" + }, + "api_timeout": { + "type": "text" + }, + "queue_url": { + "type": "text" + }, + "fips_enabled": { + "value": false, + "type": "bool" + }, + "tags": { + "value": [ + "forwarded", + "aws-cloudfront" + ], + "type": "text" + }, + "processors": { + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "max_number_of_messages": { + "value": 5, + "type": "integer" + } + }, + "id": "aws-s3-aws.cloudfront_logs-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "redshift", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.redshift" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + } + }, + "id": "aws/metrics-aws.redshift-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "aws/metrics", + "policy_template": "kinesis", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "aws.kinesis" + }, + "vars": { + "period": { + "value": "5m", + "type": "text" + }, + "regions": { + "value": [], + "type": "text" + }, + "latency": { + "type": "text" + }, + "tags_filter": { + "value": "# - key: \"created-by\"\n # value: \"foo\"\n", + "type": "yaml" + } + }, + "id": "aws/metrics-aws.kinesis-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + }, + { + "type": "httpjson", + "policy_template": "securityhub", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": 
"aws.securityhub_findings" + }, + "vars": { + "interval": { + "value": "1h", + "type": "text" + }, + "initial_interval": { + "value": "24h", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws_securityhub_findings" + ], + "type": "text" + }, + "aws_region": { + "type": "text" + }, + "proxy_url": { + "type": "text" + }, + "ssl": { + "value": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n", + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "preserve_duplicate_custom_fields": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + }, + "id": "httpjson-aws.securityhub_findings-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + }, + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "aws.securityhub_insights" + }, + "vars": { + 
"interval": { + "value": "1m", + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "aws_securityhub_insights" + ], + "type": "text" + }, + "aws_region": { + "type": "text" + }, + "proxy_url": { + "type": "text" + }, + "ssl": { + "value": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n", + "type": "yaml" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "preserve_duplicate_custom_fields": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + }, + "id": "httpjson-aws.securityhub_insights-6ed9ee36-5623-4ddc-b5b9-96ef1a132c54" + } + ] + } + ] + } \ No newline at end of file 
diff --git a/examples/multi-cloud-setup/AWS/json_templates/aws_rule_activation.json b/examples/multi-cloud-setup/AWS/json_templates/aws_rule_activation.json
new file mode 100644
index 000000000..a59601ebb
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/json_templates/aws_rule_activation.json
@@ -0,0 +1 @@ +{"action":"enable","ids":["7e918d20-3fd7-11ed-bd21-4303f72b0875","7e913f00-3fd7-11ed-bd21-4303f72b0875","7e90f0e0-3fd7-11ed-bd21-4303f72b0875","7e907bb0-3fd7-11ed-bd21-4303f72b0875","7e90c9d0-3fd7-11ed-bd21-4303f72b0875","7e902d90-3fd7-11ed-bd21-4303f72b0875","7e9054a0-3fd7-11ed-bd21-4303f72b0875","7e900680-3fd7-11ed-bd21-4303f72b0875","7e8fb860-3fd7-11ed-bd21-4303f72b0875","7e8f9150-3fd7-11ed-bd21-4303f72b0875","7e8f1c20-3fd7-11ed-bd21-4303f72b0875","7e8ef510-3fd7-11ed-bd21-4303f72b0875","7e8e31c0-3fd7-11ed-bd21-4303f72b0875","7e8e0ab0-3fd7-11ed-bd21-4303f72b0875","7e8d6e70-3fd7-11ed-bd21-4303f72b0875","7e8d9580-3fd7-11ed-bd21-4303f72b0875","7e922960-3fd7-11ed-bd21-4303f72b0875","7e93b000-3fd7-11ed-bd21-4303f72b0875","7e942530-3fd7-11ed-bd21-4303f72b0875","7e93d710-3fd7-11ed-bd21-4303f72b0875","7e93fe20-3fd7-11ed-bd21-4303f72b0875","7e950f90-3fd7-11ed-bd21-4303f72b0875","7e9536a0-3fd7-11ed-bd21-4303f72b0875","7e955db0-3fd7-11ed-bd21-4303f72b0875","7e95d2e0-3fd7-11ed-bd21-4303f72b0875","7e97a7a0-3fd7-11ed-bd21-4303f72b0875","7df83350-3fd7-11ed-bd21-4303f72b0875","7df88170-3fd7-11ed-bd21-4303f72b0875","7df992e0-3fd7-11ed-bd21-4303f72b0875","7df80c40-3fd7-11ed-bd21-4303f72b0875","7dfaf270-3fd7-11ed-bd21-4303f72b0875","7dfbdcd0-3fd7-11ed-bd21-4303f72b0875","7e916610-3fd7-11ed-bd21-4303f72b0875","7e8f6a40-3fd7-11ed-bd21-4303f72b0875","7e8de3a0-3fd7-11ed-bd21-4303f72b0875","7e95abd0-3fd7-11ed-bd21-4303f72b0875","7e95f9f0-3fd7-11ed-bd21-4303f72b0875","7dfb8eb0-3fd7-11ed-bd21-4303f72b0875","844c12d0-3fd7-11ed-bd21-4303f72b0875","83719150-3fd7-11ed-bd21-4303f72b0875","83740250-3fd7-11ed-bd21-4303f72b0875","83742960-3fd7-11ed-bd21-4303f72b0875","8375d710-3fd7-11ed-bd21-4303f72b0875","83767350-3fd7-11ed-bd21-4303f72b0875","83af84b0-3fd7-11ed-bd21-4303f72b0875","82d97000-3fd7-11ed-bd21-4303f72b0875","82d921e0-3fd7-11ed-bd21-4303f72b0875","82d9be20-3fd7-11ed-bd21-4303f72b0875","82da3350-3fd7-11ed-bd21-4303f72b0875","82dccb60-3fd7-11ed-bd21-4303f72b0875","82dcf270
-3fd7-11ed-bd21-4303f72b0875","82dd1980-3fd7-11ed-bd21-4303f72b0875","82dd4090-3fd7-11ed-bd21-4303f72b0875","82db6bd0-3fd7-11ed-bd21-4303f72b0875","82dc7d40-3fd7-11ed-bd21-4303f72b0875","82dd8eb0-3fd7-11ed-bd21-4303f72b0875","82db44c0-3fd7-11ed-bd21-4303f72b0875","83749e90-3fd7-11ed-bd21-4303f72b0875","82da5a60-3fd7-11ed-bd21-4303f72b0875"]}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/json_templates/default-policy.json b/examples/multi-cloud-setup/AWS/json_templates/default-policy.json
new file mode 100644
index 000000000..bab414ae3
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/json_templates/default-policy.json
@@ -0,0 +1 @@
+{ "name": "${policy_name}", "description": "Terraformed policy", "namespace": "default", "monitoring_enabled": [ "logs", "metrics" ]}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/json_templates/es_api_key.json b/examples/multi-cloud-setup/AWS/json_templates/es_api_key.json
new file mode 100644
index 000000000..dccd71b19
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/json_templates/es_api_key.json
@@ -0,0 +1,3 @@
+{
+ "name": "${elastic-api-key-name}"
+}
diff --git a/examples/multi-cloud-setup/AWS/json_templates/k8s_agent.yaml b/examples/multi-cloud-setup/AWS/json_templates/k8s_agent.yaml
new file mode 100644
index 000000000..eefd2541d
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/json_templates/k8s_agent.yaml
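Review bot: The `ids` array in aws_rule_activation.json hard-codes saved-object ids that look like time-based v1 UUIDs (every entry carries the same `-3fd7-11ed-bd21-4303f72b0875` tail), and ids of that shape are presumably minted per Kibana instance when the prebuilt rules are installed, so on a fresh Elastic deployment the `enable` bulk action would most likely match nothing or fail outright. If the intent is to switch on the AWS prebuilt detection rules, selecting them by a portable attribute is more robust; the bulk-action endpoint appears to accept a `query` parameter, so something like `{"action":"enable","query":"alert.attributes.tags:\"AWS\""}` would replace the instance-specific list. Failing that, the README should say where these ids came from and how to regenerate them for a new deployment.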
@@ -0,0 +1,329 @@ +--- +# For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: elastic-agent + namespace: kube-system + labels: + app: elastic-agent +spec: + selector: + matchLabels: + app: elastic-agent + template: + metadata: + labels: + app: elastic-agent + spec: + # Tolerations are needed to run Elastic Agent on Kubernetes master nodes. + # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: elastic-agent + hostNetwork: true + # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. + # Sharing the host process ID namespace gives visibility of all processes running on the same host. + hostPID: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: k8smd + image: docker.elastic.co/endpoint/k8smd:8.4.0 + - name: endpoint-security + image: docker.elastic.co/endpoint/endpoint-security:8.4.0 + securityContext: + runAsUser: 0 + privileged: true + volumeMounts: + - name: boot + mountPath: /boot + - name: debug + mountPath: /sys/kernel/debug + - name: bpf + mountPath: /sys/fs/bpf + - name: etc-passwd + mountPath: /mnt/host/etc/passwd + readOnly: true + - name: etc-group + mountPath: /mnt/host/etc/group + readOnly: true + env: + - name: ELASTIC_ENDPOINT_K8S + value: "true" + - name: elastic-agent + image: docker.elastic.co/beats/elastic-agent:8.4.0 + env: + - name: ELASTIC_ENDPOINT_K8S + value: "true" + # Set to 1 for enrollment into Fleet server. 
If not set, Elastic Agent is run in standalone mode + - name: FLEET_ENROLL + value: "1" + # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS + - name: FLEET_INSECURE + value: "true" + # Fleet Server URL to enroll the Elastic Agent into + # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings + - name: FLEET_URL + value: "${fleet_url}" + # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) + # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed + - name: FLEET_ENROLLMENT_TOKEN + value: "${enrollment_token}" + - name: KIBANA_HOST + value: "" + # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet + - name: KIBANA_FLEET_USERNAME + value: "" # elastic + # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet + - name: KIBANA_FLEET_PASSWORD + value: "" # changeme + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + securityContext: + runAsUser: 0 + resources: + limits: + memory: 500Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: proc + mountPath: /hostfs/proc + readOnly: true + - name: etc-kubernetes + mountPath: /hostfs/etc/kubernetes + readOnly: true + - name: var-lib + mountPath: /hostfs/var/lib + readOnly: true + - name: cgroup + mountPath: /hostfs/sys/fs/cgroup + readOnly: true + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + - name: varlog + mountPath: /var/log + readOnly: true + - name: passwd + mountPath: /hostfs/etc/passwd + readOnly: true + - name: group + mountPath: /hostfs/etc/group + readOnly: true + - name: etcsysmd + mountPath: /hostfs/etc/systemd + readOnly: true + - name: etc-mid + 
mountPath: /etc/machine-id + readOnly: true + volumes: + - name: proc + hostPath: + path: /proc + - name: cgroup + hostPath: + path: /sys/fs/cgroup + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + - name: varlog + hostPath: + path: /var/log + # Needed for cloudbeat + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes + # Needed for cloudbeat + - name: var-lib + hostPath: + path: /var/lib + # Needed for cloudbeat + - name: passwd + hostPath: + path: /etc/passwd + # Needed for cloudbeat + - name: group + hostPath: + path: /etc/group + # Needed for cloudbeat + - name: etcsysmd + hostPath: + path: /etc/systemd + # Mount /etc/machine-id from the host to determine host ID + # Needed for Elastic Security integration + - name: etc-mid + hostPath: + path: /etc/machine-id + type: File + - name: etc-passwd + hostPath: + path: /etc/passwd + type: File + - name: etc-group + hostPath: + path: /etc/group + type: File + - name: boot + hostPath: + path: /boot + - name: debug + hostPath: + path: /sys/kernel/debug + - name: bpf + hostPath: + path: /sys/fs/bpf +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: elastic-agent +subjects: + - kind: ServiceAccount + name: elastic-agent + namespace: kube-system +roleRef: + kind: ClusterRole + name: elastic-agent + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + namespace: kube-system + name: elastic-agent +subjects: + - kind: ServiceAccount + name: elastic-agent + namespace: kube-system +roleRef: + kind: Role + name: elastic-agent + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: elastic-agent-kubeadm-config + namespace: kube-system +subjects: + - kind: ServiceAccount + name: elastic-agent + namespace: kube-system +roleRef: + kind: Role + name: elastic-agent-kubeadm-config + apiGroup: rbac.authorization.k8s.io +--- 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-agent + labels: + k8s-app: elastic-agent +rules: + - apiGroups: [""] + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + # Needed for cloudbeat + - serviceaccounts + - persistentvolumes + - persistentvolumeclaims + verbs: ["get", "list", "watch"] + # Enable this rule only if planing to use kubernetes_secrets provider + #- apiGroups: [""] + # resources: + # - secrets + # verbs: ["get"] + - apiGroups: ["extensions"] + resources: + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + - deployments + - replicasets + - daemonsets + verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - nodes/stats + verbs: + - get + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: [ "get", "list", "watch" ] + # Needed for apiserver + - nonResourceURLs: + - "/metrics" + verbs: + - get + # Needed for cloudbeat + - apiGroups: ["rbac.authorization.k8s.io"] + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: ["get", "list", "watch"] + # Needed for cloudbeat + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: elastic-agent + # Should be the namespace where elastic-agent is running + namespace: kube-system + labels: + k8s-app: elastic-agent +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["get", "create", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: elastic-agent-kubeadm-config + namespace: kube-system + labels: + k8s-app: elastic-agent +rules: + - apiGroups: [""] + resources: + - configmaps + resourceNames: + - kubeadm-config + verbs: ["get"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: elastic-agent + namespace: kube-system + labels: + 
k8s-app: elastic-agent +--- \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/json_templates/k8s_cspm_integration.json b/examples/multi-cloud-setup/AWS/json_templates/k8s_cspm_integration.json new file mode 100644 index 000000000..5e157d0ca --- /dev/null +++ b/examples/multi-cloud-setup/AWS/json_templates/k8s_cspm_integration.json @@ -0,0 +1,61 @@ +{ + "name": "cloud_security_posture", + "description": "Terraformed k8s integration", + "namespace": "default", + "policy_id": "${policy_id}", + "enabled": true, + "output_id": "", + "inputs": [ + { + "type": "cloudbeat/vanilla", + "policy_template": "kspm", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "logs", + "dataset": "cloud_security_posture.findings" + } + } + ] + }, + { + "type": "cloudbeat/eks", + "policy_template": "kspm", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "cloud_security_posture.findings" + }, + "vars": { + "access_key_id": { + "type": "text", + "value": "${access_key}" + }, + "secret_access_key": { + "type": "text", + "value": "${access_secret}" + }, + "session_token": { + "type": "text" + } + } + } + ] + } + ], + "package": { + "name": "cloud_security_posture", + "title": "Kubernetes Security Posture Management", + "version": "0.0.26" + }, + "vars": { + "dataYaml": { + "type": "yaml" + } + } + } \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/json_templates/k8s_endpoint_integration.json b/examples/multi-cloud-setup/AWS/json_templates/k8s_endpoint_integration.json new file mode 100644 index 000000000..00d35a098 --- /dev/null +++ b/examples/multi-cloud-setup/AWS/json_templates/k8s_endpoint_integration.json 
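Review bot: `FLEET_INSECURE: "true"` in the elastic-agent container turns off certificate verification for the Fleet connection, so the enrollment token and every policy the agent later pulls (including the AWS keys templated into the CSPM integration) go over a TLS session whose peer is never authenticated; against a Fleet URL that presents a trusted certificate this should be `value: "false"`, and a private CA can be supplied through the agent's `FLEET_CA` setting instead of disabling verification. `${enrollment_token}` is also rendered straight into the pod spec, where it is visible to anyone who can read the DaemonSet in kube-system and to anyone who can see the Terraform plan; sourcing it from a Secret keeps it out of both. The `# elastic` and `# changeme` hints beside `KIBANA_FLEET_USERNAME`/`KIBANA_FLEET_PASSWORD` should go, since those fields are intentionally empty in the token-based flow this template uses.
```yaml
        - name: FLEET_INSECURE
          value: "false"
        # ... unchanged: FLEET_URL ...
        - name: FLEET_ENROLLMENT_TOKEN
          valueFrom:
            secretKeyRef:
              name: elastic-agent-enrollment
              key: token
```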
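Review bot: The `cloudbeat/eks` stream takes `access_key_id` and `secret_access_key` as plain `"type": "text"` vars, so the `${access_key}`/`${access_secret}` values end up in the Fleet agent policy — readable by every agent enrolled in it and by anyone with Fleet read access — as well as in Terraform state, with no scoping or rotation of their own. These appear to be the same long-lived IAM user keys that drive the Terraform run, so a dedicated IAM principal limited to the read-only permissions cloudbeat needs would contain the blast radius if the policy leaks; on EKS an IAM role bound to the agent's service account would avoid static keys altogether, though that is beyond what this template wires up. At minimum the Terraform variables feeding these two placeholders should be declared `sensitive = true` so they are redacted from plan and apply output.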
@@ -0,0 +1,14 @@
+{
+ "name": "k8s-endpoint",
+ "description": "Terraformed k8s integration to protect your endpoints",
+ "namespace": "default",
+ "policy_id": "${policy_id}",
+ "enabled": true,
+ "output_id": "",
+ "inputs": [],
+ "package": {
+ "name": "endpoint",
+ "title": "Endpoint and Cloud Security",
+ "version": "8.4.1"
+ }
+ }
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/json_templates/k8s_integration.json b/examples/multi-cloud-setup/AWS/json_templates/k8s_integration.json
new file mode 100644
index 000000000..b15b542f7
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/json_templates/k8s_integration.json
@@ -0,0 +1,1036 @@ +{ + "name": "kubernetes", + "description": "Terraformed k8s integration", + "namespace": "default", + "policy_id": "${policy_id}", + "enabled": true, + "output_id": "", + "inputs": [ + { + "type": "kubernetes/metrics", + "policy_template": "kubelet", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.container" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://$${env.NODE_NAME}:10250" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "add_resource_metadata_config": { + "value": "# add_resource_metadata:\n# namespace:\n# include_labels: [\"namespacelabel1\"]\n# node:\n# include_labels: [\"nodelabel2\"]\n# include_annotations: [\"nodeannotation1\"]\n# deployment: false\n", + "type": "yaml" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.node" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://$${env.NODE_NAME}:10250" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.pod" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": 
"text" + }, + "hosts": { + "value": [ + "https://$${env.NODE_NAME}:10250" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + }, + "add_resource_metadata_config": { + "value": "# add_resource_metadata:\n# namespace:\n# include_labels: [\"namespacelabel1\"]\n# node:\n# include_labels: [\"nodelabel2\"]\n# include_annotations: [\"nodeannotation1\"]\n# deployment: false\n", + "type": "yaml" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.system" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://$${env.NODE_NAME}:10250" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.volume" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://$${env.NODE_NAME}:10250" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + } + ] + }, + { + "type": "kubernetes/metrics", + "policy_template": "kube-state-metrics", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_container" + }, + "vars": { + "add_metadata": { + 
"value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + }, + "add_resource_metadata_config": { + "value": "# add_resource_metadata:\n# namespace:\n# include_labels: [\"namespacelabel1\"]\n# node:\n# include_labels: [\"nodelabel2\"]\n# include_annotations: [\"nodeannotation1\"]\n# deployment: false\n", + "type": "yaml" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_cronjob" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_daemonset" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + 
"ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_deployment" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_job" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_node" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, 
+ { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_persistentvolume" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_persistentvolumeclaim" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_pod" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + }, + "add_resource_metadata_config": { + "value": "# 
add_resource_metadata:\n# namespace:\n# include_labels: [\"namespacelabel1\"]\n# node:\n# include_labels: [\"nodelabel2\"]\n# include_annotations: [\"nodeannotation1\"]\n# deployment: false\n", + "type": "yaml" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_replicaset" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_resourcequota" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_service" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + 
"value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_statefulset" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + }, + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.state_storageclass" + }, + "vars": { + "add_metadata": { + "value": true, + "type": "bool" + }, + "hosts": { + "value": [ + "kube-state-metrics:8080" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + "period": { + "value": "10s", + "type": "text" + }, + "node": { + "type": "text" + }, + "namespace": { + "type": "text" + }, + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [], + "type": "text" + } + } + } + ] + }, + { + "type": "kubernetes/metrics", + "policy_template": "kube-apiserver", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.apiserver" + }, + "vars": { + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://$${env.KUBERNETES_SERVICE_HOST}:$${env.KUBERNETES_SERVICE_PORT}" + ], + "type": "text" + }, + "leaderelection": { + "value": true, + "type": "bool" + }, + 
"period": { + "value": "30s", + "type": "text" + }, + "ssl.certificate_authorities": { + "value": [ + "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + ], + "type": "text" + } + } + } + ] + }, + { + "type": "kubernetes/metrics", + "policy_template": "kube-proxy", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.proxy" + }, + "vars": { + "hosts": { + "value": [ + "localhost:10249" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + } + } + } + ] + }, + { + "type": "kubernetes/metrics", + "policy_template": "kube-scheduler", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.scheduler" + }, + "vars": { + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://0.0.0.0:10259" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "scheduler_label_key": { + "value": "component", + "type": "text" + }, + "scheduler_label_value": { + "value": "kube-scheduler", + "type": "text" + } + } + } + ] + }, + { + "type": "kubernetes/metrics", + "policy_template": "kube-controller-manager", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.controllermanager" + }, + "vars": { + "bearer_token_file": { + "value": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "type": "text" + }, + "hosts": { + "value": [ + "https://0.0.0.0:10257" + ], + "type": "text" + }, + "period": { + "value": "10s", + "type": "text" + }, + "ssl.verification_mode": { + "value": "none", + "type": "text" + }, + "controller_manager_label_key": { + "value": "component", + "type": "text" + }, + "controller_manager_label_value": { + "value": "kube-controller-manager", + "type": 
"text" + } + } + } + ] + }, + { + "type": "kubernetes/metrics", + "policy_template": "events", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "kubernetes.event" + }, + "vars": { + "period": { + "value": "10s", + "type": "text" + }, + "add_metadata": { + "value": true, + "type": "bool" + }, + "skip_older": { + "value": true, + "type": "bool" + }, + "leaderelection": { + "value": true, + "type": "bool" + } + } + } + ] + }, + { + "type": "filestream", + "policy_template": "container-logs", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "kubernetes.container_logs" + }, + "vars": { + "paths": { + "value": [ + "/var/log/containers/*$${kubernetes.container.id}.log" + ], + "type": "text" + }, + "symlinks": { + "value": true, + "type": "bool" + }, + "containerParserStream": { + "value": "all", + "type": "text" + }, + "containerParserFormat": { + "value": "auto", + "type": "text" + }, + "additionalParsersConfig": { + "value": "# - ndjson:\n# target: json\n# ignore_decoding_error: true\n# - multiline:\n# type: pattern\n# pattern: '^\\['\n# negate: true\n# match: after\n", + "type": "yaml" + } + } + } + ] + }, + { + "type": "filestream", + "policy_template": "audit-logs", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "kubernetes.audit_logs" + }, + "vars": { + "paths": { + "value": [ + "/var/log/kubernetes/kube-apiserver-audit.log" + ], + "type": "text" + } + } + } + ] + } + ], + "package": { + "name": "kubernetes", + "title": "Kubernetes", + "version": "1.24.0" + } +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/terraform/ami_picker.tf b/examples/multi-cloud-setup/AWS/terraform/ami_picker.tf new file mode 100644 index 000000000..ebe39a5f2 --- /dev/null +++ b/examples/multi-cloud-setup/AWS/terraform/ami_picker.tf 
@@ -0,0 +1,27 @@
+locals {
+ map = {
+ af-south-1: "ami-022666956ad401a1"
+ ap-northeast-1: "ami-015f1a68ce825a8d2"
+ ap-northeast-2: "ami-0be9734c9e68b99f4"
+ ap-northeast-3: "ami-01cb3e73f8ef13fdc"
+ ap-south-1: "ami-00aaac1f2ef4ce965"
+ ap-southeast-1: "ami-0012ffabeb7413479"
+ ap-southeast-2: "ami-03ec1fe05b3849c74"
+ ca-central-1: "ami-04c56d394d31cdeac"
+ eu-central-1: "ami-0980c5102b5ef10cc"
+ me-south-1: "ami-03cc0b5db8321f2e5"
+ ap-east-1: "ami-0c7e5903bee96ef81"
+ eu-north-1: "ami-0663a4867a210287a"
+ eu-south-1: "ami-035e213233577516f"
+ eu-west-1: "ami-0213344887e47003a"
+ eu-west-2: "ami-0add0a5a0cf9afc6c"
+ eu-west-3: "ami-01019e7343a5f361d"
+ sa-east-1: "ami-0312c74c38dc7bae6"
+ us-east-1: "ami-0db6c6238a40c0681"
+ us-east-2: "ami-03b6c8bd55e00d5ed"
+ us-west-1: "ami-0f5868930cb63c89c"
+ us-west-2: "ami-038a0ccaaedae6406"
+ }
+
+ ami = lookup(local.map, var.aws_region)
+}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/terraform/cloud_formation.tf b/examples/multi-cloud-setup/AWS/terraform/cloud_formation.tf
new file mode 100644
index 000000000..afd516b41
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/terraform/cloud_formation.tf
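Review bot: The AMI IDs in `local.map` are opaque constants with no record of which image family or owner account they were taken from, so a reader cannot verify they are the intended vendor images rather than a community image published under a similar name — that is the classic AMI supply-chain trap. Either replace the static map with a `data "aws_ami"` lookup constrained by `owners` and a name filter, or at least add a header comment stating the image family, owner account and the date the IDs were captured so they can be re-validated. Separately, `lookup(local.map, var.aws_region)` has no default, so any region missing from the list fails with a generic lookup error at plan time; a `validation` block on `aws_region` or a third `lookup` argument with an explicit message would make that failure intentional and clear.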
@@ -0,0 +1,22 @@
+# resource "aws_cloudformation_stack" "elastic" {
+# name = "elastic-stack"
+# template_url = "https://mp-saas-integrations.s3.amazonaws.com/saas-elastic-cloud/main/templates/AgentInstallMain.yaml"
+# capabilities = ["CAPABILITY_NAMED_IAM"]
+# parameters = {
+# DeploymentName = var.elastic_aws_deployment_name
+# EC2HostName = "elastic-agent"
+# EC2InstanceType = "t2.micro"
+# GitBranchName = "main"
+# KeyPairName = "felix-putty"
+# PublicSubnet1ID = "subnet-00f145e4ab29d2d0c"
+# PublicSubnet2ID = "subnet-00f145e4ab29d2d0c"
+# QSS3BucketName = "mp-saas-integrations"
+# QSS3KeyPrefix = "saas-elastic-cloud/"
+# Region = "us-east-1"
+# RemoteAccessCIDR = "172.31.0.0/16"
+# RootVolumeSize = "10"
+# SecretName = "arn:aws:secretsmanager:us-east-1:644184947617:secret:ec_pme_dev_api_key-UCoLzg"
+# VPCID = "vpc-0a8d055883d1a19ac"
+# }
+
+# }
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/terraform/config.tftpl b/examples/multi-cloud-setup/AWS/terraform/config.tftpl
new file mode 100644
index 000000000..8e6c4d5c9
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/terraform/config.tftpl
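Review bot: This commented-out block commits what appear to be real, account-specific identifiers into a public example — a Secrets Manager ARN including an account number and the name of a dev API-key secret, VPC and subnet IDs, and a personal key pair name `felix-putty`. Even though the resource is disabled, these values describe the author's account layout and give anyone enumerating that account a concrete secret name to target. Delete the dead block, or keep it with every environment-specific value replaced by a `var.` reference or an obvious placeholder such as `<ACCOUNT_ID>` / `<VPC_ID>`, and add a one-line comment saying why it is kept if it is.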
@@ -0,0 +1,49 @@
+inputs:
+%{ for values in s3-sqs-objs ~}
+ - type: "s3-sqs"
+ id: "${values.arn}"
+ outputs:
+ - type: "elasticsearch"
+ args:
+ elasticsearch_url: "${elasticsearch_url}"
+ username: "${elasticsearch_user}"
+ password: "${elasticsearch_password}"
+ es_datastream_name: "${values.datastream}"
+ batch_max_actions: 500
+ batch_max_bytes: 10485760
+%{ endfor ~}
+ # - type: "sqs"
+ # id: "arn:aws:sqs:%REGION%:%ACCOUNT%:%QUEUENAME%"
+ # outputs:
+ # - type: "elasticsearch"
+ # args:
+ # elasticsearch_url: "${elasticsearch_url}"
+ # username: "${elasticsearch_user}"
+ # password: "${elasticsearch_password}"
+ # es_datastream_name: "logs-generic-default"
+ # batch_max_actions: 500
+ # batch_max_bytes: 10485760
+ # - type: "kinesis-data-stream"
+ # id: "arn:aws:kinesis:%REGION%:%ACCOUNT%:stream/%STREAMNAME%"
+ # outputs:
+ # - type: "elasticsearch"
+ # args:
+ # elasticsearch_url: "${elasticsearch_url}"
+ # username: "${elasticsearch_user}"
+ # password: "${elasticsearch_password}"
+ # es_datastream_name: "logs-generic-default"
+ # batch_max_actions: 500
+ # batch_max_bytes: 10485760
+%{ for arn in cw-logs-objs ~}
+ - type: "cloudwatch-logs"
+ id: "${arn}"
+ outputs:
+ - type: "elasticsearch"
+ args:
+ elasticsearch_url: "${elasticsearch_url}"
+ username: "${elasticsearch_user}"
+ password: "${elasticsearch_password}"
+ es_datastream_name: "logs-aws.cloudwatch_logs-esf"
+ batch_max_actions: 500
+ batch_max_bytes: 10485760
+%{ endfor ~}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/terraform/ec_deployment.tf b/examples/multi-cloud-setup/AWS/terraform/ec_deployment.tf
new file mode 100644
index 000000000..2723f60aa
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/terraform/ec_deployment.tf
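Review bot: Every rendered input writes `username`/`password` as literal values into `outputs.args`, and esf_formation.tf in this same change uploads the result to S3 as `sar_config.yaml` — so the Elasticsearch superuser password sits in clear text in a bucket object, in the forwarder's runtime config, and in Terraform state. The SAR stack's own parameters (`ElasticServerlessForwarderSSMSecrets`, `ElasticServerlessForwarderKMSKeys`) describe secret ARNs "referenced in the config YAML file", so the template should take a secret ARN for the credential rather than the literal password, and ideally an API key scoped to the target data streams instead of the `elastic` superuser. The commented `sqs` and `kinesis-data-stream` examples repeat the same literal-credential pattern and should follow suit so nobody copies it when enabling them.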
@@ -0,0 +1,141 @@ +# ------------------------------------------------------------- +# Deploy Elastic Cloud +# ------------------------------------------------------------- +data "ec_stack" "latest" { + version_regex = "latest" + region = var.elastic_region +} + +resource "ec_deployment" "elastic_deployment" { + name = var.elastic_deployment_name + region = var.elastic_region + version = var.elastic_version == "latest" ? data.ec_stack.latest.version : var.elastic_version + deployment_template_id = var.elastic_deployment_template_id + elasticsearch { + autoscale = "true" + + dynamic "remote_cluster" { + for_each = var.elastic_remotes + content { + deployment_id = remote_cluster.value["id"] + alias = remote_cluster.value["alias"] + } + } + } + kibana {} + integrations_server {} +} + +output "elastic_cluster_id_aws" { + value = ec_deployment.elastic_deployment.id +} + +output "elastic_cluster_alias_aws" { + value = ec_deployment.elastic_deployment.name +} + +output "elastic_endpoint_aws" { + value = ec_deployment.elastic_deployment.kibana[0].https_endpoint +} + +output "elastic_cloud_id_aws" { + value = ec_deployment.elastic_deployment.elasticsearch[0].cloud_id +} + +output "elastic_username_aws" { + value = ec_deployment.elastic_deployment.elasticsearch_username +} + +output "elastic_password" { + value = ec_deployment.elastic_deployment.elasticsearch_password + sensitive = true +} + + +# ------------------------------------------------------------- +# Load Policy +# ------------------------------------------------------------- + +data "external" "elastic_create_policy" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/default-policy.json", {"policy_name": "AWS"}) + } + program = ["sh", 
"${path.module}/../../lib/elastic_api/kb_create_agent_policy.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_add_integration" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/aws_integration.json", + { + "policy_id": data.external.elastic_create_policy.result.id, + "access_key": var.aws_access_key, + "access_secret": var.aws_secret_key, + } + ) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_add_integration_to_policy.sh" ] + depends_on = [data.external.elastic_create_policy] +} + +# ------------------------------------------------------------- +# Load Rules +# ------------------------------------------------------------- + +data "external" "elastic_load_rules" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_load_detection_rules.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_enable_rules" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/aws_rule_activation.json",{}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_enable_detection_rules.sh" ] + depends_on = [data.external.elastic_load_rules] +} + +# ------------------------------------------------------------- +# Create and Start 
transforms +# ------------------------------------------------------------- + +# ------------------------------------------------------------- +# Load Dashboards +# ------------------------------------------------------------- +data "external" "elastic_upload_saved_objects1" { + query = { + elastic_http_method = "POST" + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + so_file = "${path.module}/../dashboards/CloudTrail Summary.ndjson" + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_upload_saved_objects.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_upload_saved_objects2" { + query = { + elastic_http_method = "POST" + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + so_file = "${path.module}/../dashboards/VPCFlow Summary.ndjson" + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_upload_saved_objects.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/terraform/eks_agent_manifest.off b/examples/multi-cloud-setup/AWS/terraform/eks_agent_manifest.off new file mode 100644 index 000000000..df9d8fba4 --- /dev/null +++ b/examples/multi-cloud-setup/AWS/terraform/eks_agent_manifest.off 
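Review bot: Every `data "external"` block here passes `elasticsearch_password` through `query` (and `elastic_add_integration` adds `var.aws_secret_key`), and Terraform persists an external data source's query and result in state — so `sensitive = true` on the `elastic_password` output does not stop the superuser password and the AWS secret key from landing in `terraform.tfstate` in clear text. Declare `aws_access_key`/`aws_secret_key` as `sensitive = true` variables, keep state in an encrypted remote backend with restricted access, and prefer a scoped API key or a Fleet-only user over the `elastic` superuser for these Kibana calls. Also worth a comment: data sources are re-read on every plan/refresh, so each `kb_*.sh` script is re-run with these credentials whenever someone runs `terraform plan`; if the scripts are not idempotent that will create duplicate policies and saved objects, and a `null_resource`/`terraform_data` with explicit triggers would be the safer shape for what are really write operations.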
@@ -0,0 +1,32 @@
+# -------------------------------------------------------------
+# Add Elastic Agent + k8s integration to all existing EKS clusters
+# -------------------------------------------------------------
+
+data "aws_eks_cluster" "elastic" {
+ name = var.eks_cluster
+}
+
+data "aws_eks_cluster_auth" "elastic" {
+ name = var.eks_cluster
+}
+
+provider "kubectl" {
+ host = data.aws_eks_cluster.elastic.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.elastic.certificate_authority[0].data)
+ token = data.aws_eks_cluster_auth.elastic.token
+}
+
+resource "kubectl_manifest" "deploy_agent" {
+ yaml_body = templatefile("${path.module}/../json_templates/k8s_agent.yaml",
+ {
+ "fleet_url": ec_deployment.elastic_deployment.integrations_server[0].https_endpoint,
+ "enrollment_token": "xxx"
+ }
+ )
+ depends_on = [
+ ec_deployment.elastic_deployment,
+ data.external.elastic_add_endpoint_integration,
+ data.aws_eks_cluster.elastic,
+ data.aws_eks_cluster_auth.elastic
+ ]
+}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/AWS/terraform/eks_integration.tf b/examples/multi-cloud-setup/AWS/terraform/eks_integration.tf
new file mode 100644
index 000000000..c03bec1c0
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/terraform/eks_integration.tf
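Review bot: `enrollment_token` is hard-coded to the placeholder `"xxx"`, so if this file is ever renamed back to `.tf` the agent manifest will be applied with a token that cannot enroll, and the obvious "fix" is to paste a real Fleet token into source control. Source it from a `sensitive = true` variable, or from a Fleet API call made through a `data "external"` block in the style of the other files, and add a header comment explaining why the file is disabled (`.off`) and what is missing before it can be enabled. The `depends_on` entry `data.external.elastic_add_endpoint_integration` refers to a block defined in eks_integration.tf; a short comment naming that dependency would make the cross-file coupling visible.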
@@ -0,0 +1,69 @@ +# ------------------------------------------------------------- +# Load integration policy for Elastic Agent +# ------------------------------------------------------------- + +data "external" "elastic_create_k8s_policy" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/default-policy.json", {"policy_name": "k8s"}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_create_agent_policy.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_add_k8s_integration" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/k8s_integration.json", + { + "policy_id": data.external.elastic_create_k8s_policy.result.id + } + ) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_add_integration_to_policy.sh" ] + depends_on = [data.external.elastic_create_k8s_policy] +} + +data "external" "elastic_add_cspm_integration" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/k8s_cspm_integration.json", + { + "policy_id": data.external.elastic_create_k8s_policy.result.id, + "access_key": var.aws_access_key, + "access_secret": var.aws_secret_key, + } + ) + } + program = ["sh", 
"${path.module}/../../lib/elastic_api/kb_add_integration_to_policy.sh" ] + depends_on = [data.external.elastic_add_k8s_integration] +} + +data "external" "elastic_add_endpoint_integration" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/k8s_endpoint_integration.json", + { + "policy_id": data.external.elastic_create_k8s_policy.result.id, + } + ) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_add_integration_to_policy.sh" ] + depends_on = [data.external.elastic_add_cspm_integration] +} + +output "elastic_add_endpoint_integration_template" { + value = templatefile("${path.module}/../json_templates/k8s_endpoint_integration.json", + { + "policy_id": data.external.elastic_create_k8s_policy.result.id, + } + ) +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/terraform/elastic_agent.tf b/examples/multi-cloud-setup/AWS/terraform/elastic_agent.tf new file mode 100644 index 000000000..d0b45adb7 --- /dev/null +++ b/examples/multi-cloud-setup/AWS/terraform/elastic_agent.tf 
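Review bot: `elastic_add_cspm_integration` injects `var.aws_access_key`/`var.aws_secret_key` — the same long-lived user credentials Terraform deploys with — into an agent policy that Fleet then distributes to every agent enrolled in the `k8s` policy, i.e. to every EKS node running the DaemonSet. A posture-scanning integration should only need read/describe-level permissions, so this hands whatever the deployer's keys can do to any compromised node; create a dedicated read-only IAM principal for the integration (or on EKS an IAM role bound to the agent's service account) and pass only those credentials here. The trailing `output "elastic_add_endpoint_integration_template"` re-renders the endpoint template just to print it; it exposes nothing secret but reads like leftover debugging and could be dropped or commented as intentional.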
@@ -0,0 +1,91 @@ +# ------------------------------------------------------------- +# Create EC2 instance + Elastic Agent +# ------------------------------------------------------------- + +data "template_file" "install_agent" { + template = file("../../lib/scripts/agent_install.sh") + vars = { + elastic_version = var.elastic_version + elasticsearch_username = ec_deployment.elastic_deployment.elasticsearch_username + elasticsearch_password = ec_deployment.elastic_deployment.elasticsearch_password + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + integration_server_endpoint = ec_deployment.elastic_deployment.integrations_server[0].https_endpoint + policy_id = data.external.elastic_create_policy.result.id + } +} + +resource "aws_security_group" "elastic-agent" { + name = "elastic-agent" + description = "Allow traffic for elastic-agent" + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + ingress { + description = "SSH" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + ingress { + description = "ICMP" + from_port = -1 + to_port = -1 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + ingress { + description = "Other ports" + from_port = 8000 + to_port = 9500 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + ingress { + description = "Other ports" + from_port = 6780 + to_port = 6800 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + tags = { + Name = "elastic-agent" + } +} + +resource "aws_instance" "elastic-agent" { + ami = local.ami # us-west-2 + instance_type = "t2.micro" + associate_public_ip_address = true + security_groups = [ 
aws_security_group.elastic-agent.name ] + key_name = "felix-london" + + tags = { + Name = "elastic-agent" + } + + user_data = "${data.template_file.install_agent.rendered}" +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/terraform/esf_formation.tf b/examples/multi-cloud-setup/AWS/terraform/esf_formation.tf new file mode 100644 index 000000000..d08d30089 --- /dev/null +++ b/examples/multi-cloud-setup/AWS/terraform/esf_formation.tf 
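Review bot: The `elastic-agent` security group opens SSH (22), 443, all ICMP and the TCP ranges 8000–9500 and 6780–6800 to `0.0.0.0/0` and `::/0` on an instance that is also given a public IP — the first rule is even described as "TLS from VPC" while its CIDR is the whole internet. Nothing in this change shows the agent needing inbound traffic (it talks outbound to Kibana, Fleet and Elasticsearch, and the `egress` rule already allows everything), so drop the `ingress` blocks entirely or restrict them to the VPC CIDR / an operator address, and replace the hard-coded personal `key_name = "felix-london"` with a variable or omit it in favour of SSM Session Manager. Note also that `user_data` carries the rendered install script including `elasticsearch_password`; instance user data is readable from the metadata service by any process on the host and by anyone with `ec2:DescribeInstanceAttribute`, so a Fleet enrollment token or a secret fetched at boot would be safer than templating the superuser password in.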
@@ -0,0 +1,51 @@ +resource "aws_s3_object" "config_file" { + bucket = var.bucket_name + key = "sar_config.yaml" + content = templatefile("${path.module}/config.tftpl", + { + s3-sqs-objs = [ + {arn= aws_sqs_queue.vpc-events.arn, datastream = "logs-aws.vpcflow-esf"}, + {arn= aws_sqs_queue.cloudtrail-events.arn, datastream = "logs-aws.cloudtrail-esf"}, + {arn= aws_sqs_queue.s3-events.arn, datastream = "logs-aws.s3access-esf"}, + {arn= aws_sqs_queue.elb-events.arn, datastream = "logs-aws.elb-esf"} + ] + cw-logs-objs = data.aws_cloudwatch_log_groups.all.arns + elasticsearch_url = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elasticsearch_user = ec_deployment.elastic_deployment.elasticsearch_username + elasticsearch_password = ec_deployment.elastic_deployment.elasticsearch_password + } + ) +} + +data "aws_serverlessapplicationrepository_application" "esf_sar" { + application_id = "arn:aws:serverlessrepo:eu-central-1:267093732750:applications/elastic-serverless-forwarder" +} + +resource "aws_serverlessapplicationrepository_cloudformation_stack" "esf_cf_stack" { + name = "terraform-elastic-serverless-forwarder" + application_id = data.aws_serverlessapplicationrepository_application.esf_sar.application_id + semantic_version = data.aws_serverlessapplicationrepository_application.esf_sar.semantic_version + capabilities = data.aws_serverlessapplicationrepository_application.esf_sar.required_capabilities + +parameters = { + ElasticServerlessForwarderS3ConfigFile = "s3://${var.bucket_name}/sar_config.yaml" ## FILL WITH THE VALUE OF THE S3 URL IN THE FORMAT "s3://bucket-name/config-file-name" POINTING TO THE CONFIGURATION FILE FOR YOUR DEPLOYMENT OF THE ELASTIC SERVERLESS FORWARDER + + ElasticServerlessForwarderSSMSecrets = "" ## FILL WITH A COMMA DELIMITED LIST OF AWS SSM SECRETS ARNS REFERENCED IN THE CONFIG YAML FILE (IF ANY). 
+ + ElasticServerlessForwarderKMSKeys = "" ## FILL WITH A COMMA DELIMITED LIST OF AWS KMS KEYS ARNS TO BE USED FOR DECRYPTING AWS SSM SECRETS REFERENCED IN THE CONFIG YAML FILE (IF ANY). + + ElasticServerlessForwarderSQSEvents = "" ## FILL WITH A COMMA DELIMITED LIST OF DIRECT SQS QUEUES ARNS TO SET AS EVENT TRIGGERS FOR THE LAMBDA (IF ANY). + + ElasticServerlessForwarderS3SQSEvents = "${aws_sqs_queue.vpc-events.arn},${aws_sqs_queue.cloudtrail-events.arn},${aws_sqs_queue.s3-events.arn},${aws_sqs_queue.elb-events.arn}" ## FILL WITH A COMMA DELIMITED LIST OF S3 SQS EVENT NOTIFICATIONS ARNS TO SET AS EVENT TRIGGERS FOR THE LAMBDA (IF ANY). + + ElasticServerlessForwarderKinesisEvents = "" ## FILL WITH A COMMA DELIMITED LIST OF KINESIS DATA STREAM ARNS TO SET AS EVENT TRIGGERS FOR THE LAMBDA (IF ANY). + + ElasticServerlessForwarderCloudWatchLogsEvents = "${join(",",data.aws_cloudwatch_log_groups.all.arns)}" ## FILL WITH A COMMA DELIMITED LIST OF CLOUDWATCH LOGS LOG GROUPS ARNS TO SET SUBSCRIPTION FILTERS ON THE LAMBDA FOR (IF ANY). + + ElasticServerlessForwarderS3Buckets = "${aws_s3_bucket.elastic_bucket.arn}" ## FILL WITH A COMMA DELIMITED LIST OF S3 BUCKETS ARNS THAT ARE THE SOURCES OF THE S3 SQS EVENT NOTIFICATIONS (IF ANY). + } + + depends_on = [ + data.aws_cloudwatch_log_groups.all + ] +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/AWS/terraform/logs-cloudwatch.tf b/examples/multi-cloud-setup/AWS/terraform/logs-cloudwatch.tf new file mode 100644 index 000000000..bd132514d --- /dev/null +++ b/examples/multi-cloud-setup/AWS/terraform/logs-cloudwatch.tf 
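Review bot: `aws_s3_object.config_file` writes the rendered `sar_config.yaml` — which carries the Elasticsearch superuser username and password — into `var.bucket_name` (and `content` is persisted in Terraform state as well), while `ElasticServerlessForwarderSSMSecrets` and `ElasticServerlessForwarderKMSKeys` are left empty even though their own comments describe the mechanism for keeping credentials out of that file. Store the password (or better, a scoped API key) in the SSM/Secrets Manager store those parameters refer to, reference it from the config, and list the secret and KMS key ARNs in those two parameters; at minimum set `server_side_encryption` on the object and confirm the bucket blocks public access. It is also worth a comment that the config is written to `var.bucket_name` while `ElasticServerlessForwarderS3Buckets` points at `aws_s3_bucket.elastic_bucket.arn` — if these are meant to be the same bucket, referencing the resource in both places removes a way for them to drift apart.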
@@ -0,0 +1,37 @@
+# -------------------------------------------------------------
+# Get all Log Groups
+# -------------------------------------------------------------
+
+data "aws_cloudwatch_log_groups" "all" {}
+
+# -------------------------------------------------------------
+# Data Collection
+# -- For Cloudwatch we use Elastic Agent to collect data from each log group
+# -------------------------------------------------------------
+
+# data "external" "elastic_add_cw_integrations" {
+# for_each=data.aws_cloudwatch_log_groups.all.arns
+# query = {
+# kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint
+# elastic_username = ec_deployment.elastic_deployment.elasticsearch_username
+# elastic_password = ec_deployment.elastic_deployment.elasticsearch_password
+# elastic_json_body = templatefile("${path.module}/../json_templates/aws_cw_integration.json",
+# {
+# "name_suffix": each.key,
+# //"log_group_name": each.value.log_group_names,
+# "log_group_arn": each.value,
+# "policy_id": data.external.elastic_create_policy.result.id,
+# "access_key": var.aws_access_key,
+# "access_secret": var.aws_secret_key,
+# }
+# )
+# }
+# program = ["sh", "${path.module}/../../lib/elastic_api/kb_add_integration_to_policy.sh" ]
+# depends_on = [data.external.elastic_create_policy, data.aws_cloudwatch_log_groups.all]
+# }
+
+# -------------------------------------------------------------
+# Data Collection
+# -- using the serverless forwarder
+# -------------------------------------------------------------
+
diff --git a/examples/multi-cloud-setup/AWS/terraform/logs_cloudtrail.tf b/examples/multi-cloud-setup/AWS/terraform/logs_cloudtrail.tf
new file mode 100644
index 000000000..c18354d84
--- /dev/null
+++ b/examples/multi-cloud-setup/AWS/terraform/logs_cloudtrail.tf
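Review bot: The "Data Collection" header states that CloudWatch log groups are collected with Elastic Agent, but the block that would do so is entirely commented out and the section beneath it (like esf_formation.tf in this change) uses the serverless forwarder instead, so the comment now misleads the next reader. Reword it to something like `# -- CloudWatch log groups are collected by the Elastic Serverless Forwarder (see esf_formation.tf); the Agent-based variant below is disabled and kept for reference`, or delete the dead block outright. Also, `data "aws_cloudwatch_log_groups" "all" {}` with no `log_group_name_prefix` subscribes every log group in the account — including any that hold sensitive application or Lambda output — and every newly created group will surface as plan drift; an explicit prefix or list variable would make the scope deliberate.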
@@ -0,0 +1,51 @@ +data "aws_caller_identity" "current" {} + +resource "aws_cloudtrail" "management" { + name = "tf-trail-elastic" + s3_bucket_name = aws_s3_bucket.elastic_bucket.id + include_global_service_events = true + is_multi_region_trail = true + enable_logging = true + + event_selector { + read_write_type = "All" + include_management_events = true + + data_resource { + type = "AWS::Lambda::Function" + values = ["arn:aws:lambda"] + } + + data_resource { + type = "AWS::S3::Object" + values = ["arn:aws:s3"] + } + } + + depends_on = [aws_s3_bucket_policy.cloudtrail] +} + +# ------------------------------------------------------------- +# Event trigger +# ------------------------------------------------------------- + +resource "aws_sqs_queue" "cloudtrail-events" { + name = "s3-cloudtrail-event-notification-queue" + visibility_timeout_seconds = 900 + policy = <", + "google_cloud_service_account_path" : "/path/to/service/account/file" +} +``` + +List of other optional parameters that can be added to terraform.tfvars.json +| Parameter Name | Default value | Example | Description | +| ------------- | ------------- | ------------- | ------------- | +| elastic_version | latest | 8.4.1 | Used to define the Elastic Search version | +| elastic_region | gcp-europe-west3 | gcp-europe-west3 | Used to set the Elastic Cloud region for the Google Cloud deployment | +| elastic_deployment_name | Google Cloud Observe and Protect | Google Cloud Observe and Protect | Used to define the name for the Elastic deployment | +| google_cloud_region | europe-west3 | europe-west3 | Used to change the region where the Google Cloud objects getting installed | +| google_cloud_network | default | my-network | Used to change the network the Elastic Agent VM is installed in. (Network needs to be existent) | + + +#### Create Google Cloud service account following this steps. + +##### Create json for Google Cloud credentials. 
Follow the instractions here + +Use [Google Cloud Console](https://console.cloud.google.com/iam-admin/serviceaccounts) for the initial creation + + +##### Set permission for the Google Cloud service account +We are using this service also to connect the Elastic Agent to your Google Cloud Project. +Because of that you should also take care that your Service Account is following the Elastic Agent Integration docs. +Meaning the service account need to have the following roles as well as the roles for creating the terraformed services + +- Elastic Agent integration roles needed + - pubsub.subscriptions.consume + - pubsub.subscriptions.create + - pubsub.subscriptions.get + - pubsub.topics.attachSubscription + +- Terraform installation roles need + - resourcemanager.projectIamAdmin + - roles/compute.instanceAdmin.v1 (To create compute instances) + - roles/logging.admin (To create log sinks) + - pubsub.editor (This one usually includes the roles the Elastic Agent needs) + +Example roles assignment via `gcloud` + +```bash +gcloud projects add-iam-policy-binding "[PUT YOUR GOOGLE CLOUD PROJECT NAME HERE]" \ +--member=serviceAccount:[PUT YOUR SERVICE ACCOUNT MEMBER HERE] \ +--role=roles/[PUT THE ROLE NAME IN HERE] +``` + +Example + +```bash +gcloud projects add-iam-policy-binding "my-project-name" \ +--member=serviceAccount:terraform@elastic-product.iam.gserviceaccount.com \ +--role=roles/pubsub.editor +``` + +- Verify permissions +```bash +gcloud projects get-iam-policy "[PUT YOUR GOOGLE CLOUD PROJECT NAME HERE]" \ +--flatten="bindings[].members" \ +--format='table(bindings.role)' \ +--filter="bindings.members:[PUT YOUR SERVICE ACCOUNT MEMBER HERE]"`` + + + + diff --git a/examples/multi-cloud-setup/GoogleCloud/dashboards/google_cloud_dashboards.ndjson b/examples/multi-cloud-setup/GoogleCloud/dashboards/google_cloud_dashboards.ndjson new file mode 100644 index 000000000..8140292d4 --- /dev/null 
+++ b/examples/multi-cloud-setup/GoogleCloud/dashboards/google_cloud_dashboards.ndjson 
@@ -0,0 +1,24 @@ +{"attributes":{"fieldAttrs":"{\"event.dataset\":{\"count\":14},\"event.module\":{\"count\":13},\"gcp.labels.resource.location\":{\"count\":8},\"gcp.labels.resource.namespace_name\":{\"count\":6},\"cloud.service.name\":{\"count\":4},\"gcp.labels.metrics.method\":{\"count\":3},\"gcp.labels.metrics.topic_id\":{\"count\":1},\"gcp.labels.resource.job_name\":{\"count\":10},\"gcp.metrics.job.pubsub.read_count.value\":{\"count\":1},\"gcp.compute.instance.uptime_total.sec\":{\"count\":2},\"gcp.labels.resource.subscription_id\":{\"count\":5},\"gcp.labels.resource.topic_id\":{\"count\":3},\"metricset.name\":{\"count\":5},\"_index\":{\"count\":1},\"host.hostname\":{\"count\":1},\"gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value\":{\"count\":2},\"gcp.pubsub.topic.oldest_unacked_message_age_by_region.value\":{\"count\":1},\"gcp.pubsub.topic.retained_acked_bytes_by_region.bytes\":{\"count\":2},\"gcp.pubsub.topic.send_request.count\":{\"count\":1},\"gcp.pubsub.topic.unacked_bytes_by_region.bytes\":{\"count\":2},\"gcp.metrics.log_entry_count.value\":{\"count\":1},\"gcp.labels.resource.destination\":{\"count\":1},\"gcp.labels.resource.name\":{\"count\":1},\"gcp.metrics.exports.byte_count.value\":{\"count\":1},\"gcp.metrics.exports.log_entry_count.value\":{\"count\":1},\"gcp.labels.metrics.response_code\":{\"count\":1},\"gcp.labels.resource.bucket_name\":{\"count\":1},\"gcp.pubsub.subscription.num_undelivered_messages.value\":{\"count\":1},\"gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value\":{\"count\":1},\"gcp.pubsub.subscription.sent_message.count\":{\"count\":1},\"gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count\":{\"count\":1},\"gcp.labels.user.dataflow_job_name\":{\"count\":1},\"gcp.pubsub.subscription.backlog.bytes\":{\"count\":1},\"gcp.pubsub.topic.byte_cost.bytes\":{\"count\":1},\"gcp.storage.storage.total.bytes\":{\"count\":2},\"gcp.storage.api.request.count\":{\"count\":1},\"gcp.storage.netw
ork.received.bytes\":{\"count\":1},\"gcp.storage.network.sent.bytes\":{\"count\":1},\"gcp.storage.storage.total_byte_seconds.bytes\":{\"count\":1},\"resource.labels.bucket_name\":{\"count\":1}}","fieldFormatMap":"{\"activemq.broker.memory.broker.pct\":{\"id\":\"percent\"},\"activemq.broker.memory.store.pct\":{\"id\":\"percent\"},\"activemq.broker.memory.temp.pct\":{\"id\":\"percent\"},\"activemq.queue.memory.broker.pct\":{\"id\":\"percent\"},\"activemq.topic.memory.broker.pct\":{\"id\":\"percent\"},\"aerospike.namespace.device.available.pct\":{\"id\":\"percent\"},\"aerospike.namespace.device.free.pct\":{\"id\":\"percent\"},\"aerospike.namespace.device.total.bytes\":{\"id\":\"bytes\"},\"aerospike.namespace.device.used.bytes\":{\"id\":\"bytes\"},\"aerospike.namespace.memory.free.pct\":{\"id\":\"percent\"},\"aerospike.namespace.memory.used.data.bytes\":{\"id\":\"bytes\"},\"aerospike.namespace.memory.used.index.bytes\":{\"id\":\"bytes\"},\"aerospike.namespace.memory.used.sindex.bytes\":{\"id\":\"bytes\"},\"aerospike.namespace.memory.used.total.bytes\":{\"id\":\"bytes\"},\"aws.ec2.diskio.read.bytes\":{\"id\":\"bytes\"},\"aws.ec2.diskio.write.bytes\":{\"id\":\"bytes\"},\"aws.ec2.network.in.bytes\":{\"id\":\"bytes\"},\"aws.ec2.network.out.bytes\":{\"id\":\"bytes\"},\"aws.rds.burst_balance.pct\":{\"id\":\"percent\"},\"aws.rds.cpu.total.pct\":{\"id\":\"percent\"},\"aws.rds.disk_usage.bin_log.bytes\":{\"id\":\"bytes\"},\"aws.rds.free_local_storage.bytes\":{\"id\":\"bytes\"},\"aws.rds.free_storage.bytes\":{\"id\":\"bytes\"},\"aws.rds.freeable_memory.bytes\":{\"id\":\"bytes\"},\"aws.rds.latency.commit\":{\"id\":\"duration\"},\"aws.rds.latency.ddl\":{\"id\":\"duration\"},\"aws.rds.latency.delete\":{\"id\":\"duration\"},\"aws.rds.latency.dml\":{\"id\":\"duration\"},\"aws.rds.latency.insert\":{\"id\":\"duration\"},\"aws.rds.latency.read\":{\"id\":\"duration\"},\"aws.rds.latency.select\":{\"id\":\"duration\"},\"aws.rds.latency.update\":{\"id\":\"duration\"},\"aws.rds.latency.write\
":{\"id\":\"duration\"},\"aws.rds.replica_lag.sec\":{\"id\":\"duration\"},\"aws.rds.swap_usage.bytes\":{\"id\":\"bytes\"},\"aws.rds.volume.read.iops\":{\"id\":\"bytes\"},\"aws.rds.volume.write.iops\":{\"id\":\"bytes\"},\"aws.rds.volume_used.bytes\":{\"id\":\"bytes\"},\"aws.s3_daily_storage.bucket.size.bytes\":{\"id\":\"bytes\"},\"aws.s3_request.downloaded.bytes\":{\"id\":\"bytes\"},\"aws.s3_request.latency.first_byte.ms\":{\"id\":\"duration\"},\"aws.s3_request.latency.total_request.ms\":{\"id\":\"duration\"},\"aws.s3_request.requests.select_returned.bytes\":{\"id\":\"bytes\"},\"aws.s3_request.requests.select_scanned.bytes\":{\"id\":\"bytes\"},\"aws.s3_request.uploaded.bytes\":{\"id\":\"bytes\"},\"aws.sqs.oldest_message_age.sec\":{\"id\":\"duration\"},\"aws.sqs.sent_message_size.bytes\":{\"id\":\"bytes\"},\"ceph.cluster_disk.available.bytes\":{\"id\":\"bytes\"},\"ceph.cluster_disk.total.bytes\":{\"id\":\"bytes\"},\"ceph.cluster_disk.used.bytes\":{\"id\":\"bytes\"},\"ceph.cluster_status.degraded.ratio\":{\"id\":\"percent\"},\"ceph.cluster_status.misplace.ratio\":{\"id\":\"percent\"},\"ceph.cluster_status.pg.avail_bytes\":{\"id\":\"bytes\"},\"ceph.cluster_status.pg.data_bytes\":{\"id\":\"bytes\"},\"ceph.cluster_status.pg.total_bytes\":{\"id\":\"bytes\"},\"ceph.cluster_status.pg.used_bytes\":{\"id\":\"bytes\"},\"ceph.cluster_status.traffic.read_bytes\":{\"id\":\"bytes\"},\"ceph.cluster_status.traffic.write_bytes\":{\"id\":\"bytes\"},\"ceph.monitor_health.store_stats.log.bytes\":{\"id\":\"bytes\"},\"ceph.monitor_health.store_stats.misc.bytes\":{\"id\":\"bytes\"},\"ceph.monitor_health.store_stats.sst.bytes\":{\"id\":\"bytes\"},\"ceph.monitor_health.store_stats.total.bytes\":{\"id\":\"bytes\"},\"ceph.osd_df.available.bytes\":{\"id\":\"bytes\"},\"ceph.osd_df.total.byte\":{\"id\":\"bytes\"},\"ceph.osd_df.used.byte\":{\"id\":\"bytes\"},\"ceph.osd_df.used.pct\":{\"id\":\"percent\"},\"ceph.pool_disk.stats.available.bytes\":{\"id\":\"bytes\"},\"ceph.pool_disk.stats.used.bytes\":
{\"id\":\"bytes\"},\"client.bytes\":{\"id\":\"bytes\"},\"client.nat.port\":{\"id\":\"string\"},\"client.port\":{\"id\":\"string\"},\"coredns.stats.dns.request.duration.ns.sum\":{\"id\":\"duration\"},\"couchbase.bucket.data.used.bytes\":{\"id\":\"bytes\"},\"couchbase.bucket.disk.used.bytes\":{\"id\":\"bytes\"},\"couchbase.bucket.memory.used.bytes\":{\"id\":\"bytes\"},\"couchbase.bucket.quota.ram.bytes\":{\"id\":\"bytes\"},\"couchbase.bucket.quota.use.pct\":{\"id\":\"percent\"},\"couchbase.cluster.hdd.free.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.hdd.quota.total.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.hdd.total.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.hdd.used.by_data.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.hdd.used.value.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.quota.total.per_node.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.quota.total.value.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.quota.used.per_node.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.quota.used.value.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.total.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.used.by_data.bytes\":{\"id\":\"bytes\"},\"couchbase.cluster.ram.used.value.bytes\":{\"id\":\"bytes\"},\"couchbase.node.couch.docs.data_size.bytes\":{\"id\":\"bytes\"},\"couchbase.node.couch.docs.disk_size.bytes\":{\"id\":\"bytes\"},\"couchbase.node.mcd_memory.allocated.bytes\":{\"id\":\"bytes\"},\"destination.bytes\":{\"id\":\"bytes\"},\"destination.nat.port\":{\"id\":\"string\"},\"destination.port\":{\"id\":\"string\"},\"docker.cpu.core.*.norm.pct\":{\"id\":\"percent\"},\"docker.cpu.core.*.pct\":{\"id\":\"percent\"},\"docker.cpu.kernel.norm.pct\":{\"id\":\"percent\"},\"docker.cpu.kernel.pct\":{\"id\":\"percent\"},\"docker.cpu.system.norm.pct\":{\"id\":\"percent\"},\"docker.cpu.system.pct\":{\"id\":\"percent\"},\"docker.cpu.total.norm.pct\":{\"id\":\"percent\"},\"docker.cpu.total.pct\":{\"id\":\"percent\"},\"docker.cpu.user.norm.pct\":{\"id\":\
"percent\"},\"docker.cpu.user.pct\":{\"id\":\"percent\"},\"docker.diskio.read.bytes\":{\"id\":\"bytes\"},\"docker.diskio.summary.bytes\":{\"id\":\"bytes\"},\"docker.diskio.write.bytes\":{\"id\":\"bytes\"},\"docker.memory.commit.peak\":{\"id\":\"bytes\"},\"docker.memory.commit.total\":{\"id\":\"bytes\"},\"docker.memory.limit\":{\"id\":\"bytes\"},\"docker.memory.private_working_set.total\":{\"id\":\"bytes\"},\"docker.memory.rss.pct\":{\"id\":\"percent\"},\"docker.memory.rss.total\":{\"id\":\"bytes\"},\"docker.memory.usage.max\":{\"id\":\"bytes\"},\"docker.memory.usage.pct\":{\"id\":\"percent\"},\"docker.memory.usage.total\":{\"id\":\"bytes\"},\"docker.network.in.bytes\":{\"id\":\"bytes\"},\"docker.network.inbound.bytes\":{\"id\":\"bytes\"},\"docker.network.out.bytes\":{\"id\":\"bytes\"},\"docker.network.outbound.bytes\":{\"id\":\"bytes\"},\"elasticsearch.index.summary.primaries.segments.memory.bytes\":{\"id\":\"bytes\"},\"elasticsearch.index.summary.primaries.store.size.bytes\":{\"id\":\"bytes\"},\"elasticsearch.index.summary.total.segments.memory.bytes\":{\"id\":\"bytes\"},\"elasticsearch.index.summary.total.store.size.bytes\":{\"id\":\"bytes\"},\"elasticsearch.index.total.segments.memory.bytes\":{\"id\":\"bytes\"},\"elasticsearch.index.total.store.size.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.jvm.memory.heap.init.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.jvm.memory.heap.max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.jvm.memory.nonheap.init.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.jvm.memory.nonheap.max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.fs.summary.available.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.fs.summary.free.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.fs.summary.total.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.indices.segments.memory.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.old.max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.old.peak.
bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.old.peak_max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.old.used.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.survivor.max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.survivor.peak.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.survivor.peak_max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.survivor.used.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.young.max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.young.peak.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.young.peak_max.bytes\":{\"id\":\"bytes\"},\"elasticsearch.node.stats.jvm.mem.pools.young.used.bytes\":{\"id\":\"bytes\"},\"elf.header.entrypoint\":{\"id\":\"string\"},\"elf.sections.chi2\":{\"id\":\"number\"},\"elf.sections.entropy\":{\"id\":\"number\"},\"elf.sections.physical_size\":{\"id\":\"bytes\"},\"elf.sections.virtual_address\":{\"id\":\"string\"},\"elf.sections.virtual_size\":{\"id\":\"string\"},\"enterprisesearch.health.jvm.memory_usage.heap_committed.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.health.jvm.memory_usage.heap_init.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.health.jvm.memory_usage.heap_max.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.health.jvm.memory_usage.heap_used.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.health.jvm.memory_usage.non_heap_committed.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.health.jvm.memory_usage.non_heap_init.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.stats.http.network.received.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.stats.http.network.received.bytes_per_sec\":{\"id\":\"bytes\"},\"enterprisesearch.stats.http.network.sent.bytes\":{\"id\":\"bytes\"},\"enterprisesearch.stats.http.network.sent.bytes_per_sec\":{\"id\":\"bytes\"},\"etcd.disk.mvcc_db_total_size.bytes\":{\"id\":\"bytes\"},\"etcd.memory.go_mem
stats_alloc.bytes\":{\"id\":\"bytes\"},\"etcd.network.client_grpc_received.bytes\":{\"id\":\"bytes\"},\"etcd.network.client_grpc_sent.bytes\":{\"id\":\"bytes\"},\"event.duration\":{\"id\":\"duration\",\"params\":{\"inputFormat\":\"nanoseconds\",\"outputFormat\":\"asMilliseconds\",\"outputPrecision\":1}},\"event.sequence\":{\"id\":\"string\"},\"event.severity\":{\"id\":\"string\"},\"file.elf.header.entrypoint\":{\"id\":\"string\"},\"file.elf.sections.chi2\":{\"id\":\"number\"},\"file.elf.sections.entropy\":{\"id\":\"number\"},\"file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"file.elf.sections.virtual_address\":{\"id\":\"string\"},\"file.elf.sections.virtual_size\":{\"id\":\"string\"},\"golang.heap.allocations.active\":{\"id\":\"bytes\"},\"golang.heap.allocations.allocated\":{\"id\":\"bytes\"},\"golang.heap.allocations.idle\":{\"id\":\"bytes\"},\"golang.heap.allocations.total\":{\"id\":\"bytes\"},\"golang.heap.gc.next_gc_limit\":{\"id\":\"bytes\"},\"golang.heap.system.obtained\":{\"id\":\"bytes\"},\"golang.heap.system.released\":{\"id\":\"bytes\"},\"golang.heap.system.stack\":{\"id\":\"bytes\"},\"golang.heap.system.total\":{\"id\":\"bytes\"},\"haproxy.info.idle.pct\":{\"id\":\"percent\"},\"haproxy.info.memory.max.bytes\":{\"id\":\"bytes\"},\"haproxy.info.ssl.frontend.session_reuse.pct\":{\"id\":\"percent\"},\"haproxy.stat.compressor.bypassed.bytes\":{\"id\":\"bytes\"},\"haproxy.stat.compressor.in.bytes\":{\"id\":\"bytes\"},\"haproxy.stat.compressor.out.bytes\":{\"id\":\"bytes\"},\"haproxy.stat.compressor.response.bytes\":{\"id\":\"bytes\"},\"haproxy.stat.in.bytes\":{\"id\":\"bytes\"},\"haproxy.stat.out.bytes\":{\"id\":\"bytes\"},\"haproxy.stat.throttle.pct\":{\"id\":\"percent\"},\"http.request.body.bytes\":{\"id\":\"bytes\"},\"http.request.bytes\":{\"id\":\"bytes\"},\"http.response.body.bytes\":{\"id\":\"bytes\"},\"http.response.bytes\":{\"id\":\"bytes\"},\"http.response.status_code\":{\"id\":\"string\"},\"istio.citadel.grpc.server.handling.latency.ms.sum\":{\"
id\":\"duration\"},\"istio.galley.runtime.processor.event_span.duration.ms.sum\":{\"id\":\"duration\"},\"istio.galley.runtime.processor.snapshot_lifetime.duration.ms.sum\":{\"id\":\"duration\"},\"istio.mesh.request.duration.ms.sum\":{\"id\":\"duration\"},\"kibana.stats.process.memory.heap.size_limit.bytes\":{\"id\":\"bytes\"},\"kibana.stats.process.memory.heap.total.bytes\":{\"id\":\"bytes\"},\"kibana.stats.process.memory.heap.used.bytes\":{\"id\":\"bytes\"},\"kubernetes.apiserver.http.request.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.apiserver.http.response.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.apiserver.process.memory.resident.bytes\":{\"id\":\"bytes\"},\"kubernetes.apiserver.process.memory.virtual.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.cpu.usage.limit.pct\":{\"id\":\"percent\"},\"kubernetes.container.cpu.usage.node.pct\":{\"id\":\"percent\"},\"kubernetes.container.logs.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.logs.capacity.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.logs.used.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.memory.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.memory.limit.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.memory.request.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.memory.rss.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.memory.usage.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.memory.usage.limit.pct\":{\"id\":\"percent\"},\"kubernetes.container.memory.usage.node.pct\":{\"id\":\"percent\"},\"kubernetes.container.memory.workingset.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.rootfs.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.rootfs.capacity.bytes\":{\"id\":\"bytes\"},\"kubernetes.container.rootfs.used.bytes\":{\"id\":\"bytes\"},\"kubernetes.controllermanager.http.request.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.controllermanager.http.response.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.controllermanager.process.memory
.resident.bytes\":{\"id\":\"bytes\"},\"kubernetes.controllermanager.process.memory.virtual.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.fs.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.fs.capacity.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.fs.used.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.memory.allocatable.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.memory.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.memory.capacity.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.memory.rss.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.memory.usage.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.memory.workingset.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.network.rx.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.network.tx.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.runtime.imagefs.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.runtime.imagefs.capacity.bytes\":{\"id\":\"bytes\"},\"kubernetes.node.runtime.imagefs.used.bytes\":{\"id\":\"bytes\"},\"kubernetes.pod.cpu.usage.limit.pct\":{\"id\":\"percent\"},\"kubernetes.pod.cpu.usage.node.pct\":{\"id\":\"percent\"},\"kubernetes.pod.memory.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.pod.memory.rss.bytes\":{\"id\":\"bytes\"},\"kubernetes.pod.memory.usage.bytes\":{\"id\":\"bytes\"},\"kubernetes.pod.memory.usage.limit.pct\":{\"id\":\"percent\"},\"kubernetes.pod.memory.usage.node.pct\":{\"id\":\"percent\"},\"kubernetes.pod.memory.working_set.bytes\":{\"id\":\"bytes\"},\"kubernetes.pod.network.rx.bytes\":{\"id\":\"bytes\"},\"kubernetes.pod.network.tx.bytes\":{\"id\":\"bytes\"},\"kubernetes.proxy.http.request.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.proxy.http.response.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.proxy.process.memory.resident.bytes\":{\"id\":\"bytes\"},\"kubernetes.proxy.process.memory.virtual.bytes\":{\"id\":\"bytes\"},\"kubernetes.scheduler.http.request.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.scheduler.http.response.size.bytes.sum\":{\"id\":\"bytes\"},\"kubernetes.schedul
er.process.memory.resident.bytes\":{\"id\":\"bytes\"},\"kubernetes.scheduler.process.memory.virtual.bytes\":{\"id\":\"bytes\"},\"kubernetes.system.memory.rss.bytes\":{\"id\":\"bytes\"},\"kubernetes.system.memory.usage.bytes\":{\"id\":\"bytes\"},\"kubernetes.system.memory.workingset.bytes\":{\"id\":\"bytes\"},\"kubernetes.volume.fs.available.bytes\":{\"id\":\"bytes\"},\"kubernetes.volume.fs.capacity.bytes\":{\"id\":\"bytes\"},\"kubernetes.volume.fs.used.bytes\":{\"id\":\"bytes\"},\"kubernetes.volume.fs.used.pct\":{\"id\":\"percent\"},\"linux.iostat.read.per_sec.bytes\":{\"id\":\"bytes\"},\"linux.iostat.write.per_sec.bytes\":{\"id\":\"bytes\"},\"linux.memory.hugepages.default_size\":{\"id\":\"bytes\"},\"linux.memory.hugepages.free\":{\"id\":\"number\"},\"linux.memory.hugepages.reserved\":{\"id\":\"number\"},\"linux.memory.hugepages.surplus\":{\"id\":\"number\"},\"linux.memory.hugepages.total\":{\"id\":\"number\"},\"linux.memory.hugepages.used.bytes\":{\"id\":\"bytes\"},\"linux.memory.hugepages.used.pct\":{\"id\":\"percent\"},\"linux.memory.page_stats.direct_efficiency.pct\":{\"id\":\"percent\"},\"linux.memory.page_stats.kswapd_efficiency.pct\":{\"id\":\"percent\"},\"linux.memory.page_stats.pgfree.pages\":{\"id\":\"number\"},\"linux.memory.page_stats.pgscan_direct.pages\":{\"id\":\"number\"},\"linux.memory.page_stats.pgscan_kswapd.pages\":{\"id\":\"number\"},\"linux.memory.page_stats.pgsteal_direct.pages\":{\"id\":\"number\"},\"linux.memory.page_stats.pgsteal_kswapd.pages\":{\"id\":\"number\"},\"linux.pressure.cpu.some.10.pct\":{\"id\":\"percent\"},\"linux.pressure.cpu.some.300.pct\":{\"id\":\"percent\"},\"linux.pressure.cpu.some.60.pct\":{\"id\":\"percent\"},\"linux.pressure.io.full.10.pct\":{\"id\":\"percent\"},\"linux.pressure.io.full.300.pct\":{\"id\":\"percent\"},\"linux.pressure.io.full.60.pct\":{\"id\":\"percent\"},\"linux.pressure.io.some.10.pct\":{\"id\":\"percent\"},\"linux.pressure.io.some.300.pct\":{\"id\":\"percent\"},\"linux.pressure.io.some.60.pct\":{\"i
d\":\"percent\"},\"linux.pressure.memory.full.10.pct\":{\"id\":\"percent\"},\"linux.pressure.memory.full.300.pct\":{\"id\":\"percent\"},\"linux.pressure.memory.full.60.pct\":{\"id\":\"percent\"},\"linux.pressure.memory.some.10.pct\":{\"id\":\"percent\"},\"linux.pressure.memory.some.300.pct\":{\"id\":\"percent\"},\"linux.pressure.memory.some.60.pct\":{\"id\":\"percent\"},\"log.syslog.facility.code\":{\"id\":\"string\"},\"log.syslog.priority\":{\"id\":\"string\"},\"mongodb.dbstats.avg_obj_size.bytes\":{\"id\":\"bytes\"},\"mongodb.dbstats.data_size.bytes\":{\"id\":\"bytes\"},\"mongodb.dbstats.extent_free_list.size.bytes\":{\"id\":\"bytes\"},\"mongodb.dbstats.file_size.bytes\":{\"id\":\"bytes\"},\"mongodb.dbstats.index_size.bytes\":{\"id\":\"bytes\"},\"mongodb.dbstats.storage_size.bytes\":{\"id\":\"bytes\"},\"mongodb.replstatus.headroom.max\":{\"id\":\"duration\"},\"mongodb.replstatus.headroom.min\":{\"id\":\"duration\"},\"mongodb.replstatus.lag.max\":{\"id\":\"duration\"},\"mongodb.replstatus.lag.min\":{\"id\":\"duration\"},\"mongodb.replstatus.oplog.size.allocated\":{\"id\":\"bytes\"},\"mongodb.replstatus.oplog.size.used\":{\"id\":\"bytes\"},\"mongodb.status.extra_info.heap_usage.bytes\":{\"id\":\"bytes\"},\"mongodb.status.network.in.bytes\":{\"id\":\"bytes\"},\"mongodb.status.network.out.bytes\":{\"id\":\"bytes\"},\"mongodb.status.wired_tiger.cache.dirty.bytes\":{\"id\":\"bytes\"},\"mongodb.status.wired_tiger.cache.maximum.bytes\":{\"id\":\"bytes\"},\"mongodb.status.wired_tiger.cache.used.bytes\":{\"id\":\"bytes\"},\"mongodb.status.wired_tiger.log.max_file_size.bytes\":{\"id\":\"bytes\"},\"mongodb.status.wired_tiger.log.size.bytes\":{\"id\":\"bytes\"},\"mongodb.status.wired_tiger.log.write.bytes\":{\"id\":\"bytes\"},\"mysql.status.bytes.received\":{\"id\":\"bytes\"},\"mysql.status.bytes.sent\":{\"id\":\"bytes\"},\"nats.connection.idle_time\":{\"id\":\"duration\"},\"nats.connection.in.bytes\":{\"id\":\"bytes\"},\"nats.connection.out.bytes\":{\"id\":\"bytes\"},\"nats.c
onnection.pending_bytes\":{\"id\":\"bytes\"},\"nats.connection.uptime\":{\"id\":\"duration\"},\"nats.route.in.bytes\":{\"id\":\"bytes\"},\"nats.route.out.bytes\":{\"id\":\"bytes\"},\"nats.stats.cpu\":{\"id\":\"percent\"},\"nats.stats.in.bytes\":{\"id\":\"bytes\"},\"nats.stats.mem.bytes\":{\"id\":\"bytes\"},\"nats.stats.out.bytes\":{\"id\":\"bytes\"},\"nats.stats.uptime\":{\"id\":\"duration\"},\"nats.subscriptions.cache.hit_rate\":{\"id\":\"percent\"},\"network.bytes\":{\"id\":\"bytes\"},\"oracle.tablespace.data_file.size.bytes\":{\"id\":\"bytes\"},\"oracle.tablespace.data_file.size.free.bytes\":{\"id\":\"bytes\"},\"oracle.tablespace.data_file.size.max.bytes\":{\"id\":\"bytes\"},\"oracle.tablespace.space.free.bytes\":{\"id\":\"bytes\"},\"oracle.tablespace.space.total.bytes\":{\"id\":\"bytes\"},\"oracle.tablespace.space.used.bytes\":{\"id\":\"bytes\"},\"package.size\":{\"id\":\"string\"},\"process.cpu.pct\":{\"id\":\"percent\"},\"process.elf.header.entrypoint\":{\"id\":\"string\"},\"process.elf.sections.chi2\":{\"id\":\"number\"},\"process.elf.sections.entropy\":{\"id\":\"number\"},\"process.elf.sections.physical_size\":{\"id\":\"bytes\"},\"process.elf.sections.virtual_address\":{\"id\":\"string\"},\"process.elf.sections.virtual_size\":{\"id\":\"string\"},\"process.memory.pct\":{\"id\":\"percent\"},\"process.parent.elf.header.entrypoint\":{\"id\":\"string\"},\"process.parent.elf.sections.chi2\":{\"id\":\"number\"},\"process.parent.elf.sections.entropy\":{\"id\":\"number\"},\"process.parent.elf.sections.physical_size\":{\"id\":\"bytes\"},\"process.parent.elf.sections.virtual_address\":{\"id\":\"string\"},\"process.parent.elf.sections.virtual_size\":{\"id\":\"string\"},\"process.parent.pgid\":{\"id\":\"string\"},\"process.parent.pid\":{\"id\":\"string\"},\"process.parent.ppid\":{\"id\":\"string\"},\"process.parent.thread.id\":{\"id\":\"string\"},\"process.pgid\":{\"id\":\"string\"},\"process.pid\":{\"id\":\"string\"},\"process.ppid\":{\"id\":\"string\"},\"process.thread
.id\":{\"id\":\"string\"},\"rabbitmq.connection.frame_max\":{\"id\":\"bytes\"},\"rabbitmq.node.disk.free.bytes\":{\"id\":\"bytes\"},\"rabbitmq.node.disk.free.limit.bytes\":{\"id\":\"bytes\"},\"rabbitmq.node.gc.reclaimed.bytes\":{\"id\":\"bytes\"},\"rabbitmq.node.io.read.bytes\":{\"id\":\"bytes\"},\"rabbitmq.node.io.write.bytes\":{\"id\":\"bytes\"},\"rabbitmq.node.mem.limit.bytes\":{\"id\":\"bytes\"},\"rabbitmq.queue.consumers.utilisation.pct\":{\"id\":\"percent\"},\"rabbitmq.queue.memory.bytes\":{\"id\":\"bytes\"},\"redis.info.memory.allocator_stats.active\":{\"id\":\"bytes\"},\"redis.info.memory.allocator_stats.allocated\":{\"id\":\"bytes\"},\"redis.info.memory.allocator_stats.fragmentation.bytes\":{\"id\":\"bytes\"},\"redis.info.memory.allocator_stats.resident\":{\"id\":\"bytes\"},\"redis.info.memory.allocator_stats.rss.bytes\":{\"id\":\"bytes\"},\"redis.info.memory.fragmentation.bytes\":{\"id\":\"bytes\"},\"redis.info.memory.max.value\":{\"id\":\"bytes\"},\"redis.info.memory.used.dataset\":{\"id\":\"bytes\"},\"redis.info.memory.used.lua\":{\"id\":\"bytes\"},\"redis.info.memory.used.peak\":{\"id\":\"bytes\"},\"redis.info.memory.used.rss\":{\"id\":\"bytes\"},\"redis.info.memory.used.value\":{\"id\":\"bytes\"},\"redis.info.persistence.aof.buffer.size\":{\"id\":\"bytes\"},\"redis.info.persistence.aof.copy_on_write.last_size\":{\"id\":\"bytes\"},\"redis.info.persistence.aof.rewrite.buffer.size\":{\"id\":\"bytes\"},\"redis.info.persistence.aof.rewrite.current_time.sec\":{\"id\":\"duration\"},\"redis.info.persistence.aof.rewrite.last_time.sec\":{\"id\":\"duration\"},\"redis.info.persistence.aof.size.base\":{\"id\":\"bytes\"},\"redis.info.persistence.aof.size.current\":{\"id\":\"bytes\"},\"redis.info.persistence.rdb.bgsave.current_time.sec\":{\"id\":\"duration\"},\"redis.info.persistence.rdb.bgsave.last_time.sec\":{\"id\":\"duration\"},\"redis.info.persistence.rdb.copy_on_write.last_size\":{\"id\":\"bytes\"},\"redis.info.replication.backlog.size\":{\"id\":\"bytes\"},\"re
dis.info.replication.master.last_io_seconds_ago\":{\"id\":\"duration\"},\"redis.info.replication.master.sync.last_io_seconds_ago\":{\"id\":\"duration\"},\"redis.info.replication.master.sync.left_bytes\":{\"id\":\"bytes\"},\"server.bytes\":{\"id\":\"bytes\"},\"server.nat.port\":{\"id\":\"string\"},\"server.port\":{\"id\":\"string\"},\"source.bytes\":{\"id\":\"bytes\"},\"source.nat.port\":{\"id\":\"string\"},\"source.port\":{\"id\":\"string\"},\"system.core.idle.pct\":{\"id\":\"percent\"},\"system.core.iowait.pct\":{\"id\":\"percent\"},\"system.core.irq.pct\":{\"id\":\"percent\"},\"system.core.nice.pct\":{\"id\":\"percent\"},\"system.core.softirq.pct\":{\"id\":\"percent\"},\"system.core.steal.pct\":{\"id\":\"percent\"},\"system.core.system.pct\":{\"id\":\"percent\"},\"system.core.total.pct\":{\"id\":\"percent\"},\"system.core.user.pct\":{\"id\":\"percent\"},\"system.cpu.idle.norm.pct\":{\"id\":\"percent\"},\"system.cpu.idle.pct\":{\"id\":\"percent\"},\"system.cpu.iowait.norm.pct\":{\"id\":\"percent\"},\"system.cpu.iowait.pct\":{\"id\":\"percent\"},\"system.cpu.irq.norm.pct\":{\"id\":\"percent\"},\"system.cpu.irq.pct\":{\"id\":\"percent\"},\"system.cpu.nice.norm.pct\":{\"id\":\"percent\"},\"system.cpu.nice.pct\":{\"id\":\"percent\"},\"system.cpu.softirq.norm.pct\":{\"id\":\"percent\"},\"system.cpu.softirq.pct\":{\"id\":\"percent\"},\"system.cpu.steal.norm.pct\":{\"id\":\"percent\"},\"system.cpu.steal.pct\":{\"id\":\"percent\"},\"system.cpu.system.norm.pct\":{\"id\":\"percent\"},\"system.cpu.system.pct\":{\"id\":\"percent\"},\"system.cpu.total.norm.pct\":{\"id\":\"percent\"},\"system.cpu.total.pct\":{\"id\":\"percent\"},\"system.cpu.user.norm.pct\":{\"id\":\"percent\"},\"system.cpu.user.pct\":{\"id\":\"percent\"},\"system.diskio.iostat.read.per_sec.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.write.per_sec.bytes\":{\"id\":\"bytes\"},\"system.diskio.read.bytes\":{\"id\":\"bytes\"},\"system.diskio.write.bytes\":{\"id\":\"bytes\"},\"system.entropy.pct\":{\"id\":\"perc
ent\"},\"system.filesystem.available\":{\"id\":\"bytes\"},\"system.filesystem.free\":{\"id\":\"bytes\"},\"system.filesystem.total\":{\"id\":\"bytes\"},\"system.filesystem.used.bytes\":{\"id\":\"bytes\"},\"system.filesystem.used.pct\":{\"id\":\"percent\"},\"system.fsstat.total_size.free\":{\"id\":\"bytes\"},\"system.fsstat.total_size.total\":{\"id\":\"bytes\"},\"system.fsstat.total_size.used\":{\"id\":\"bytes\"},\"system.memory.actual.free\":{\"id\":\"bytes\"},\"system.memory.actual.used.bytes\":{\"id\":\"bytes\"},\"system.memory.actual.used.pct\":{\"id\":\"percent\"},\"system.memory.cached\":{\"id\":\"bytes\"},\"system.memory.free\":{\"id\":\"bytes\"},\"system.memory.hugepages.default_size\":{\"id\":\"bytes\"},\"system.memory.hugepages.free\":{\"id\":\"number\"},\"system.memory.hugepages.reserved\":{\"id\":\"number\"},\"system.memory.hugepages.surplus\":{\"id\":\"number\"},\"system.memory.hugepages.total\":{\"id\":\"number\"},\"system.memory.hugepages.used.bytes\":{\"id\":\"bytes\"},\"system.memory.hugepages.used.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.direct_efficiency.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.kswapd_efficiency.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.pgfree.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgscan_direct.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgscan_kswapd.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgsteal_direct.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgsteal_kswapd.pages\":{\"id\":\"number\"},\"system.memory.swap.free\":{\"id\":\"bytes\"},\"system.memory.swap.total\":{\"id\":\"bytes\"},\"system.memory.swap.used.bytes\":{\"id\":\"bytes\"},\"system.memory.swap.used.pct\":{\"id\":\"percent\"},\"system.memory.total\":{\"id\":\"bytes\"},\"system.memory.used.bytes\":{\"id\":\"bytes\"},\"system.memory.used.pct\":{\"id\":\"percent\"},\"system.network.in.bytes\":{\"id\":\"bytes\"},\"system.network.out.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.b
lkio.total.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.cpu.pressure.full.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.total\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.some.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.some.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.memory.kmem.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.high.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.low.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.high.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.low.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.max.bytes\":{\"i
d\":\"bytes\"},\"system.process.cgroup.memory.memsw.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.active_anon.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.active_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.cache.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.inactive_anon.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.inactive_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.mapped_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.rss.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.rss_huge.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.swap.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.unevictable.bytes\":{\"id\":\"bytes\"},\"system.process.cpu.total.norm.pct\":{\"id\":\"percent\"},\"system.process.cpu.total.pct\":{\"id\":\"percent\"},\"system.process.memory.rss.bytes\":{\"id\":\"bytes\"},\"system.process.memory.rss.pct\":{\"id\":\"percent\"},\"system.process.memory.share\":{\"id\":\"bytes\"},\"system.process.memory.size\":{\"id\":\"bytes\"},\"system.service.resources.network.in.bytes\":{\"id\":\"bytes\"},\"system.service.resources.network.in.packets\":{\"id\":\"bytes\"},\"system.socket.summary.tcp.memory\":{\"id\":\"bytes\"},\"system.socket.summary.udp.memory\":{\"id\":\"bytes\"},\"system.uptime.duration.ms\":{\"id\":\"duration\",\"params\":{\"inputFormat\":\"milliseconds\"}},\"task_stats.cpu.kernel.norm.pct\":{\"id\":\"percent\"},\"task_stats.cpu.kernel.pct\":{\"id\":\"percent\"},\"task_stats.cpu.system.norm.pct\":{\"id\":\"percent\"},\"task_stats.cpu.system.pct\":{\"id\":\"percent\"},\"task_stats.cpu.total.norm.pct\":{\"id\":
\"percent\"},\"task_stats.cpu.total.pct\":{\"id\":\"percent\"},\"task_stats.cpu.user.norm.pct\":{\"id\":\"percent\"},\"task_stats.cpu.user.pct\":{\"id\":\"percent\"},\"task_stats.diskio.read.bytes\":{\"id\":\"bytes\"},\"task_stats.diskio.read.summary.bytes\":{\"id\":\"bytes\"},\"task_stats.diskio.read.write.bytes\":{\"id\":\"bytes\"},\"task_stats.network.inbound.bytes\":{\"id\":\"bytes\"},\"task_stats.network.outbound.bytes\":{\"id\":\"bytes\"},\"threat.enrichments.indicator.file.elf.header.entrypoint\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.sections.chi2\":{\"id\":\"number\"},\"threat.enrichments.indicator.file.elf.sections.entropy\":{\"id\":\"number\"},\"threat.enrichments.indicator.file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"threat.enrichments.indicator.file.elf.sections.virtual_address\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.sections.virtual_size\":{\"id\":\"string\"},\"threat.enrichments.indicator.url.port\":{\"id\":\"string\"},\"threat.indicator.file.elf.header.entrypoint\":{\"id\":\"string\"},\"threat.indicator.file.elf.sections.chi2\":{\"id\":\"number\"},\"threat.indicator.file.elf.sections.entropy\":{\"id\":\"number\"},\"threat.indicator.file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"threat.indicator.file.elf.sections.virtual_address\":{\"id\":\"string\"},\"threat.indicator.file.elf.sections.virtual_size\":{\"id\":\"string\"},\"threat.indicator.url.port\":{\"id\":\"string\"},\"url.port\":{\"id\":\"string\"},\"vsphere.datastore.capacity.free.bytes\":{\"id\":\"bytes\"},\"vsphere.datastore.capacity.total.bytes\":{\"id\":\"bytes\"},\"vsphere.datastore.capacity.used.bytes\":{\"id\":\"bytes\"},\"vsphere.datastore.capacity.used.pct\":{\"id\":\"percent\"},\"vsphere.host.memory.free.bytes\":{\"id\":\"bytes\"},\"vsphere.host.memory.total.bytes\":{\"id\":\"bytes\"},\"vsphere.host.memory.used.bytes\":{\"id\":\"bytes\"},\"vsphere.virtualmachine.memory.free.guest.bytes\":{\"id\":\"bytes\"},\"vsphere.virtualmac
hine.memory.total.guest.bytes\":{\"id\":\"bytes\"},\"vsphere.virtualmachine.memory.used.guest.bytes\":{\"id\":\"bytes\"},\"vsphere.virtualmachine.memory.used.host.bytes\":{\"id\":\"bytes\"},\"windows.service.uptime.ms\":{\"id\":\"duration\",\"params\":{\"inputFormat\":\"milliseconds\"}}}","fields":"[]","name":"Google Cloud Metrics","runtimeFieldMap":"{\"resource.labels.bucket_name\":{\"type\":\"keyword\",\"script\":{\"source\":\"if (doc.containsKey('gcp.labels.resource.bucket_name') && doc['gcp.labels.resource.bucket_name'].size()>0) {\\r\\n\\tdef source = doc['gcp.labels.resource.bucket_name'].value;\\r\\n\\tif (source != \\\"\\\") {\\r\\n\\t\\temit(source);\\r\\n\\t}\\r\\n}\"}}}","sourceFilters":"[]","timeFieldName":"@timestamp","title":"metrics-gcp*","typeMeta":"{}"},"coreMigrationVersion":"8.4.1","id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQ3NiwxXQ=="} 
+{"attributes":{"allowNoIndex":true,"fieldAttrs":"{\"service.type\":{\"count\":3},\"event.action\":{\"count\":6},\"gcp.audit.authorization_info.granted\":{\"count\":1},\"gcp.audit.authorization_info.resource\":{\"count\":2},\"user.email\":{\"count\":1},\"event.dataset\":{\"count\":3},\"event.id\":{\"count\":7},\"insertId\":{\"count\":1},\"gcp.audit.resource_name\":{\"count\":2},\"service.name\":{\"count\":1},\"protoPayload.authorizationInfo.granted\":{\"count\":1},\"protoPayload.authorizationInfo.permission\":{\"count\":1},\"protoPayload.status.message\":{\"count\":1},\"resource.type\":{\"count\":2},\"severity\":{\"count\":1},\"destination.ip\":{\"count\":1},\"gcp.destination.instance.project_id\":{\"count\":1},\"gcp.destination.vpc.project_id\":{\"count\":1},\"gcp.destination.vpc.vpc_name\":{\"count\":1},\"gcp.source.instance.project_id\":{\"count\":3},\"gcp.source.vpc.project_id\":{\"count\":1},\"gcp.source.vpc.vpc_name\":{\"count\":1},\"source.ip\":{\"count\":1},\"gcp.destination.instance.zone\":{\"count\":1},\"gcp.source.instance.zone\":{\"count\":1},\"client.user.email\":{\"count\":2},\"event.outcome\":{\"count\":1},\"gcp.audit.authorization_info.permission\":{\"count\":1},\"log.level\":{\"count\":1}}","fields":"[]","name":"Google Cloud logs","runtimeFieldMap":"{\"repo\":{\"type\":\"keyword\",\"script\":{\"source\":\"def fieldname = \\\"gcp.audit.resource_name\\\";\\r\\nif (!doc.containsKey(fieldname)) {\\r\\n return\\r\\n}\\r\\nif (doc[fieldname].size()>0) {\\r\\n def field_value = doc[fieldname].value;\\r\\n if (field_value != null) {\\r\\n String repo=grok('objects/%{HOSTNAME:repo}').extract(field_value)?.repo;\\r\\n if (repo != null) emit(repo); \\r\\n return;\\r\\n 
}\\r\\n}\"}}}","sourceFilters":"[]","timeFieldName":"@timestamp","title":"logs-gcp*","typeMeta":"{}"},"coreMigrationVersion":"8.4.1","id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:51:51.577Z","version":"WzI4ODYsMV0="} +{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"41c39bea-4ad3-4f53-a7cd-6031adfdc4d4":{"columnOrder":["4e32b4ff-3425-4375-a10b-9cd0831d6586","04f3f55c-6828-45ff-889c-2fb41540ecb5"],"columns":{"04f3f55c-6828-45ff-889c-2fb41540ecb5":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Accessed","operationType":"count","scale":"ratio","sourceField":"___records___"},"4e32b4ff-3425-4375-a10b-9cd0831d6586":{"dataType":"string","isBucketed":true,"label":"Top values of repo","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"04f3f55c-6828-45ff-889c-2fb41540ecb5","type":"column"},"orderDirection":"desc","otherBucket":true,"parentFormat":{"id":"terms"},"size":10},"scale":"ordinal","sourceField":"repo"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"resource.labels.bucket_name : *"},"visualization":{"layers":[{"categoryDisplay":"default","groups":["4e32b4ff-3425-4375-a10b-9cd0831d6586"],"layerId":"41c39bea-4ad3-4f53-a7cd-6031adfdc4d4","layerType":"data","legendDisplay":"default","legendSize":"auto","metric":"04f3f55c-6828-45ff-889c-2fb41540ecb5","nestedLegend":false,"numberDisplay":"percent"}],"shape":"pie"}},"title":"Eden snapshot repo 
access","visualizationType":"lnsPie"},"coreMigrationVersion":"8.4.1","id":"d8c69540-e1a1-11ec-811c-21b61472328d","migrationVersion":{"lens":"8.3.0"},"references":[{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"indexpattern-datasource-layer-41c39bea-4ad3-4f53-a7cd-6031adfdc4d4","type":"index-pattern"}],"type":"lens","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQ3OCwxXQ=="} +{"attributes":{"fieldAttrs":"{\"last_access\":{\"count\":1},\"repo\":{\"count\":1},\"resource.labels.bucket_name\":{\"count\":2}}","fields":"[]","name":"GCS Repository usage","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"","title":"gcs-repos*","typeMeta":"{}"},"coreMigrationVersion":"8.4.1","id":"bd031150-e262-11ec-b9dc-7d1db9e51c26","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQyMCwxXQ=="} +{"attributes":{"columns":["resource.labels.bucket_name","repo","last_access"],"description":"","grid":{},"hideChart":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["resource.labels.bucket_name","asc"],["repo","asc"]],"title":"[GCP] GCS repos"},"coreMigrationVersion":"8.4.1","id":"80fff320-e263-11ec-b9dc-7d1db9e51c26","migrationVersion":{"search":"8.0.0"},"references":[{"id":"bd031150-e262-11ec-b9dc-7d1db9e51c26","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQ3MSwxXQ=="} 
+{"attributes":{"columns":["client.user.email","event.action","gcp.audit.authorization_info.granted","gcp.audit.authorization_info.resource"],"description":"","grid":{"columns":{"client.user.email":{"width":389},"event.action":{"width":192},"gcp.audit.authorization_info.granted":{"width":74},"user.email":{"width":385}}},"hideChart":false,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset : \\\"gcp.audit\\\" and service.name: \\\"storage.googleapis.com\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"[GCP] Storage audit logs"},"coreMigrationVersion":"8.4.1","id":"918a1440-e025-11ec-811c-21b61472328d","migrationVersion":{"search":"8.0.0"},"references":[{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2022-09-23T11:52:19.741Z","version":"WzI5MzAsMV0="} +{"attributes":{"color":"#6092C0","description":"All assets to monitor GCP","name":"GCP"},"coreMigrationVersion":"8.4.1","id":"c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","migrationVersion":{"tag":"8.0.0"},"references":[],"type":"tag","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQ3MiwxXQ=="} +{"attributes":{"description":"This dashboard is meant to analyze one specific bucket in 
GCS","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"3dcf2b52-2c72-4211-8e4a-2e246b91b44f\"},\"panelIndex\":\"3dcf2b52-2c72-4211-8e4a-2e246b91b44f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"## Google Cloud Storage Bucket overview\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":4,\"w\":48,\"h\":7,\"i\":\"1b79bbe6-b082-4915-b2ad-070bc5f5bf7e\"},\"panelIndex\":\"1b79bbe6-b082-4915-b2ad-070bc5f5bf7e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-a45fa57d-1dda-48fc-85ce-84ba57f1763a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"a45fa57d-1dda-48fc-85ce-84ba57f1763a\",\"accessors\":[\"ee4ed363-245d-4cb9-b500-d0551f62de80\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\",\"xAccessor\":\"5027002b-7fff-4b8a-8259-c95daf77a021\"}],\"yRightExtent\":{\"mode\":\"full\"},\"yLeftExtent\":{\"mode\":\"full\"}},\"query\":{\"query\":\"event.dataset : \\\"gcp.storage\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a45fa57d-1dda-48fc-85ce-84ba57f1763a\":{\"columns\":{\"ee4ed363-245d-4cb9-b500-d0551f62de80\":{\"label\":\"API request count\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"gcp.storage.api.request.count\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{},\"customLabel\":true},\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\":{\"label\":\"Top values of gcp.labels.resource.bucket_name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.labels.resource.bucket_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ee4ed363-245d-4cb9-b500-d0551f62de80\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"5027002b-7fff-4b8a-8259-c95daf77a021\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}}},\"columnOrder\":[\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\",\"5027002b-7fff-4b8a-8259-c95daf77a021\",\"ee4ed363-245d-4cb9-b500-d0551f62de80\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Usage in API calls per 
Bucket\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":12,\"h\":14,\"i\":\"a0d39d49-778e-4a79-bb70-39599ee3ae94\"},\"panelIndex\":\"a0d39d49-778e-4a79-bb70-39599ee3ae94\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6\",\"groups\":[\"d6981906-3290-4637-a38d-2e334d803686\"],\"metric\":\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"event.dataset : \\\"gcp.storage\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6\":{\"columns\":{\"d6981906-3290-4637-a38d-2e334d803686\":{\"label\":\"Top values of gcp.labels.metrics.method\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.labels.metrics.method\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"d6981906-3290-4637-a38d-2e334d803686\",\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Storage Access method\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":11,\"w\":36,\"h\":14,\"i\":\"f6880ef9-33a3-4db2-891f-c0a0ef88e306\"},\"panelIndex\":\"f6880ef9-33a3-4db2-891f-c0a0ef88e306\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"0a9b81e1-1e18-462c-9e18-89b3bec35325\",\"splitAccessor\":\"d6981906-3290-4637-a38d-2e334d803686\",\"accessors\":[\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\"],\"layerType\":\"data\"}]},\"query\":{\"query\":\"event.dataset : \\\"gcp.storage\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6\":{\"columns\":{\"d6981906-3290-4637-a38d-2e334d803686\":{\"label\":\"Top values of gcp.labels.metrics.method\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.labels.metrics.method\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"0a9b81e1-1e18-462c-9e18-89b3bec35325\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"d6981906-3290-4637-a38d-2e334d803686\",\"0a9b81e1-1e18-462c-9e18-89b3bec35325\",\"65fa0944-aadb-4801-94d6-f0c6f38ed44c\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Storage Access method over time\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":12,\"h\":15,\"i\":\"a1cc565f-a30a-45fd-a34a-7a2531664a47\"},\"panelIndex\":\"a1cc565f-a30a-45fd-a34a-7a2531664a47\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"GCS object analysis\",\"panelRefName\":\"panel_a1cc565f-a30a-45fd-a34a-7a2531664a47\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":25,\"w\":36,\"h\":15,\"i\":\"ab503be8-81b6-4b85-99ec-ff630eac2b3c\"},\"panelIndex\":\"ab503be8-81b6-4b85-99ec-ff630eac2b3c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"attributes\":{\"title\":\"GCS object analysis 
(copy)\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-41c39bea-4ad3-4f53-a7cd-6031adfdc4d4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"41c39bea-4ad3-4f53-a7cd-6031adfdc4d4\",\"seriesType\":\"bar_stacked\",\"splitAccessor\":\"1a8b94f7-4324-4210-b645-4203cec650b0\",\"accessors\":[\"04f3f55c-6828-45ff-889c-2fb41540ecb5\"],\"layerType\":\"data\",\"xAccessor\":\"c7f2a241-9435-4f54-a5b4-2160ad8a7742\"}]},\"query\":{\"query\":\"resource.labels.bucket_name : *\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"41c39bea-4ad3-4f53-a7cd-6031adfdc4d4\":{\"columns\":{\"1a8b94f7-4324-4210-b645-4203cec650b0\":{\"label\":\"Top values of 
repo\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"repo\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"04f3f55c-6828-45ff-889c-2fb41540ecb5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"c7f2a241-9435-4f54-a5b4-2160ad8a7742\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"04f3f55c-6828-45ff-889c-2fb41540ecb5\":{\"label\":\"Accessed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"customLabel\":true}},\"columnOrder\":[\"1a8b94f7-4324-4210-b645-4203cec650b0\",\"c7f2a241-9435-4f54-a5b4-2160ad8a7742\",\"04f3f55c-6828-45ff-889c-2fb41540ecb5\"],\"incompleteColumns\":{}}}}}}}},\"title\":\"GCS object analysis over time\"},{\"version\":\"8.4.1\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":40,\"w\":21,\"h\":20,\"i\":\"b4e2f5ac-2c50-4820-8dc3-50d72cf0da81\"},\"panelIndex\":\"b4e2f5ac-2c50-4820-8dc3-50d72cf0da81\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"sort\":[[\"resource.labels.bucket_name\",\"asc\"],[\"last_access\",\"asc\"]]},\"title\":\"[GCP] GCS repos without 
access\",\"panelRefName\":\"panel_b4e2f5ac-2c50-4820-8dc3-50d72cf0da81\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":40,\"w\":27,\"h\":20,\"i\":\"1efb58f8-d9db-4dbe-9f51-329440768a39\"},\"panelIndex\":\"1efb58f8-d9db-4dbe-9f51-329440768a39\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-6b73d226-6c45-4d3c-a234-453885173aac\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"6b73d226-6c45-4d3c-a234-453885173aac\",\"layerType\":\"data\",\"title\":\"Empty Heatmap chart\",\"shape\":\"heatmap\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"maxLines\":1,\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\",\"legendSize\":\"auto\"},\"gridConfig\":{\"type\":\"lens_heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true},\"yAccessor\":\"51be05ae-c815-4732-b5b3-650796405834\",\"xAccessor\":\"277d607e-e33a-4e36-92b7-bbc0fc15bc02\",\"valueAccessor\":\"ae2b8f67-b369-4a5f-9d44-0387e0834fb0\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":5,\"name\":\"custom\",\"colorStops\":[{\"color\":\"#cc564200\",\"stop\":0},{\"color\":\"#209280\",\"stop\":1}],\"reverse\":true,\"stops\":[{\"color\":\"#cc564200\",\"stop\":1},{\"color\":\"#209280\",\"stop\":10191}],\"rangeMin\":0,\"rangeMax\":1,\"rangeType\":\"number\"},\"accessor\":\"ae2b8f67-b369-4a5f-9d44-0387e0834fb0\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6b73d226-6c45-4d3c-a234-453885173aac\":{\"columns\":{\"51be05ae-c815-4732-b5b3-650796405834\":{\"label\":\"Top values of 
repo\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"repo\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ae2b8f67-b369-4a5f-9d44-0387e0834fb0\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"277d607e-e33a-4e36-92b7-bbc0fc15bc02\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"ae2b8f67-b369-4a5f-9d44-0387e0834fb0\":{\"label\":\"Requests\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"customLabel\":true}},\"columnOrder\":[\"51be05ae-c815-4732-b5b3-650796405834\",\"277d607e-e33a-4e36-92b7-bbc0fc15bc02\",\"ae2b8f67-b369-4a5f-9d44-0387e0834fb0\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Repo access over time\"},{\"version\":\"8.4.1\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":16,\"i\":\"a3beea95-c585-497c-aba1-56e960f74e93\"},\"panelIndex\":\"a3beea95-c585-497c-aba1-56e960f74e93\",\"embeddableConfig\":{\"columns\":[\"@timestamp\",\"resource.labels.location\",\"user.email\",\"severity\",\"event.action\",\"gcp.audit.authorization_info.granted\",\"event.outcome\",\"gcp.audit.authorization_info.resource\"],\"enhancements\":{}},\"panelRefName\":\"panel_a3beea95-c585-497c-aba1-56e960f74e93\"}]","timeRestore":false,"title":"[Google Cloud] GCS Bucket 
analysis","version":1},"coreMigrationVersion":"8.4.1","id":"78e2bff0-e250-11ec-b9dc-7d1db9e51c26","migrationVersion":{"dashboard":"8.4.0"},"references":[{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"1b79bbe6-b082-4915-b2ad-070bc5f5bf7e:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"1b79bbe6-b082-4915-b2ad-070bc5f5bf7e:indexpattern-datasource-layer-a45fa57d-1dda-48fc-85ce-84ba57f1763a","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"a0d39d49-778e-4a79-bb70-39599ee3ae94:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"a0d39d49-778e-4a79-bb70-39599ee3ae94:indexpattern-datasource-layer-6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"f6880ef9-33a3-4db2-891f-c0a0ef88e306:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"f6880ef9-33a3-4db2-891f-c0a0ef88e306:indexpattern-datasource-layer-6cd2f738-9a8a-46a3-b0c0-bf5e86f749d6","type":"index-pattern"},{"id":"d8c69540-e1a1-11ec-811c-21b61472328d","name":"a1cc565f-a30a-45fd-a34a-7a2531664a47:panel_a1cc565f-a30a-45fd-a34a-7a2531664a47","type":"lens"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"ab503be8-81b6-4b85-99ec-ff630eac2b3c:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"ab503be8-81b6-4b85-99ec-ff630eac2b3c:indexpattern-datasource-layer-41c39bea-4ad3-4f53-a7cd-6031adfdc4d4","type":"index-pattern"},{"id":"80fff320-e263-11ec-b9dc-7d1db9e51c26","name":"b4e2f5ac-2c50-4820-8dc3-50d72cf0da81:panel_b4e2f5ac-2c50-4820-8dc3-50d72cf0da81","type":"search"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"1efb58f8-d9db-4dbe-9f51-329440768a39:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a0
4-11ec-9e73-cd9488048b9c","name":"1efb58f8-d9db-4dbe-9f51-329440768a39:indexpattern-datasource-layer-6b73d226-6c45-4d3c-a234-453885173aac","type":"index-pattern"},{"id":"918a1440-e025-11ec-811c-21b61472328d","name":"a3beea95-c585-497c-aba1-56e960f74e93:panel_a3beea95-c585-497c-aba1-56e960f74e93","type":"search"},{"id":"c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","name":"tag-c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","type":"tag"}],"type":"dashboard","updated_at":"2022-09-23T11:56:12.623Z","version":"WzMxODUsMV0="} +{"attributes":{"allowNoIndex":true,"timeFieldName":"@timestamp","title":"metrics-*"},"coreMigrationVersion":"8.4.1","id":"metrics-*","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:34.304Z","version":"WzE3MjMsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Logs Header","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logs 
Header\",\"type\":\"metrics\",\"aggs\":[],\"params\":{\"time_range_mode\":\"last_value\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"split_color_mode\":\"gradient\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"logs*\",\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"show_grid\":1,\"isModelInvalid\":false,\"markdown\":\"[Risks](/app/infra#/link-to/pod-logs/0b2173e4-1c29-11ea-b9f8-42010a8001fa?time=1576079575338)\",\"background_color\":\"rgba(231,102,76,1)\",\"markdown_vertical_align\":\"middle\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"bar_color_rules\":[{\"id\":\"3e6a25c0-1822-11ea-b0f8-ed9a77282123\"}],\"markdown_css\":\"font-family:\\\"Inter UI\\\",-apple-system,system-ui,\\\"Segoe UI\\\",Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\",\\\"Segoe UI Symbol\\\";font-weight:500;text-align:center;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\\r\\np {\\r\\nposition:absolute;top:50%;left:50%;transform:translateX(-50%) translateY(-50%) rotate(-90deg);\\r\\n } a{text-decoration:none 
!important;}\",\"use_kibana_indexes\":false,\"hide_last_value_indicator\":true,\"drop_last_bucket\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"tooltip_mode\":\"show_all\"}}"},"coreMigrationVersion":"8.4.1","id":"ee75e580-1822-11ea-a279-cf37f62e6395","migrationVersion":{"visualization":"8.3.0"},"references":[],"type":"visualization","updated_at":"2022-09-23T11:33:18.788Z","version":"WzUzMiwxXQ=="} +{"attributes":{"fieldAttrs":"{\"_index\":{\"count\":3},\"action\":{\"count\":1}}","fieldFormatMap":"{\"action\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplate\":\"Resolve\"}}}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"alerts*,*:.alerts*,*:.siem-signals*,.alerts*","typeMeta":"{}"},"coreMigrationVersion":"8.4.1","id":"8b5b9b10-9e0e-11ec-987d-697a56940492","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:18.788Z","version":"WzUzMywxXQ=="} +{"attributes":{"allowNoIndex":true,"timeFieldName":"@timestamp","title":"logs-*"},"coreMigrationVersion":"8.4.1","id":"logs-*","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:34.304Z","version":"WzE3MjIsMV0="} +{"attributes":{"columns":["resource.type","severity","protoPayload.authorizationInfo.permission","protoPayload.authorizationInfo.granted","protoPayload.status.message"],"description":"","grid":{},"hideChart":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"service.name : \\\"compute.googleapis.com\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"[GCP] Compute 
Logs"},"coreMigrationVersion":"8.4.1","id":"d600e7f0-e1d5-11ec-811c-21b61472328d","migrationVersion":{"search":"8.0.0"},"references":[{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2022-09-23T11:33:18.788Z","version":"WzUzNCwxXQ=="} +{"attributes":{"columns":["log.level","event.outcome","client.user.email","event.action","gcp.audit.authorization_info.resource","gcp.audit.authorization_info.permission"],"description":"","grid":{},"hideChart":false,"isTextBasedQuery":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"service.name : \\\"pubsub.googleapis.com\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"[GCP] PubSub Logs"},"coreMigrationVersion":"8.4.1","id":"27fa6380-e1d4-11ec-811c-21b61472328d","migrationVersion":{"search":"8.0.0"},"references":[{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2022-09-23T11:49:13.158Z","version":"WzI3NjAsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Metric Top Banner with Arrow","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Metric Top Banner with 
Arrow\",\"type\":\"metrics\",\"aggs\":[],\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"644e40fb-777c-4fc3-aca7-5aa77a071114\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"7d440687-1f12-4548-bef2-0547926e6b83\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"1ee35dea-274b-4f10-856e-6d8be1ae1782\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Metrics\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n position: relative;\\r\\n background: #fa744eff;\\r\\n -webkit-border-radius: 10px;\\r\\n -moz-border-radius: 10px;\\r\\n border-radius: 10px; \\r\\n width: 100%; \\r\\n height: 50px;\\r\\n text-align: center;\\r\\n padding-top: 10px;\\r\\n color: #fff;\\r\\n font-weight: 500;\\r\\n font-size: 20px;\\r\\n font-family: Inter;\\r\\n}\\r\\n\\r\\np:before {\\r\\n content: \\\"\\\";\\r\\n position: absolute;\\r\\n top: 50px;\\r\\n left: 49%;\\r\\n z-index: 1;\\r\\n border: solid 15px transparent;\\r\\n border-top-color: #fa744eff;\\r\\n}\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\"}}"},"coreMigrationVersion":"8.4.1","id":"0837b230-c9ee-11ec-a663-3dcfabdeadb8","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"logs-*","name":"metrics_0_index_pattern","type":"index-pattern"}],"type":"visualization","updated_at":"2022-09-23T11:41:20.977Z","version":"WzIzMTksMV0="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Log Top Banner with Arrow","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Log Top Banner with Arrow\",\"type\":\"metrics\",\"aggs\":[],\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"644e40fb-777c-4fc3-aca7-5aa77a071114\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"7d440687-1f12-4548-bef2-0547926e6b83\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"1ee35dea-274b-4f10-856e-6d8be1ae1782\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Logs\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n position: relative;\\r\\n background: #54bcb2ff;\\r\\n -webkit-border-radius: 10px;\\r\\n -moz-border-radius: 10px;\\r\\n border-radius: 10px; \\r\\n width: 100%; \\r\\n height: 50px;\\r\\n text-align: center;\\r\\n padding-top: 10px;\\r\\n color: #fff;\\r\\n font-weight: 500;\\r\\n font-size: 20px;\\r\\n font-family: Inter;\\r\\n}\\r\\n\\r\\np:before {\\r\\n content: \\\"\\\";\\r\\n position: absolute;\\r\\n top: 50px;\\r\\n left: 49.3%;\\r\\n z-index: 1;\\r\\n border: solid 15px transparent;\\r\\n border-top-color: 
#54bcb2ff;\\r\\n}\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\"}}"},"coreMigrationVersion":"8.4.1","id":"67d64da0-c9ee-11ec-a663-3dcfabdeadb8","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"logs-*","name":"metrics_0_index_pattern","type":"index-pattern"}],"type":"visualization","updated_at":"2022-09-23T11:41:36.347Z","version":"WzI0MDYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"[GCP] VPC Network map","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[GCP] VPC Network map\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v5.json\\n title: Network map\\n autosize: {\\n \\\"type\\\": \\\"fit\\\",\\n \\\"contains\\\": \\\"padding\\\"\\n }\\n padding: 20\\n \\n \\\"signals\\\": [\\n {\\n \\\"name\\\": \\\"$minBytesTransferred\\\", \\\"value\\\": 0,\\n \\\"bind\\\": {\\\"input\\\": \\\"range\\\", \\\"name\\\": \\\"Min to show connection\\\" , \\\"min\\\": 0, \\\"max\\\": 999999999, \\\"step\\\": 100}\\n }\\n ],\\n \\n \\\"data\\\": [\\n {\\n \\\"name\\\": \\\"connections\\\",\\n url: {\\n index: gcp_vpc*\\n body: {\\n size: 1000\\n }\\n }\\n \\\"format\\\": {\\\"property\\\": \\\"hits.hits\\\"},\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"_source.source.ip\\\",\\n \\\"_source.gcp.source.vpc.project_id\\\",\\n \\\"_source.gcp.source.vpc.vpc_name\\\",\\n \\\"_source.gcp.source.vpc.subnetwork_name\\\",\\n \\\"_source.destination.ip\\\",\\n \\\"_source.gcp.destination.vpc.project_id\\\",\\n \\\"_source.gcp.destination.vpc.vpc_name\\\",\\n \\\"_source.gcp.destination.vpc.subnetwork_name\\\",\\n \\\"_source.network.bytes.sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"source_ip\\\", \\n \\\"source_project\\\",\\n \\\"source_vpc\\\",\\n \\\"source_subnetwork\\\",\\n \\\"destination_ip\\\", \\n 
\\\"destination_project\\\",\\n \\\"destination_vpc\\\",\\n \\\"destination_subnetwork\\\",\\n \\\"value\\\"]\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"source_subnetwork\\\",\\n \\\"expr\\\": \\\"datum.source_subnetwork + '_sn'\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"destination_subnetwork\\\",\\n \\\"expr\\\": \\\"datum.destination_subnetwork + '_sn'\\\"\\n }\\n ]\\n },\\n {\\n \\\"name\\\": \\\"sourceIsolatedLevel1\\\",\\n \\\"source\\\": [\\n \\\"connections\\\"\\n ],\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"source_project\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"parent\\\",\\n \\\"expr\\\": \\\"!isDefined(datum.parent)?'Source':datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'Project'\\\"\\n }\\n ]\\n },\\n {\\n \\\"name\\\": \\\"sourceRootNode\\\",\\n \\\"source\\\": \\\"sourceIsolatedLevel1\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"parent\\\",\\n \\\"cluster\\\"\\n \\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\\"currentNode\\\",\\\"parent\\\"]\\n },\\n {\\n 
\\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\"\\n \\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'environment'\\\"\\n }\\n \\n ]\\n },\\n { \\n \\\"name\\\": \\\"sourceIsolatedLevel2\\\",\\n \\\"source\\\": \\\"connections\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"source_project\\\",\\n \\\"source_vpc\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'VPC'\\\"\\n }\\n ]\\n},\\n{\\n \\\"name\\\": \\\"sourceIsolatedLevel3\\\",\\n \\\"source\\\": \\\"connections\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"source_vpc\\\",\\n \\\"source_subnetwork\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n 
\\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'subnetwork'\\\"\\n }\\n ]\\n}, \\n{\\n \\\"name\\\": \\\"sourceIsolatedLevel4\\\",\\n \\\"source\\\": \\\"connections\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"source_subnetwork\\\",\\n \\\"source_ip\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'hosts'\\\"\\n }\\n ]\\n},\\n {\\n \\\"name\\\": \\\"destinationIsolatedLevel1\\\",\\n \\\"source\\\": [\\n \\\"connections\\\"\\n ],\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"destination_project\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n 
\\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"parent\\\",\\n \\\"expr\\\": \\\"!isDefined(datum.parent)?'Destination':datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'Project'\\\"\\n }\\n ]\\n },\\n {\\n \\\"name\\\": \\\"destinationRootNode\\\",\\n \\\"source\\\": \\\"destinationIsolatedLevel1\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"parent\\\",\\n \\\"cluster\\\"\\n \\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\\"currentNode\\\",\\\"parent\\\"]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\"\\n \\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'environment'\\\"\\n }\\n \\n ]\\n },\\n { \\n \\\"name\\\": \\\"destinationIsolatedLevel2\\\",\\n \\\"source\\\": \\\"connections\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"destination_project\\\",\\n \\\"destination_vpc\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n 
\\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'VPC'\\\"\\n }\\n ]\\n},\\n{\\n \\\"name\\\": \\\"destinationIsolatedLevel3\\\",\\n \\\"source\\\": \\\"connections\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"destination_vpc\\\",\\n \\\"destination_subnetwork\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'subnetwork'\\\"\\n }\\n ]\\n}, \\n{\\n \\\"name\\\": \\\"destinationIsolatedLevel4\\\",\\n \\\"source\\\": \\\"connections\\\",\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"destination_subnetwork\\\",\\n \\\"destination_ip\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n 
\\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"parent\\\",\\n \\\"currentNode\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"project\\\",\\n \\\"fields\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ],\\n \\\"as\\\": [\\n \\\"currentNode\\\",\\n \\\"parent\\\",\\n \\\"value\\\"\\n ]\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.currentNode\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"type\\\"\\n \\\"expr\\\": \\\"'hosts'\\\"\\n }\\n ]\\n},\\n{\\n \\\"name\\\": \\\"sourceTree\\\",\\n \\\"source\\\": [\\n \\\"sourceRootNode\\\",\\n \\\"sourceIsolatedLevel1\\\",\\n \\\"sourceIsolatedLevel2\\\",\\n \\\"sourceIsolatedLevel3\\\",\\n \\\"sourceIsolatedLevel4\\\" \\n ],\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"stratify\\\",\\n \\\"key\\\": \\\"currentNode\\\",\\n \\\"parentKey\\\": \\\"parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"pack\\\",\\n \\\"field\\\": \\\"value\\\",\\n \\\"sort\\\": {\\\"field\\\": \\\"value\\\"},\\n \\\"size\\\": [{\\\"signal\\\": \\\"width/2\\\"}, {\\\"signal\\\": \\\"height\\\"}],\\n \\\"padding\\\": 100\\n } \\n ]\\n} ,\\n{\\n \\\"name\\\": \\\"destinationTree\\\",\\n \\\"source\\\": [\\n \\\"destinationRootNode\\\",\\n \\\"destinationIsolatedLevel1\\\",\\n \\\"destinationIsolatedLevel2\\\",\\n \\\"destinationIsolatedLevel3\\\",\\n \\\"destinationIsolatedLevel4\\\" \\n ],\\n \\\"transform\\\": [\\n {\\n \\\"type\\\": \\\"stratify\\\",\\n \\\"key\\\": \\\"currentNode\\\",\\n \\\"parentKey\\\": \\\"parent\\\"\\n },\\n {\\n \\\"type\\\": \\\"pack\\\",\\n \\\"field\\\": \\\"value\\\",\\n \\\"sort\\\": {\\\"field\\\": \\\"value\\\"},\\n \\\"size\\\": [{\\\"signal\\\": \\\"width/2\\\"}, {\\\"signal\\\": \\\"height\\\"}],\\n \\\"padding\\\": 100\\n } ,\\n //Move 
destination tree to the right\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"x\\\",\\n \\\"expr\\\": \\\"datum.x + width/2\\\"\\n }\\n ]\\n},\\n {\\n name: links\\n source: connections\\n transform: [\\n {\\n \\\"type\\\": \\\"aggregate\\\",\\n \\\"groupby\\\": [\\n \\\"source_ip\\\",\\n \\\"destination_ip\\\"\\n ],\\n \\\"fields\\\": [\\n \\\"value\\\"\\n ],\\n \\\"ops\\\": [\\n \\\"sum\\\"\\n ],\\n \\\"as\\\": [\\n \\\"value\\\"\\n ]\\n },\\n //Set min size to see all connections\\n {\\n \\\"type\\\": \\\"formula\\\",\\n \\\"as\\\": \\\"value\\\",\\n \\\"expr\\\": \\\"datum.value == 0 ? 1 : datum.value\\\"\\n },\\n {\\n \\\"type\\\": \\\"filter\\\",\\n \\\"expr\\\": \\\"datum.value > $minBytesTransferred\\\"\\n },\\n {\\n type: lookup\\n from: sourceTree\\n key: currentNode\\n fields: [\\\"source_ip\\\"]\\n as: [\\\"source\\\"]\\n },\\n {\\n type: lookup\\n from: destinationTree\\n key: currentNode\\n fields: [\\\"destination_ip\\\"]\\n as: [\\\"target\\\"]\\n },\\n {\\\"type\\\": \\\"formula\\\", \\\"as\\\": \\\"fbytes\\\", \\\"expr\\\": \\\"datum.value < 1024 ? datum.value + ' B' : (datum.value < 1024 * 1024) ? format(datum.value / 1024, ',.2f') + ' KB' : (datum.value < 1024 * 1024 * 1024) ? format(datum.value / 1024 / 1024, ',.2f') + ' MB' : (datum.value / 1024 / 1024 / 1024) ? 
format(datum.value / 1024 / 1024 / 1024, ',.2f') + ' GB' : 'NA'\\\"}\\n \\n // calculate SVG link path between source and destination ips\\n {\\n type: linkpath\\n orient: horizontal\\n shape: line\\n sourceY: {expr: \\\"datum.source.y\\\"}\\n sourceX: {expr: \\\"datum.source.x\\\"}\\n targetY: {expr: \\\"datum.target.y\\\"}\\n targetX: {expr: \\\"datum.target.x\\\"}\\n }\\n ]\\n }\\n ]\\n \\n \\\"scales\\\": [\\n {\\n \\\"name\\\": \\\"color\\\",\\n \\\"type\\\": \\\"ordinal\\\",\\n \\\"domain\\\": {\\\"data\\\": \\\"sourceTree\\\", \\\"field\\\": \\\"type\\\"},\\n \\\"range\\\": {\\\"scheme\\\": \\\"category20\\\"}\\n },\\n {\\n name: width\\n type: linear\\n range: [1,10]\\n domain: {data: \\\"links\\\", field: \\\"value\\\"}\\n }\\n ],\\n \\n \\\"marks\\\": [\\n {\\n \\\"type\\\": \\\"symbol\\\",\\n \\\"from\\\": {\\\"data\\\": \\\"sourceTree\\\"},\\n \\\"encode\\\": {\\n \\\"enter\\\": {\\n \\\"shape\\\": {\\\"value\\\": \\\"circle\\\"},\\n \\\"fill\\\": {\\\"scale\\\": \\\"color\\\", \\\"field\\\": \\\"type\\\"},\\n \\\"tooltip\\\": [\\n {\\\"signal\\\": \\\"{'Type': datum.type,'Name': datum.currentNode}\\\"\\n }\\n ]\\n },\\n \\\"update\\\": {\\n \\\"x\\\": {\\\"signal\\\": \\\"datum.x - 0\\\"},\\n \\\"y\\\": {\\\"signal\\\": \\\"datum.y - 0\\\"},\\n \\\"size\\\": {\\\"signal\\\": \\\"4 * datum.r * datum.r\\\"},\\n \\\"stroke\\\": {\\\"value\\\": \\\"white\\\"},\\n \\\"strokeWidth\\\": {\\\"value\\\": 0.5}\\n },\\n \\\"hover\\\": {\\n \\\"stroke\\\": {\\\"value\\\": \\\"red\\\"},\\n \\\"strokeWidth\\\": {\\\"value\\\": 2}\\n }\\n }\\n },\\n {\\n \\\"type\\\": \\\"symbol\\\",\\n \\\"from\\\": {\\\"data\\\": \\\"destinationTree\\\"},\\n \\\"encode\\\": {\\n \\\"enter\\\": {\\n \\\"shape\\\": {\\\"value\\\": \\\"circle\\\"},\\n \\\"fill\\\": {\\\"scale\\\": \\\"color\\\", \\\"field\\\": \\\"type\\\"},\\n \\\"tooltip\\\": [\\n {\\\"signal\\\": \\\"{'Type': datum.type,'Name': datum.currentNode}\\\"\\n }\\n ]\\n },\\n \\\"update\\\": {\\n \\\"x\\\": 
{\\\"signal\\\": \\\"datum.x\\\"},\\n \\\"y\\\": {\\\"signal\\\": \\\"datum.y + 0\\\"},\\n \\\"size\\\": {\\\"signal\\\": \\\"4 * datum.r * datum.r\\\"},\\n \\\"stroke\\\": {\\\"value\\\": \\\"white\\\"},\\n \\\"strokeWidth\\\": {\\\"value\\\": 0.5}\\n },\\n \\\"hover\\\": {\\n \\\"stroke\\\": {\\\"value\\\": \\\"red\\\"},\\n \\\"strokeWidth\\\": {\\\"value\\\": 2}\\n }\\n }\\n },\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: linksMark\\n from: {data: \\\"links\\\"}\\n encode: {\\n update: { \\n path: {field: \\\"path\\\"}\\n strokeWidth: {scale: \\\"width\\\", field: \\\"value\\\"}\\n \\\"tooltip\\\": [\\n {\\\"signal\\\": \\\"{'Source': datum.source_ip,'Destination': datum.destination_ip,'Bytes':datum.fbytes}\\\"\\n }\\n ]\\n }\\n\\n }\\n }\\n ]\\n}\"}}"},"coreMigrationVersion":"8.4.1","id":"a864cf30-2796-11ed-8b66-293f5fd86974","migrationVersion":{"visualization":"8.3.0"},"references":[],"type":"visualization","updated_at":"2022-09-23T11:33:18.788Z","version":"WzUzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \",\"language\":\"kuery\"},\"filter\":[]}"},"title":"[GCP] Sankey Source to Destination country (copy 1)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[GCP] Sankey Source to Destination country (copy 1)\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n 
}\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -> stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector && groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n 
update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && 
datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"}}"},"coreMigrationVersion":"8.4.1","id":"b7c12f20-7466-11ec-adfa-5dd9fdfc6ea6","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","name":"tag-ref-c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","type":"tag"}],"type":"visualization","updated_at":"2022-09-23T11:33:18.788Z","version":"WzUzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset : \\\"gcp.firewall\\\" \",\"language\":\"kuery\"},\"filter\":[]}"},"title":"[GCP] Sankey Source to Destination country (Firewall)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"[GCP] Sankey Source to Destination country (Firewall)\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: 
{field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -> stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector && groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n 
update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && 
datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"}}"},"coreMigrationVersion":"8.4.1","id":"b64abe60-e1d8-11ec-811c-21b61472328d","migrationVersion":{"visualization":"8.3.0"},"references":[{"id":"c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","name":"tag-ref-c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","type":"tag"}],"type":"visualization","updated_at":"2022-09-23T11:33:18.788Z","version":"WzU0MCwxXQ=="} +{"attributes":{"fieldAttrs":"{}","fieldFormatMap":"{\"cost\":{\"id\":\"currency\",\"params\":{}}}","fields":"[]","name":"gcp*:*billing*","runtimeFieldMap":"{}","sourceFilters":"[]","title":"gcp*:*billing*","typeMeta":"{}"},"coreMigrationVersion":"8.4.1","id":"df7b5a80-e343-11ec-b9dc-7d1db9e51c26","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:18.788Z","version":"WzU0MSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":true,\"hidePanelTitles\":false,\"syncTooltips\":true}","panelsJSON":"[{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":5,\"h\":5,\"i\":\"c2465bd8-ec2f-446c-be7b-a50c853ac141\"},\"panelIndex\":\"c2465bd8-ec2f-446c-be7b-a50c853ac141\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":8,\"openLinksInNewTab\":false,\"markdown\":\"![test](https://cdn.dribbble.com/users/1161517/screenshots/4086623/media/8b62947ff6e0d9e42b7c9876a7183e1c.gif)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":5,\"y\":0,\"w\":43,\"h\":5,\"i\":\"31106f85-c89c-478c-94ec-881bc2c28d84\"},\"panelIndex\":\"31106f85-c89c-478c-94ec-881bc2c28d84\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"4765b8cc-5a10-4dc6-9d7d-1c2e036d4068\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"68c141bd-3641-4ed7-945b-bccb48f8f242\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"0babaf30-7a90-421d-9dd4-1d5fad23c450\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"
number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"## Google Cloud monitoring overview \\r\\nThis dashboard provides a single pane of glass view into your Google Cloud environment. The dashboard is created via elastic terraform examples. After creation it can take some time until all visualizations showing data. \",\"isModelInvalid\":false,\"markdown_css\":\"\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_31106f85-c89c-478c-94ec-881bc2c28d84_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":15,\"h\":9,\"i\":\"ec48927f-c88c-406c-b72a-21d1678cad32\"},\"panelIndex\":\"ec48927f-c88c-406c-b72a-21d1678cad32\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-0952adb9-5cf8-45b2-8cf7-17dbe2e513c4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"0952adb9-5cf8-45b2-8cf7-17dbe2e513c4\",\"groups\":[\"85fb97ce-7ef0-4089-b40a-5ae46674cf3a\"],\"metric\":\"1a10e360-7399-4a4b-8f83-569df685eee2\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0952adb9-5cf8-45b2-8cf7-17dbe2e513c4\":{\"columns\":{\"85fb97ce-7ef0-4089-b40a-5ae46674cf3a\"
:{\"label\":\"Top values of cloud.project.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1a10e360-7399-4a4b-8f83-569df685eee2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"1a10e360-7399-4a4b-8f83-569df685eee2\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"85fb97ce-7ef0-4089-b40a-5ae46674cf3a\",\"1a10e360-7399-4a4b-8f83-569df685eee2\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Projects\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":5,\"w\":14,\"h\":9,\"i\":\"35a2804f-97bb-4d66-a898-d29e9fca9249\"},\"panelIndex\":\"35a2804f-97bb-4d66-a898-d29e9fca9249\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-4f847068-8c3f-45e7-af92-62b19de4de81\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"4f847068-8c3f-45e7-af92-62b19de4de81\",\"groups\":[\"43a4ae87-22d5-411d-b84b-5d76e9272f98\"],\"metric\":\"8a1860a9-b61e-43d1-98ae-13c0738310b0\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4f847068-8c3f-45e7-af92-62b19de4de81\":{\"columns\":{\"43a4ae87-22d5-411d-b84b-5d76e9272f98\":{\"label\":\"Top values 
of cloud.region\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8a1860a9-b61e-43d1-98ae-13c0738310b0\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"8a1860a9-b61e-43d1-98ae-13c0738310b0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"43a4ae87-22d5-411d-b84b-5d76e9272f98\",\"8a1860a9-b61e-43d1-98ae-13c0738310b0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Regions\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":29,\"y\":5,\"w\":19,\"h\":9,\"i\":\"127988b1-d18b-4c05-b6ba-08b0c27d42ad\"},\"panelIndex\":\"127988b1-d18b-4c05-b6ba-08b0c27d42ad\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-92bb8c52-6c12-456f-bf57-ba639a334d12\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"92bb8c52-6c12-456f-bf57-ba639a334d12\",\"groups\":[\"41bb8f1a-9aa4-45ba-9ecb-092a6061c6fa\"],\"metric\":\"5b45c9b9-fbe9-4c2e-902c-908b53e37a30\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"92bb8c52-6c12-456f-bf57-ba639a334d12\":{\"columns\":{\"41bb8f1a-9aa4-45ba-9ecb-092a6061c6fa\":{\"label\":\"Top values of 
data_stream.dataset\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data_stream.dataset\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5b45c9b9-fbe9-4c2e-902c-908b53e37a30\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"5b45c9b9-fbe9-4c2e-902c-908b53e37a30\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"41bb8f1a-9aa4-45ba-9ecb-092a6061c6fa\",\"5b45c9b9-fbe9-4c2e-902c-908b53e37a30\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Log data sources\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":14,\"w\":2,\"h\":8,\"i\":\"29780e76-27af-4bf8-a791-6ae98d19a91a\"},\"panelIndex\":\"29780e76-27af-4bf8-a791-6ae98d19a91a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_29780e76-27af-4bf8-a791-6ae98d19a91a\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":2,\"y\":14,\"w\":23,\"h\":8,\"i\":\"1c76ef12-d9b9-48b5-8c94-3e7afcbb4d10\"},\"panelIndex\":\"1c76ef12-d9b9-48b5-8c94-3e7afcbb4d10\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"8b5b9b10-9e0e-11ec-987d-697a56940492\",\"name\":\"indexpattern-datasource-layer-fc12a422-351d-4fb4-ae16-35a49bfb0ffe\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"4412f98e-fe17-452b-8a80-a45690118739\",\"width\":506},{\"isTransposed\":false,\"columnId\":\"bad70713-9bbd-4814-8c6a-c91a69dc74bd\",\"summaryRow\":\"sum\",\"summaryLabel\":\"Total\",\"colorMode\":\"none\"},{\"columnId\":\"6f60b176-9723-4b46-a047-8d0754702d15\",\"isTransposed\":false,\"width\":128}],\"layerId\":\"fc12a422-351d-4fb4-ae16-35a49bfb0ffe\",
\"layerType\":\"data\",\"sorting\":{\"columnId\":\"6f60b176-9723-4b46-a047-8d0754702d15\",\"direction\":\"desc\"},\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"cloud.provider : \\\"gcp\\\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fc12a422-351d-4fb4-ae16-35a49bfb0ffe\":{\"columns\":{\"4412f98e-fe17-452b-8a80-a45690118739\":{\"label\":\"Top alerts\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"kibana.alert.rule.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bad70713-9bbd-4814-8c6a-c91a69dc74bd\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"bad70713-9bbd-4814-8c6a-c91a69dc74bd\":{\"label\":\"Occurences\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"6f60b176-9723-4b46-a047-8d0754702d15\":{\"label\":\"Risk 
score\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"kibana.alert.risk_score\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true}},\"columnOrder\":[\"4412f98e-fe17-452b-8a80-a45690118739\",\"6f60b176-9723-4b46-a047-8d0754702d15\",\"bad70713-9bbd-4814-8c6a-c91a69dc74bd\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":14,\"w\":7,\"h\":8,\"i\":\"8e936240-f0f6-4cb0-9622-611e84ee3ee2\"},\"panelIndex\":\"8e936240-f0f6-4cb0-9622-611e84ee3ee2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-932b2bd6-ece2-4102-8adf-a601e58b0e29\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"932b2bd6-ece2-4102-8adf-a601e58b0e29\",\"accessor\":\"9892af2e-47e1-4b27-b16e-fa79a235983b\",\"layerType\":\"data\",\"colorMode\":\"Background\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":0,\"rangeMax\":18433.5,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#d6bf57\",\"stop\":8192.66},{\"color\":\"#cc5642\",\"stop\":16385.33}],\"steps\":3,\"continuity\":\"above\",\"maxSteps\":5}}},\"query\":{\"query\":\"error.message : * or error.code : *\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"932b2bd6-ece2-4102-8adf-a601e58b0e29\":{\"columns\":{\"9892af2e-47e1-4b27-b16e-fa79a235983b\":{\"label\":\"Error 
messages\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"9892af2e-47e1-4b27-b16e-fa79a235983b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":14,\"w\":16,\"h\":8,\"i\":\"101832e2-8b59-4aa2-8213-708ef0a4fae6\"},\"panelIndex\":\"101832e2-8b59-4aa2-8213-708ef0a4fae6\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\"}],\"time_field\":\"@timestamp\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"markdown\":\"[Alert overview](/app/dashboards#/view/eda3de50-e3b4-11eb-a664-89f326f6e2c5)\\r\\n\\r\\n[Detection Engine](security/detections)\",\"isModelInvalid\":false,\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"markdown_css\":\"a{background-color:#006bb4;color:#fff;padding:8px 12px;height:40px; width: 100%; text-align: center; display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle,margin-bottom: 15px}\",\"drop_last_bucket\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"index_pattern_ref_name\":\"metrics_101832e2-8b59-4aa2-8213-708ef0a4fae6_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":4,\"i\":\"49e69eda-a8d4-45f1-aefb-58f7bfa744ee\"},\"panelIndex\":\"49e69eda-a8d4-45f1-aefb-58f7bfa744ee\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"763b6711-676d-41d1-8e36-46692dc79716\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"b3bde219-a04b-45af-83a5-f3f3ede99749\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"4ac2bc10-b620-4694-ac62-58d3654453b5\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Infrastructure analysis\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n text-align: center;\\r\\n font-size: 
30px;\\r\\n}\",\"background_color\":\"rgba(96,146,192,1)\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_49e69eda-a8d4-45f1-aefb-58f7bfa744ee_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":22,\"h\":15,\"i\":\"eb01da07-3037-4c6e-b554-054285f34ea0\"},\"panelIndex\":\"eb01da07-3037-4c6e-b554-054285f34ea0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-b76d886d-76fb-4171-bcd0-dd2f2c38c5db\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"treemap\",\"layers\":[{\"layerId\":\"b76d886d-76fb-4171-bcd0-dd2f2c38c5db\",\"groups\":[\"63d2e8c6-b00e-4f87-9594-7a9d19a8978c\"],\"metric\":\"d271e693-3e5c-4ad4-99c8-996162326158\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"NOT host.name : \\\"felix-agent\\\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b76d886d-76fb-4171-bcd0-dd2f2c38c5db\":{\"columns\":{\"63d2e8c6-b00e-4f87-9594-7a9d19a8978c\":{\"label\":\"Top values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"d271e693-3e5c-4ad4-99c8-996162326158\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false}},\"d271e693-3e5c-4ad4-99c8-996162326158\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"63d2e8c6-b00e-4f87-9594-7a9d19a8978c\",\"d271e693-3e5c-4ad4-99c8-996162326158\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Collected metrics per host\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":22,\"y\":26,\"w\":9,\"h\":15,\"i\":\"c64c3c5e-0974-489d-8559-6ef357e36618\"},\"panelIndex\":\"c64c3c5e-0974-489d-8559-6ef357e36618\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-f82c91d1-5be2-4052-9d6a-19073aebe8d7\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"f82c91d1-5be2-4052-9d6a-19073aebe8d7\",\"groups\":[\"5799d91b-b1ea-47e1-9011-c943dff30c67\"],\"metric\":\"53f67b0b-0126-45d4-b88a-59993d3191e6\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f82c91d1-5be2-4052-9d6a-19073aebe8d7\":{\"columns\":{\"5799d91b-b1ea-47e1-9011-c943dff30c67\":{\"label\":\"Top values of 
event.dataset\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"53f67b0b-0126-45d4-b88a-59993d3191e6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"53f67b0b-0126-45d4-b88a-59993d3191e6\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"5799d91b-b1ea-47e1-9011-c943dff30c67\",\"53f67b0b-0126-45d4-b88a-59993d3191e6\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Metric data sources\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":41,\"w\":48,\"h\":4,\"i\":\"a253b1a0-e01a-47df-be9e-3f2557a70b13\"},\"panelIndex\":\"a253b1a0-e01a-47df-be9e-3f2557a70b13\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"#### Compute\\n[Historical 
analysis](/app/dashboards#/view/f40ee870-5e4a-11ea-a4f6-717338406083)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":45,\"w\":24,\"h\":4,\"i\":\"22d7ebb3-c97b-45b6-ac38-cbd0889a9e36\"},\"panelIndex\":\"22d7ebb3-c97b-45b6-ac38-cbd0889a9e36\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"644e40fb-777c-4fc3-aca7-5aa77a071114\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"7d440687-1f12-4548-bef2-0547926e6b83\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"1ee35dea-274b-4f10-856e-6d8be1ae1782\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Metrics\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n position: relative;\\r\\n background: #fa744eff;\\r\\n -webkit-border-radius: 10px;\\r\\n -moz-border-radius: 10px;\\r\\n border-radius: 10px; \\r\\n width: 100%; \\r\\n height: 50px;\\r\\n text-align: center;\\r\\n padding-top: 10px;\\r\\n color: #fff;\\r\\n font-weight: 500;\\r\\n font-size: 20px;\\r\\n font-family: Inter;\\r\\n}\\r\\n\\r\\np:before {\\r\\n content: \\\"\\\";\\r\\n position: absolute;\\r\\n top: 50px;\\r\\n left: 49%;\\r\\n z-index: 1;\\r\\n border: solid 
15px transparent;\\r\\n border-top-color: #fa744eff;\\r\\n}\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_22d7ebb3-c97b-45b6-ac38-cbd0889a9e36_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":45,\"w\":24,\"h\":4,\"i\":\"9766e395-8c4b-43d4-aaaa-5b6311e28188\"},\"panelIndex\":\"9766e395-8c4b-43d4-aaaa-5b6311e28188\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"644e40fb-777c-4fc3-aca7-5aa77a071114\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"7d440687-1f12-4548-bef2-0547926e6b83\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"1ee35dea-274b-4f10-856e-6d8be1ae1782\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Logs\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n position: relative;\\r\\n background: #54bcb2ff;\\r\\n -webkit-border-radius: 10px;\\r\\n -moz-border-radius: 10px;\\r\\n border-radius: 10px; \\r\\n width: 100%; \\r\\n height: 50px;\\r\\n text-align: center;\\r\\n padding-top: 10px;\\r\\n color: #fff;\\r\\n font-weight: 500;\\r\\n font-size: 20px;\\r\\n font-family: 
Inter;\\r\\n}\\r\\n\\r\\np:before {\\r\\n content: \\\"\\\";\\r\\n position: absolute;\\r\\n top: 50px;\\r\\n left: 49.3%;\\r\\n z-index: 1;\\r\\n border: solid 15px transparent;\\r\\n border-top-color: #54bcb2ff;\\r\\n}\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_9766e395-8c4b-43d4-aaaa-5b6311e28188_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":49,\"w\":24,\"h\":15,\"i\":\"d1481c72-82dc-48f0-805b-554b82e97e2c\"},\"panelIndex\":\"d1481c72-82dc-48f0-805b-554b82e97e2c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-ac8895bf-16d0-4292-b5cb-5d1ef9a4df03\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"ac8895bf-16d0-4292-b5cb-5d1ef9a4df03\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"ddff06a4-2585-48c5-8657-1f75ce0a46a6\"},{\"isTransposed\":false,\"columnId\":\"c00df0f7-b260-4514-86ad-89075cb7f9d6\"},{\"columnId\":\"da97a87f-c9f9-4d5a-a514-9249b16cabcc\",\"isTransposed\":false},{\"columnId\":\"bf118770-39a2-4aa2-9247-e669463bfd09\",\"isTransposed\":false},{\"columnId\":\"3a05b534-3bf6-4fbd-b2f2-78d8eb279cd4\",\"isTransposed\":false}],\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"event.dataset : \\\"gcp.compute\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ac8895bf-16d0-4292-b5cb-5d1ef9a4df03\":{\"columns\":{\"ddff06a4-2585-48c5-8657-1f75ce0a46a6\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c00df0f7-b260-4514-86ad-89075cb7f9d6\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false},\"customLabel\":true},\"c00df0f7-b260-4514-86ad-89075cb7f9d6\":{\"label\":\"cpu.usage\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"gcp.compute.instance.cpu.usage.pct\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"format\":{\"id\":\"percent\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"da97a87f-c9f9-4d5a-a514-9249b16cabcc\":{\"label\":\"reserved_cores\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"gcp.compute.instance.cpu.reserved_cores.value\",\"isBucketed\":false,\"scale\":\"ratio\",\"customLabel\":true},\"bf118770-39a2-4aa2-9247-e669463bfd09\":{\"label\":\"ram_used\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"gcp.compute.instance.memory.balloon.ram_used.value\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"3a05b534-3bf6-4fbd-b2f2-78d8eb279cd4\":{\"label\":\"uptime_total 
(s)\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"gcp.compute.instance.uptime_total.sec\",\"isBucketed\":false,\"scale\":\"ratio\",\"customLabel\":true}},\"columnOrder\":[\"ddff06a4-2585-48c5-8657-1f75ce0a46a6\",\"da97a87f-c9f9-4d5a-a514-9249b16cabcc\",\"c00df0f7-b260-4514-86ad-89075cb7f9d6\",\"bf118770-39a2-4aa2-9247-e669463bfd09\",\"3a05b534-3bf6-4fbd-b2f2-78d8eb279cd4\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"search\",\"gridData\":{\"x\":24,\"y\":49,\"w\":24,\"h\":15,\"i\":\"cc1ef889-a45c-405f-bb4c-c4019f90f91f\"},\"panelIndex\":\"cc1ef889-a45c-405f-bb4c-c4019f90f91f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc1ef889-a45c-405f-bb4c-c4019f90f91f\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":4,\"i\":\"459faf62-86cf-4a6b-b512-054637c4f4ce\"},\"panelIndex\":\"459faf62-86cf-4a6b-b512-054637c4f4ce\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"#### Pub/Sub\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":21,\"i\":\"f2f96eaa-23a5-441b-817d-248a71261527\"},\"panelIndex\":\"f2f96eaa-23a5-441b-817d-248a71261527\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f2f96eaa-23a5-441b-817d-248a71261527\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":89,\"w\":48,\"h\":4,\"i\":\"8729c6c1-f86e-4a30-951d-b50938d6bff4\"},\"panelIndex\":\"8729c6c1-f86e-4a30-951d-b50938d6bff4\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"#### 
Storage\\n[Historical analysis](#/view/ca401040-8e52-11ea-9fa6-4d675d5290dc)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":93,\"w\":24,\"h\":4,\"i\":\"86421d57-f18c-40dd-8874-cd398cc23ff5\"},\"panelIndex\":\"86421d57-f18c-40dd-8874-cd398cc23ff5\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true},\"panelRefName\":\"panel_86421d57-f18c-40dd-8874-cd398cc23ff5\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":93,\"w\":24,\"h\":4,\"i\":\"9ef9e734-4e67-449a-b01a-25e00c890850\"},\"panelIndex\":\"9ef9e734-4e67-449a-b01a-25e00c890850\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_9ef9e734-4e67-449a-b01a-25e00c890850\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":97,\"w\":16,\"h\":14,\"i\":\"4ff68d23-8672-4f9a-bc03-3157a5215eec\"},\"panelIndex\":\"4ff68d23-8672-4f9a-bc03-3157a5215eec\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-4f6e49ee-7d49-4749-9a5b-69c1a8e21fd8\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"4f6e49ee-7d49-4749-9a5b-69c1a8e21fd8\",\"groups\":[\"7e166e7b-1503-491c-b604-490b44ab237e\"],\"metric\":\"65118e16-3d03-4789-ad1b-6dfb71844f89\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"event.dataset : \\\"gcp.storage\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4f6e49ee-7d49-4749-9a5b-69c1a8e21fd8\":{\"columns\":{\"7e166e7b-1503-491c-b604-490b44ab237e\":{\"label\":\"Top values of gcp.labels.metrics.response_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.labels.metrics.response_code\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"65118e16-3d03-4789-ad1b-6dfb71844f89\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"65118e16-3d03-4789-ad1b-6dfb71844f89\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"7e166e7b-1503-491c-b604-490b44ab237e\",\"65118e16-3d03-4789-ad1b-6dfb71844f89\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Access Response Codes\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":97,\"w\":13,\"h\":14,\"i\":\"f9172858-9353-4c58-a482-2ffe5aa58234\"},\"panelIndex\":\"f9172858-9353-4c58-a482-2ffe5aa58234\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-7e09bc3d-8d91-48f9-a780-8211d30d4b86\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"7e09bc3d-8d91-48f9-a780-8211d30d4b86\",\"groups\":[\"a52666f2-f2ad-409d-b3f6-ee16d8a6097c\"],\"metric\":\"2eea11f9-ac8f-4cb1-a47e-1545d2650320\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"que
ry\":{\"query\":\"service.type : \\\"gcp.audit\\\" and service.name: \\\"storage.googleapis.com\\\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7e09bc3d-8d91-48f9-a780-8211d30d4b86\":{\"columns\":{\"a52666f2-f2ad-409d-b3f6-ee16d8a6097c\":{\"label\":\"Top values of resource.labels.bucket_name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"resource.labels.bucket_name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2eea11f9-ac8f-4cb1-a47e-1545d2650320\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"2eea11f9-ac8f-4cb1-a47e-1545d2650320\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"a52666f2-f2ad-409d-b3f6-ee16d8a6097c\",\"2eea11f9-ac8f-4cb1-a47e-1545d2650320\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"ff6c0021-2857-4950-bfe9-323bb6b98080\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Analyze bucket\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true}}}]}}},\"title\":\"Storage related audit 
logs\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":97,\"w\":11,\"h\":14,\"i\":\"b5781c0b-6887-4745-9f14-4c04bc497ab4\"},\"panelIndex\":\"b5781c0b-6887-4745-9f14-4c04bc497ab4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-4958b59e-9531-4d0b-8779-1e431db4cd07\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"4958b59e-9531-4d0b-8779-1e431db4cd07\",\"groups\":[\"989e562c-c13a-4a8d-a38a-dcb56563dcb1\"],\"metric\":\"57fe9793-5ae7-4910-907c-a4b2c3a1bf55\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"event.dataset : \\\"gcp.audit\\\" and service.name : \\\"storage.googleapis.com\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4958b59e-9531-4d0b-8779-1e431db4cd07\":{\"columns\":{\"989e562c-c13a-4a8d-a38a-dcb56563dcb1\":{\"label\":\"Top values of gcp.audit.method_name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.audit.method_name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"57fe9793-5ae7-4910-907c-a4b2c3a1bf55\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"57fe9793-5ae7-4910-907c-a4b2c3a1bf55\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"columnOrder\":[\"989e562c-c13a-4a8d-a38a-dcb56563dcb1\",\"57fe9793-5ae7-4910-907c-a4b2c3a1bf55\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":111,\"w\":24,\"h\":15,\"i\":\"f09d8125-09c8-4b1c-a1b6-9df1d628fde3\"},\"panelIndex\":\"f09d8125-09c8-4b1c-a1b6-9df1d628fde3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-a45fa57d-1dda-48fc-85ce-84ba57f1763a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"a45fa57d-1dda-48fc-85ce-84ba57f1763a\",\"accessors\":[\"ee4ed363-245d-4cb9-b500-d0551f62de80\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\",\"xAccessor\":\"5027002b-7fff-4b8a-8259-c95daf77a021\"}],\"yRightExtent\":{\"mode\":\"full\"},\"yLeftExtent\":{\"mode\":\"full\"}},\"query\":{\"query\":\"event.dataset : \\\"gcp.storage\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a45fa57d-1dda-48fc-85ce-84ba57f1763a\":{\"columns\":{\"ee4ed363-245d-4cb9-b500-d0551f62de80\":{\"label\":\"Average of 
gcp.storage.storage.total.bytes\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"gcp.storage.storage.total.bytes\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":0}}}},\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\":{\"label\":\"Top values of resource.labels.bucket_name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"resource.labels.bucket_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ee4ed363-245d-4cb9-b500-d0551f62de80\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"5027002b-7fff-4b8a-8259-c95daf77a021\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}}},\"columnOrder\":[\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\",\"5027002b-7fff-4b8a-8259-c95daf77a021\",\"ee4ed363-245d-4cb9-b500-d0551f62de80\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"03394478-c5cb-4e71-901d-92d977af78eb\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Analyze bucket\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true}}}]}}},\"title\":\"Usage in Bytes per 
Bucket\"},{\"version\":\"8.4.1\",\"type\":\"search\",\"gridData\":{\"x\":24,\"y\":111,\"w\":24,\"h\":30,\"i\":\"99e87e22-f2a8-411b-8f1c-7f5e7c366d8f\"},\"panelIndex\":\"99e87e22-f2a8-411b-8f1c-7f5e7c366d8f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_99e87e22-f2a8-411b-8f1c-7f5e7c366d8f\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":126,\"w\":24,\"h\":15,\"i\":\"579c6131-8811-4f1a-b321-949c8b911129\"},\"panelIndex\":\"579c6131-8811-4f1a-b321-949c8b911129\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-a45fa57d-1dda-48fc-85ce-84ba57f1763a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"a45fa57d-1dda-48fc-85ce-84ba57f1763a\",\"accessors\":[\"ee4ed363-245d-4cb9-b500-d0551f62de80\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\",\"xAccessor\":\"5027002b-7fff-4b8a-8259-c95daf77a021\"}],\"yRightExtent\":{\"mode\":\"full\"},\"yLeftExtent\":{\"mode\":\"full\"}},\"query\":{\"query\":\"event.dataset : \\\"gcp.storage\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a45fa57d-1dda-48fc-85ce-84ba57f1763a\":{\"columns\":{\"ee4ed363-245d-4cb9-b500-d0551f62de80\":{\"label\":\"API request 
count\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"gcp.storage.api.request.count\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{},\"customLabel\":true},\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\":{\"label\":\"Top values of gcp.labels.resource.bucket_name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.labels.resource.bucket_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ee4ed363-245d-4cb9-b500-d0551f62de80\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"5027002b-7fff-4b8a-8259-c95daf77a021\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}}},\"columnOrder\":[\"ada4334a-e1af-46a6-92fb-342a42e8c9f4\",\"5027002b-7fff-4b8a-8259-c95daf77a021\",\"ee4ed363-245d-4cb9-b500-d0551f62de80\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Usage in API calls per 
Bucket\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":141,\"w\":48,\"h\":4,\"i\":\"c503e460-3464-4390-86f5-1fd4a6f87196\"},\"panelIndex\":\"c503e460-3464-4390-86f5-1fd4a6f87196\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"763b6711-676d-41d1-8e36-46692dc79716\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"b3bde219-a04b-45af-83a5-f3f3ede99749\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"4ac2bc10-b620-4694-ac62-58d3654453b5\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Network analysis\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n text-align: center;\\r\\n font-size: 
30px;\\r\\n}\",\"background_color\":\"rgba(84,179,153,1)\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_c503e460-3464-4390-86f5-1fd4a6f87196_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":145,\"w\":48,\"h\":14,\"i\":\"0f017b89-39ad-46d0-a2af-a542016315f6\"},\"panelIndex\":\"0f017b89-39ad-46d0-a2af-a542016315f6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0f017b89-39ad-46d0-a2af-a542016315f6\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":159,\"w\":48,\"h\":12,\"i\":\"73fd5e77-e984-4688-8553-25efea5fc818\"},\"panelIndex\":\"73fd5e77-e984-4688-8553-25efea5fc818\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"position\":\"top\",\"seriesType\"
:\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\",\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\"}]},\"query\":{\"query\":\"event.dataset : \\\"gcp.firewall\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"label\":\"Events\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"customLabel\":true},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"label\":\"Top values of gcp.firewall.rule_details.action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}}},\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Firewall events over time\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":171,\"w\":24,\"h\":15,\"i\":\"a6c71d75-eb2e-4a2f-a63a-02e4993b20af\"},\"panelIndex\":\"a6c71d75-eb2e-4a2f-a63a-02e4993b20af\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"[GCP] Sankey Source to Destination 
network\",\"panelRefName\":\"panel_a6c71d75-eb2e-4a2f-a63a-02e4993b20af\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":171,\"w\":24,\"h\":30,\"i\":\"2b9548ac-4e83-496c-9769-ba40ef99698c\"},\"panelIndex\":\"2b9548ac-4e83-496c-9769-ba40ef99698c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"1bd60400-9a04-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"position\":\"right\",\"type\":\"lens_heatmap_legendConfig\",\"maxLines\":2,\"shouldTruncate\":false,\"legendSize\":\"auto\"},\"gridConfig\":{\"type\":\"lens_heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true},\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"palette\":{\"type\":\"palette\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}],\"rangeMin\":0,\"rangeMax\":80},\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columns\":{\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"label\":\"Total 
bytes\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"network.bytes\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"label\":\"Source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true},\"customLabel\":true},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"label\":\"Destination\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true},\"customLabel\":true}},\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Sum of bytes between source and 
destination\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":186,\"w\":24,\"h\":15,\"i\":\"812deca8-6df0-4bfb-bb19-a25f4f271c44\"},\"panelIndex\":\"812deca8-6df0-4bfb-bb19-a25f4f271c44\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_812deca8-6df0-4bfb-bb19-a25f4f271c44\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":201,\"w\":48,\"h\":4,\"i\":\"0dfe9db2-92b4-40c1-99b6-036dad508051\"},\"panelIndex\":\"0dfe9db2-92b4-40c1-99b6-036dad508051\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"763b6711-676d-41d1-8e36-46692dc79716\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"b3bde219-a04b-45af-83a5-f3f3ede99749\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"4ac2bc10-b620-4694-ac62-58d3654453b5\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Cost analysis\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n text-align: center;\\r\\n font-size: 
30px;\\r\\n}\",\"background_color\":\"rgba(96,146,192,1)\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_0dfe9db2-92b4-40c1-99b6-036dad508051_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":205,\"w\":12,\"h\":9,\"i\":\"70e5c7ed-ecb6-4a69-9c38-3dc0857d5224\"},\"panelIndex\":\"70e5c7ed-ecb6-4a69-9c38-3dc0857d5224\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"df7b5a80-e343-11ec-b9dc-7d1db9e51c26\",\"name\":\"indexpattern-datasource-layer-79fbce75-d3ec-40eb-97a8-da7a023c0c35\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"79fbce75-d3ec-40eb-97a8-da7a023c0c35\",\"groups\":[\"bf2e2cbc-7df9-4d65-94a4-418f36bfad2c\"],\"metric\":\"97a64abe-bdc6-4792-af54-c8253ac7a7eb\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"79fbce75-d3ec-40eb-97a8-da7a023c0c35\":{\"columns\":{\"bf2e2cbc-7df9-4d65-94a4-418f36bfad2c\":{\"label\":\"Top 5 values of project.name.keyword\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"project.name.keyword\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"97a64abe-bdc6-4792-af54-c8253ac7a7eb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"97a64abe-bdc6-4792-af54-c8253ac7a7eb\":{\"label\":\"Sum of 
cost\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"cost\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"bf2e2cbc-7df9-4d65-94a4-418f36bfad2c\",\"97a64abe-bdc6-4792-af54-c8253ac7a7eb\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Cost per project\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":205,\"w\":12,\"h\":9,\"i\":\"138a3873-25ed-464b-8bcf-1f96b4eda2e0\"},\"panelIndex\":\"138a3873-25ed-464b-8bcf-1f96b4eda2e0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"fdf52f50-9a09-11ec-9e73-cd9488048b9c\",\"name\":\"indexpattern-datasource-layer-c08143e4-fc28-429b-94aa-96d17605b8d0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"c08143e4-fc28-429b-94aa-96d17605b8d0\",\"groups\":[\"b18f3373-b63f-45b9-b57f-53727f282bb7\",\"5e56e383-a36f-4f8a-a516-ebe63661d83e\"],\"metric\":\"9f4f82af-9329-49f9-88fc-9ef51c312d7e\",\"numberDisplay\":\"value\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendSize\":\"auto\"}]},\"query\":{\"query\":\"event.dataset : \\\"gcp.compute\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c08143e4-fc28-429b-94aa-96d17605b8d0\":{\"columns\":{\"b18f3373-b63f-45b9-b57f-53727f282bb7\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"gcp.compute.instance.cpu.usage.pct <= 20\",\"language\":\"kuery\"},\"label\":\"Underutilized\"},{\"input\":{\"query\":\"gcp.compute.instance.cpu.usage.pct >= 
80\",\"language\":\"kuery\"},\"label\":\"Reaching limits\"}]}},\"9f4f82af-9329-49f9-88fc-9ef51c312d7e\":{\"label\":\"Instance\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"cloud.instance.name\",\"isBucketed\":false,\"customLabel\":true},\"5e56e383-a36f-4f8a-a516-ebe63661d83e\":{\"label\":\"Top values of cloud.instance.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\",\"isBucketed\":true,\"params\":{\"size\":50,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9f4f82af-9329-49f9-88fc-9ef51c312d7e\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}}},\"columnOrder\":[\"b18f3373-b63f-45b9-b57f-53727f282bb7\",\"5e56e383-a36f-4f8a-a516-ebe63661d83e\",\"9f4f82af-9329-49f9-88fc-9ef51c312d7e\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Amount of VMs under or over utilized\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":205,\"w\":24,\"h\":9,\"i\":\"23b90fe8-b800-446f-87d4-424b4421ef76\"},\"panelIndex\":\"23b90fe8-b800-446f-87d4-424b4421ef76\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"This is an high level overview of the current cost structure within Google Cloud. Its based on the BigQuery Billing data export within Google Cloud. In order to make the analysis as useful as possible its important to have very detailed billing data. \\n\\nWhile analyzing the current cost can help to understand who is spending most the more important part is to identify possible savings. Elastic can help doing this by identifying underutilized and unused resources. 
\\n\\nClick [here](#123) to for some suggestions.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":214,\"w\":48,\"h\":12,\"i\":\"26b33de3-63a8-4122-bf20-1f8338baf102\"},\"panelIndex\":\"26b33de3-63a8-4122-bf20-1f8338baf102\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetricNew\",\"type\":\"lens\",\"references\":[{\"id\":\"df7b5a80-e343-11ec-b9dc-7d1db9e51c26\",\"name\":\"indexpattern-datasource-layer-62b71fec-26a7-4020-be6d-a82bf91acb3a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"62b71fec-26a7-4020-be6d-a82bf91acb3a\",\"layerType\":\"data\",\"metricAccessor\":\"df9e1358-019a-4c3d-b854-9b8666398c8d\",\"breakdownByAccessor\":\"4b4160c7-2f4f-45ea-9b91-f86936d9b7e3\",\"secondaryMetricAccessor\":\"1fd29078-a1d6-47de-9ae4-d9a6e6a927a0\",\"secondaryPrefix\":\"Credits\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"62b71fec-26a7-4020-be6d-a82bf91acb3a\":{\"columns\":{\"df9e1358-019a-4c3d-b854-9b8666398c8d\":{\"label\":\"Sum of cost\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"cost\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}},\"4b4160c7-2f4f-45ea-9b91-f86936d9b7e3\":{\"label\":\"Top 5 values of service.description.keyword\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"service.description.keyword\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"df9e1358-019a-4c3d-b854-9b8666398c8d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"1fd29078-a1d6-47de-9ae4-d9a6e6a927a0\":{\"label\":\"Sum of 
credits.amount\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"credits.amount\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4b4160c7-2f4f-45ea-9b91-f86936d9b7e3\",\"df9e1358-019a-4c3d-b854-9b8666398c8d\",\"1fd29078-a1d6-47de-9ae4-d9a6e6a927a0\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}}]","timeRestore":false,"title":"[Google Cloud] Overview","version":1},"coreMigrationVersion":"8.4.1","id":"34518930-c161-11ec-a663-3dcfabdeadb8","migrationVersion":{"dashboard":"8.4.0"},"references":[{"id":"metrics-*","name":"31106f85-c89c-478c-94ec-881bc2c28d84:metrics_31106f85-c89c-478c-94ec-881bc2c28d84_0_index_pattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"ec48927f-c88c-406c-b72a-21d1678cad32:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"ec48927f-c88c-406c-b72a-21d1678cad32:indexpattern-datasource-layer-0952adb9-5cf8-45b2-8cf7-17dbe2e513c4","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"35a2804f-97bb-4d66-a898-d29e9fca9249:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"35a2804f-97bb-4d66-a898-d29e9fca9249:indexpattern-datasource-layer-4f847068-8c3f-45e7-af92-62b19de4de81","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"127988b1-d18b-4c05-b6ba-08b0c27d42ad:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"127988b1-d18b-4c05-b6ba-08b0c27d42ad:indexpattern-datasource-layer-92bb8c52-6c12-456f-bf57-ba639a334d12","type":"index-pattern"},{"id":"ee75e580-1822-11ea-a279-cf37f62e6395","name":"29780e76-27af-4bf8-a791-6ae98d19a91a:panel_29780e76-27af-4bf8-a791-6ae98d19a91a","type":"visualization"},{"id":"8b5b9b10-9e0e-11ec-987d-697a56940492","name":"1c76ef12-d9b9-48b5-8c94-3e7afcbb4d10:index
pattern-datasource-layer-fc12a422-351d-4fb4-ae16-35a49bfb0ffe","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"8e936240-f0f6-4cb0-9622-611e84ee3ee2:indexpattern-datasource-layer-932b2bd6-ece2-4102-8adf-a601e58b0e29","type":"index-pattern"},{"id":"logs-*","name":"101832e2-8b59-4aa2-8213-708ef0a4fae6:metrics_101832e2-8b59-4aa2-8213-708ef0a4fae6_0_index_pattern","type":"index-pattern"},{"id":"logs-*","name":"49e69eda-a8d4-45f1-aefb-58f7bfa744ee:metrics_49e69eda-a8d4-45f1-aefb-58f7bfa744ee_0_index_pattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"eb01da07-3037-4c6e-b554-054285f34ea0:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"eb01da07-3037-4c6e-b554-054285f34ea0:indexpattern-datasource-layer-b76d886d-76fb-4171-bcd0-dd2f2c38c5db","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"c64c3c5e-0974-489d-8559-6ef357e36618:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"c64c3c5e-0974-489d-8559-6ef357e36618:indexpattern-datasource-layer-f82c91d1-5be2-4052-9d6a-19073aebe8d7","type":"index-pattern"},{"id":"logs-*","name":"22d7ebb3-c97b-45b6-ac38-cbd0889a9e36:metrics_22d7ebb3-c97b-45b6-ac38-cbd0889a9e36_0_index_pattern","type":"index-pattern"},{"id":"logs-*","name":"9766e395-8c4b-43d4-aaaa-5b6311e28188:metrics_9766e395-8c4b-43d4-aaaa-5b6311e28188_0_index_pattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"d1481c72-82dc-48f0-805b-554b82e97e2c:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"d1481c72-82dc-48f0-805b-554b82e97e2c:indexpattern-datasource-layer-ac8895bf-16d0-4292-b5cb-5d1ef9a4df03","type":"index-pattern"},{"id":"d600e7f0-e1d5-11ec-811c-21b61472328d","name":"cc1ef889-a45c-405f-bb4c-c4019f90f91f:panel_cc1ef889-a45c-405f-bb4c-c
4019f90f91f","type":"search"},{"id":"27fa6380-e1d4-11ec-811c-21b61472328d","name":"f2f96eaa-23a5-441b-817d-248a71261527:panel_f2f96eaa-23a5-441b-817d-248a71261527","type":"search"},{"id":"0837b230-c9ee-11ec-a663-3dcfabdeadb8","name":"86421d57-f18c-40dd-8874-cd398cc23ff5:panel_86421d57-f18c-40dd-8874-cd398cc23ff5","type":"visualization"},{"id":"67d64da0-c9ee-11ec-a663-3dcfabdeadb8","name":"9ef9e734-4e67-449a-b01a-25e00c890850:panel_9ef9e734-4e67-449a-b01a-25e00c890850","type":"visualization"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"4ff68d23-8672-4f9a-bc03-3157a5215eec:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"4ff68d23-8672-4f9a-bc03-3157a5215eec:indexpattern-datasource-layer-4f6e49ee-7d49-4749-9a5b-69c1a8e21fd8","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"f9172858-9353-4c58-a482-2ffe5aa58234:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"f9172858-9353-4c58-a482-2ffe5aa58234:indexpattern-datasource-layer-7e09bc3d-8d91-48f9-a780-8211d30d4b86","type":"index-pattern"},{"id":"78e2bff0-e250-11ec-b9dc-7d1db9e51c26","name":"f9172858-9353-4c58-a482-2ffe5aa58234:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:ff6c0021-2857-4950-bfe9-323bb6b98080:dashboardId","type":"dashboard"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"b5781c0b-6887-4745-9f14-4c04bc497ab4:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"b5781c0b-6887-4745-9f14-4c04bc497ab4:indexpattern-datasource-layer-4958b59e-9531-4d0b-8779-1e431db4cd07","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"f09d8125-09c8-4b1c-a1b6-9df1d628fde3:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"f09d8125-09c8-4b1c-a1b6-9df1d628fde3:indexpattern-datasource-
layer-a45fa57d-1dda-48fc-85ce-84ba57f1763a","type":"index-pattern"},{"id":"78e2bff0-e250-11ec-b9dc-7d1db9e51c26","name":"f09d8125-09c8-4b1c-a1b6-9df1d628fde3:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:03394478-c5cb-4e71-901d-92d977af78eb:dashboardId","type":"dashboard"},{"id":"918a1440-e025-11ec-811c-21b61472328d","name":"99e87e22-f2a8-411b-8f1c-7f5e7c366d8f:panel_99e87e22-f2a8-411b-8f1c-7f5e7c366d8f","type":"search"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"579c6131-8811-4f1a-b321-949c8b911129:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"579c6131-8811-4f1a-b321-949c8b911129:indexpattern-datasource-layer-a45fa57d-1dda-48fc-85ce-84ba57f1763a","type":"index-pattern"},{"id":"logs-*","name":"c503e460-3464-4390-86f5-1fd4a6f87196:metrics_c503e460-3464-4390-86f5-1fd4a6f87196_0_index_pattern","type":"index-pattern"},{"id":"a864cf30-2796-11ed-8b66-293f5fd86974","name":"0f017b89-39ad-46d0-a2af-a542016315f6:panel_0f017b89-39ad-46d0-a2af-a542016315f6","type":"visualization"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"73fd5e77-e984-4688-8553-25efea5fc818:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"73fd5e77-e984-4688-8553-25efea5fc818:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f","type":"index-pattern"},{"id":"b7c12f20-7466-11ec-adfa-5dd9fdfc6ea6","name":"a6c71d75-eb2e-4a2f-a63a-02e4993b20af:panel_a6c71d75-eb2e-4a2f-a63a-02e4993b20af","type":"visualization"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"2b9548ac-4e83-496c-9769-ba40ef99698c:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"1bd60400-9a04-11ec-9e73-cd9488048b9c","name":"2b9548ac-4e83-496c-9769-ba40ef99698c:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97","type":"index-pattern"},{"id":"b64abe60-e1d8-11ec-811c-21b61472328d","name":"812deca8-6df0-4bfb-bb19-a25f4f271c44:
panel_812deca8-6df0-4bfb-bb19-a25f4f271c44","type":"visualization"},{"id":"logs-*","name":"0dfe9db2-92b4-40c1-99b6-036dad508051:metrics_0dfe9db2-92b4-40c1-99b6-036dad508051_0_index_pattern","type":"index-pattern"},{"id":"df7b5a80-e343-11ec-b9dc-7d1db9e51c26","name":"70e5c7ed-ecb6-4a69-9c38-3dc0857d5224:indexpattern-datasource-layer-79fbce75-d3ec-40eb-97a8-da7a023c0c35","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"138a3873-25ed-464b-8bcf-1f96b4eda2e0:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"fdf52f50-9a09-11ec-9e73-cd9488048b9c","name":"138a3873-25ed-464b-8bcf-1f96b4eda2e0:indexpattern-datasource-layer-c08143e4-fc28-429b-94aa-96d17605b8d0","type":"index-pattern"},{"id":"df7b5a80-e343-11ec-b9dc-7d1db9e51c26","name":"26b33de3-63a8-4122-bf20-1f8338baf102:indexpattern-datasource-layer-62b71fec-26a7-4020-be6d-a82bf91acb3a","type":"index-pattern"},{"id":"c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","name":"tag-c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","type":"tag"}],"type":"dashboard","updated_at":"2022-09-23T11:54:35.262Z","version":"WzMxMjcsMV0="} +{"attributes":{"fieldAttrs":"{}","fields":"[]","name":"Google Cloud host profile","runtimeFieldMap":"{}","sourceFilters":"[]","title":"gcp-host-profile","typeMeta":"{}"},"coreMigrationVersion":"8.4.1","id":"91da29fc-b164-4d47-aa68-2dcf162d4233","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQxOCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":32,\"h\":7,\"i\":\"172d4c23-ac59-4aad-9f83-a7f0f5df838f\"},\"panelIndex\":\"172d4c23-ac59-4aad-9f83-a7f0f5df838f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"# Google Cloud cost optimizer\\nThis dashboard provides insight into possible savings based on usage data. Elastic can correlate Metrics, Logs and Billing data to find overprovisioned and unused resources.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":16,\"h\":7,\"i\":\"67b8b563-c1c8-4edf-8b16-e0fa589b6804\"},\"panelIndex\":\"67b8b563-c1c8-4edf-8b16-e0fa589b6804\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"91da29fc-b164-4d47-aa68-2dcf162d4233\",\"name\":\"indexpattern-datasource-layer-fa3c4303-b552-4295-a8b5-a59bea996cdc\"}],\"state\":{\"visualization\":{\"layerId\":\"fa3c4303-b552-4295-a8b5-a59bea996cdc\",\"accessor\":\"43b83672-5b55-4c9b-9a59-0e8c275629cb\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fa3c4303-b552-4295-a8b5-a59bea996cdc\":{\"columns\":{\"43b83672-5b55-4c9b-9a59-0e8c275629cbX0\":{\"label\":\"Part of Possible savings in 
$\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":1564},\"references\":[],\"customLabel\":true},\"43b83672-5b55-4c9b-9a59-0e8c275629cb\":{\"label\":\"Possible savings in $ per month\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"1564\",\"isFormulaBroken\":false},\"references\":[\"43b83672-5b55-4c9b-9a59-0e8c275629cbX0\"],\"customLabel\":true}},\"columnOrder\":[\"43b83672-5b55-4c9b-9a59-0e8c275629cb\",\"43b83672-5b55-4c9b-9a59-0e8c275629cbX0\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":7,\"w\":24,\"h\":5,\"i\":\"15a01bcb-93e4-415d-aec9-5ad4bde21d77\"},\"panelIndex\":\"15a01bcb-93e4-415d-aec9-5ad4bde21d77\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"644e40fb-777c-4fc3-aca7-5aa77a071114\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"7d440687-1f12-4548-bef2-0547926e6b83\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"1ee35dea-274b-4f10-856e-6d8be1ae1782\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Storage\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n position: 
relative;\\r\\n background: #fa744eff;\\r\\n -webkit-border-radius: 10px;\\r\\n -moz-border-radius: 10px;\\r\\n border-radius: 10px; \\r\\n width: 100%; \\r\\n height: 50px;\\r\\n text-align: center;\\r\\n padding-top: 10px;\\r\\n color: #fff;\\r\\n font-weight: 500;\\r\\n font-size: 20px;\\r\\n font-family: Inter;\\r\\n}\\r\\n\\r\\np:before {\\r\\n content: \\\"\\\";\\r\\n position: absolute;\\r\\n top: 50px;\\r\\n left: 49%;\\r\\n z-index: 1;\\r\\n border: solid 15px transparent;\\r\\n border-top-color: #fa744eff;\\r\\n}\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_15a01bcb-93e4-415d-aec9-5ad4bde21d77_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":7,\"w\":24,\"h\":5,\"i\":\"4134018a-0ddc-4561-8b87-d7eb8b2b44fb\"},\"panelIndex\":\"4134018a-0ddc-4561-8b87-d7eb8b2b44fb\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"644e40fb-777c-4fc3-aca7-5aa77a071114\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"7d440687-1f12-4548-bef2-0547926e6b83\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"id\":\"1ee35dea-274b-4f10-856e-6d8be1ae1782\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\
"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"markdown\":\"Compute\",\"isModelInvalid\":false,\"markdown_css\":\"p {\\r\\n position: relative;\\r\\n background: #fa744eff;\\r\\n -webkit-border-radius: 10px;\\r\\n -moz-border-radius: 10px;\\r\\n border-radius: 10px; \\r\\n width: 100%; \\r\\n height: 50px;\\r\\n text-align: center;\\r\\n padding-top: 10px;\\r\\n color: #fff;\\r\\n font-weight: 500;\\r\\n font-size: 20px;\\r\\n font-family: Inter;\\r\\n}\\r\\n\\r\\np:before {\\r\\n content: \\\"\\\";\\r\\n position: absolute;\\r\\n top: 50px;\\r\\n left: 49%;\\r\\n z-index: 1;\\r\\n border: solid 15px transparent;\\r\\n border-top-color: #fa744eff;\\r\\n}\",\"markdown_vertical_align\":\"middle\",\"index_pattern_ref_name\":\"metrics_4134018a-0ddc-4561-8b87-d7eb8b2b44fb_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.4.1\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":12,\"w\":24,\"h\":15,\"i\":\"c2ca06d4-503d-4590-90cf-8e168a3c6e81\"},\"panelIndex\":\"c2ca06d4-503d-4590-90cf-8e168a3c6e81\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"sort\":[[\"last_access\",\"asc\"],[\"resource.labels.bucket_name\",\"asc\"]]},\"title\":\"[GCP] GCS repos without 
access\",\"panelRefName\":\"panel_c2ca06d4-503d-4590-90cf-8e168a3c6e81\"},{\"version\":\"8.4.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":12,\"w\":24,\"h\":15,\"i\":\"766adb6a-dab2-466f-b170-b3620e13d63b\"},\"panelIndex\":\"766adb6a-dab2-466f-b170-b3620e13d63b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"91da29fc-b164-4d47-aa68-2dcf162d4233\",\"name\":\"indexpattern-datasource-layer-94d28cab-fe49-4d82-a6f9-88b319464e53\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"88bde20b-6864-48f5-a051-62dacc6864b2\",\"isTransposed\":false},{\"columnId\":\"8a2f6eb1-778e-4b15-9dba-80cb1b4fb562\",\"isTransposed\":false},{\"columnId\":\"ad96b9c4-172c-40c3-a810-63c36e343e18\",\"isTransposed\":false},{\"columnId\":\"e17793cb-13e1-45f8-b0a7-da97516c78a0\",\"isTransposed\":false}],\"layerId\":\"94d28cab-fe49-4d82-a6f9-88b319464e53\",\"layerType\":\"data\"},\"query\":{\"query\":\"host.cpu.usage.max <= 0.2\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"94d28cab-fe49-4d82-a6f9-88b319464e53\":{\"columns\":{\"88bde20b-6864-48f5-a051-62dacc6864b2\":{\"label\":\"Top 10 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8a2f6eb1-778e-4b15-9dba-80cb1b4fb562\"},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}}},\"8a2f6eb1-778e-4b15-9dba-80cb1b4fb562\":{\"label\":\"Max CPU\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"host.cpu.usage.max\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"percent\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"ad96b9c4-172c-40c3-a810-63c36e343e18\":{\"label\":\"Sum disk 
write\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"host.disk.write.bytes.sum\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"e17793cb-13e1-45f8-b0a7-da97516c78a0\":{\"label\":\"Sum network egress bytes\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"host.network.egress.bytes.sum\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true}},\"columnOrder\":[\"88bde20b-6864-48f5-a051-62dacc6864b2\",\"8a2f6eb1-778e-4b15-9dba-80cb1b4fb562\",\"ad96b9c4-172c-40c3-a810-63c36e343e18\",\"e17793cb-13e1-45f8-b0a7-da97516c78a0\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Compute instances with low resource usage\"}]","timeRestore":false,"title":"Google Cloud cost optimizer","version":1},"coreMigrationVersion":"8.4.1","id":"0745a060-3994-11ed-9f6d-29083095ff71","migrationVersion":{"dashboard":"8.4.0"},"references":[{"id":"91da29fc-b164-4d47-aa68-2dcf162d4233","name":"67b8b563-c1c8-4edf-8b16-e0fa589b6804:indexpattern-datasource-layer-fa3c4303-b552-4295-a8b5-a59bea996cdc","type":"index-pattern"},{"id":"metrics-*","name":"15a01bcb-93e4-415d-aec9-5ad4bde21d77:metrics_15a01bcb-93e4-415d-aec9-5ad4bde21d77_0_index_pattern","type":"index-pattern"},{"id":"metrics-*","name":"4134018a-0ddc-4561-8b87-d7eb8b2b44fb:metrics_4134018a-0ddc-4561-8b87-d7eb8b2b44fb_0_index_pattern","type":"index-pattern"},{"id":"80fff320-e263-11ec-b9dc-7d1db9e51c26","name":"c2ca06d4-503d-4590-90cf-8e168a3c6e81:panel_c2ca06d4-503d-4590-90cf-8e168a3c6e81","type":"search"},{"id":"91da29fc-b164-4d47-aa68-2dcf162d4233","name":"766adb6a-dab2-466f-b170-b3620e13d63b:indexpattern-datasource-layer-94d28cab-fe49-4d82-a6f9-88b319464e53","type":"index-pattern"},{"id":"c6b63650-7462-11ec-adfa-5dd9fdfc6ea6","name":"tag-c6b63650
-7462-11ec-adfa-5dd9fdfc6ea6","type":"tag"}],"type":"dashboard","updated_at":"2022-09-23T11:33:18.788Z","version":"WzQ3NSwxXQ=="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":23,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/default-policy.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/default-policy.json new file mode 100644 index 000000000..bab414ae3 --- /dev/null +++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/default-policy.json @@ -0,0 +1 @@ +{ "name": "${policy_name}", "description": "Terraformed policy", "namespace": "default", "monitoring_enabled": [ "logs", "metrics" ]} \ No newline at end of file diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/es_api_key.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_api_key.json new file mode 100644 index 000000000..dccd71b19 --- /dev/null +++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_api_key.json @@ -0,0 +1,3 @@ +{ + "name": "${elastic-api-key-name}" +} diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/es_host_transform.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_host_transform.json new file mode 100644 index 000000000..b460b145b --- /dev/null +++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_host_transform.json 
@@ -0,0 +1,51 @@
+{
+ "source": {
+ "index": [
+ "metric*"
+ ]
+ },
+ "pivot": {
+ "group_by": {
+ "host.name": {
+ "terms": {
+ "field": "host.name"
+ }
+ }
+ },
+ "aggregations": {
+ "host.cpu.usage.max": {
+ "max": {
+ "field": "gcp.compute.instance.cpu.usage.pct"
+ }
+ },
+ "host.memory.usage.max": {
+ "max": {
+ "field": "gcp.compute.instance.memory.balloon.ram_used.value"
+ }
+ },
+ "host.disk.write.bytes.sum": {
+ "sum": {
+ "field": "gcp.compute.instance.disk.write.bytes"
+ }
+ },
+ "host.network.egress.bytes.sum": {
+ "sum": {
+ "field": "gcp.compute.instance.network.egress.bytes"
+ }
+ },
+ "last_data": {
+ "max": {
+ "field": "@timestamp"
+ }
+ }
+ }
+ },
+ "dest": {
+ "index": "gcp-host-profile"
+ },
+ "sync": {
+ "time": {
+ "field": "@timestamp"
+ }
+ }
+}
diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/es_repo_transform.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_repo_transform.json
new file mode 100644
index 000000000..e315eb2bc
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_repo_transform.json
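Review bot: The source index pattern `metric*` is not narrowed to the GCP compute dataset, so any metrics document that carries `host.name` (for example system metrics from the agent VM itself, if that integration is ever enabled) produces a row in `gcp-host-profile` whose `gcp.*`-based aggregations are empty while `last_data` is still populated. The sibling es_vpc_flow_transform.json bounds its source with a `match_phrase` on `event.dataset`; the same `"query"` block under `"source"`, with `"event.dataset": "gcp.compute"` (the dataset name the integration policy uses), would keep the destination index to the hosts that the dashboard query `host.cpu.usage.max <= 0.2` is meant to cover. The file also lacks the `"description"` field that es_repo_transform.json carries; `"description": "Aggregates gcp.compute metrics into a per-host resource usage profile"` would help whoever reads the transform list in Kibana.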
@@ -0,0 +1,45 @@
+{
+ "source": {
+ "index": [
+ "logs*"
+ ],
+ "runtime_mappings": {
+ "repo": {
+ "type": "keyword",
+ "script": {
+ "source": "if (doc.containsKey('repository')) {\r\n emit (doc['repository'].value);\r\n return;\r\n}\r\n\r\ndef fieldname = \"gcp.audit.resource_name\";\r\nif (!doc.containsKey(fieldname)) {\r\n return;\r\n}\r\nif (doc[fieldname].size()>0) {\r\n def field_value = doc[fieldname].value;\r\n if (field_value != null) {\r\n String repo=grok('objects/%%{HOSTNAME:repo}').extract(field_value)?.repo;\r\n if (repo != null) emit(repo); \r\n return;\r\n }\r\n}"
+ }
+ }
+ }
+ },
+ "pivot": {
+ "group_by": {
+ "repository": {
+ "terms": {
+ "field": "repo"
+ }
+ },
+ "resource.labels.bucket_name": {
+ "terms": {
+ "field": "resource.labels.bucket_name"
+ }
+ }
+ },
+ "aggregations": {
+ "last_access": {
+ "max": {
+ "field": "@timestamp"
+ }
+ }
+ }
+ },
+ "description": "Transforms logs data into GCS usage profile",
+ "dest": {
+ "index": "gcs-repos"
+ },
+ "sync": {
+ "time": {
+ "field": "@timestamp"
+ }
+ }
+}
diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/es_rule_activation.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_rule_activation.json
new file mode 100644
index 000000000..417e6d4f8
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_rule_activation.json
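Review bot: The `%%{HOSTNAME:repo}` in the Painless grok pattern is not a typo but a Terraform template escape (ec_deployment.tf renders this file through `templatefile(..., {})`, where `%%{` yields a literal `%{`), and nothing in the file says so; anyone validating it as plain Elasticsearch JSON, or pasting it into Dev Tools, will "fix" it to `%{...}` and break the rendered transform. JSON has no comments, so the existing `"description"` is the place to record this, e.g. `"description": "Transforms logs data into GCS usage profile (rendered via Terraform templatefile: %% escapes a literal %)"`. Separately, `source.index` is `logs*`, so the runtime script is evaluated over every log document in the cluster to find GCS audit entries; a `"query"` on `event.dataset` like the one in es_vpc_flow_transform.json would bound both the work and the cardinality of `gcs-repos` to `gcp.audit` data.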
@@ -0,0 +1 @@
+{"action":"enable","ids":["caad06b0-3999-11ed-9681-5f50c03b8306","caac1c50-3999-11ed-9681-5f50c03b8306","caac6a70-3999-11ed-9681-5f50c03b8306","caaba720-3999-11ed-9681-5f50c03b8306","caab31f0-3999-11ed-9681-5f50c03b8306","ca166c00-3999-11ed-9681-5f50c03b8306","ca1644f0-3999-11ed-9681-5f50c03b8306","ca16ba20-3999-11ed-9681-5f50c03b8306","ca16e130-3999-11ed-9681-5f50c03b8306","ca172f50-3999-11ed-9681-5f50c03b8306","ca17a480-3999-11ed-9681-5f50c03b8306","ca177d70-3999-11ed-9681-5f50c03b8306","ca1840c0-3999-11ed-9681-5f50c03b8306","ca17f2a0-3999-11ed-9681-5f50c03b8306","ca18dd00-3999-11ed-9681-5f50c03b8306","ca192b20-3999-11ed-9681-5f50c03b8306","ca1bc330-3999-11ed-9681-5f50c03b8306","ca1c1150-3999-11ed-9681-5f50c03b8306","ca1c5f70-3999-11ed-9681-5f50c03b8306","ca1cd4a0-3999-11ed-9681-5f50c03b8306","ca1d22c0-3999-11ed-9681-5f50c03b8306","ca1d97f0-3999-11ed-9681-5f50c03b8306","ca1d49d0-3999-11ed-9681-5f50c03b8306","cd2fe100-3999-11ed-9681-5f50c03b8306"]}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/es_vpc_flow_transform.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_vpc_flow_transform.json
new file mode 100644
index 000000000..50b6bb4f0
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/es_vpc_flow_transform.json
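Review bot: The 24 rule ids are hard-coded saved-object ids from one particular Kibana instance (time-based UUIDs all sharing the `-3999-11ed-9681-5f50c03b8306` suffix), and ec_deployment.tf sends this body right after kb_load_detection_rules.sh runs; unless that loader creates the rules with exactly these ids on every fresh deployment, the enable call addresses rules that do not exist and the "Load Rules" step silently enables nothing. I cannot see the loader script, so this is inferred from the ids alone. If the script uses the detection-engine bulk-action endpoint, selecting by `"query"` on a tag the loader applies (e.g. `{"action":"enable","query":"alert.attributes.tags: \"<TAG_SET_BY_LOADER>\""}`, tag value to be filled in) removes the id coupling; otherwise the loader must pin these ids and that contract deserves a note next to this file, since the JSON cannot carry a comment.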
@@ -0,0 +1,88 @@
+{
+ "source": {
+ "index": [
+ "logs*"
+ ],
+ "query": {
+ "bool": {
+ "should": [
+ {
+ "match_phrase": {
+ "event.dataset": "gcp.vpcflow"
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ }
+ },
+ "pivot": {
+ "group_by": {
+ "gcp.source.vpc.vpc_name": {
+ "terms": {
+ "field": "gcp.source.vpc.vpc_name"
+ }
+ },
+ "gcp.source.vpc.project_id": {
+ "terms": {
+ "field": "gcp.source.vpc.project_id"
+ }
+ },
+ "gcp.source.vpc.subnetwork_name": {
+ "terms": {
+ "field": "gcp.source.vpc.subnetwork_name"
+ }
+ },
+ "source.ip": {
+ "terms": {
+ "field": "source.ip"
+ }
+ },
+ "gcp.source.instance.region": {
+ "terms": {
+ "field": "gcp.source.instance.region"
+ }
+ },
+ "gcp.destination.vpc.vpc_name": {
+ "terms": {
+ "field": "gcp.destination.vpc.vpc_name"
+ }
+ },
+ "gcp.destination.vpc.project_id": {
+ "terms": {
+ "field": "gcp.destination.vpc.project_id"
+ }
+ },
+ "gcp.destination.vpc.subnetwork_name": {
+ "terms": {
+ "field": "gcp.destination.vpc.subnetwork_name"
+ }
+ },
+ "destination.ip": {
+ "terms": {
+ "field": "destination.ip"
+ }
+ },
+ "gcp.destination.instance.region": {
+ "terms": {
+ "field": "gcp.destination.instance.region"
+ }
+ }
+ },
+ "aggregations": {
+ "network.bytes.sum": {
+ "sum": {
+ "field": "network.bytes"
+ }
+ }
+ }
+ },
+ "dest": {
+ "index": "gcp_vpc_flow_summary"
+ },
+ "sync": {
+ "time": {
+ "field": "@timestamp"
+ }
+ }
+}
diff --git a/examples/multi-cloud-setup/GoogleCloud/json_templates/gcp_integration.json b/examples/multi-cloud-setup/GoogleCloud/json_templates/gcp_integration.json
new file mode 100644
index 000000000..dafe15b84
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/json_templates/gcp_integration.json
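Review bot: The pivot groups on `source.ip` and `destination.ip` on top of eight VPC/subnet/region keys, so `gcp_vpc_flow_summary` holds one document per distinct flow tuple ever observed and nothing bounds its growth: the transform has `sync` but no `retention_policy`, and the only aggregation is `network.bytes.sum`, so the summary documents carry no timestamp at all (the two sibling transforms each keep a `max` on `@timestamp`). Adding `"last_seen": {"max": {"field": "@timestamp"}}` to `aggregations` gives the dashboard a time field to filter on and makes a `"retention_policy": {"time": {"field": "last_seen", "max_age": "30d"}}` possible (the 30d window is a placeholder to tune); without it, stale pairs accumulate indefinitely. The file also lacks the `"description"` field present in es_repo_transform.json.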
@@ -0,0 +1,400 @@ +{ + "name": "gcp", + "description": "Terraformed GCP integration", + "namespace": "default", + "policy_id": "${policy_id}", + "enabled": true, + "output_id": "", + "inputs": [ + { + "type": "gcp-pubsub", + "policy_template": "audit", + "enabled": %{ if audit_log_topic != ""}true%{ else }false%{ endif }, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "gcp.audit" + }, + "vars": { + "topic": { + "value": "${audit_log_topic}", + "type": "text" + }, + "subscription_name": { + "value": "${audit_log_topic}", + "type": "text" + }, + "subscription_create": { + "value": true, + "type": "bool" + }, + "alternative_host": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "gcp-audit" + ], + "type": "text" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + } + ] + }, + { + "type": "gcp-pubsub", + "policy_template": "firewall", + "enabled": %{ if firewall_log_topic != ""}true%{ else }false%{ endif }, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "gcp.firewall" + }, + "vars": { + "topic": { + "value": "${firewall_log_topic}", + "type": "text" + }, + "subscription_name": { + "value": "${firewall_log_topic}", + "type": "text" + }, + "subscription_create": { + "value": true, + "type": "bool" + }, + "alternative_host": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "gcp-firewall" + ], + "type": "text" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + } + ] + }, + { + "type": "gcp-pubsub", + "policy_template": "vpcflow", + "enabled": %{ if vpcflow_log_topic != ""}true%{ else }false%{ endif }, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "gcp.vpcflow" + }, + "vars": { + "topic": { + "value": "${vpcflow_log_topic}", + "type": "text" + }, + "subscription_name": { + "value": 
"${vpcflow_log_topic}", + "type": "text" + }, + "subscription_create": { + "value": true, + "type": "bool" + }, + "alternative_host": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "gcp-vpcflow" + ], + "type": "text" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + } + ] + }, + { + "type": "gcp-pubsub", + "policy_template": "dns", + "enabled": %{ if dns_log_topic != ""}true%{ else }false%{ endif }, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "gcp.dns" + }, + "vars": { + "topic": { + "value": "${dns_log_topic}", + "type": "text" + }, + "subscription_name": { + "value": "${dns_log_topic}", + "type": "text" + }, + "subscription_create": { + "value": true, + "type": "bool" + }, + "alternative_host": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "gcp-dns" + ], + "type": "text" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + } + ] + }, + { + "type": "gcp/metrics", + "policy_template": "billing", + "enabled": false, + "streams": [ + { + "enabled": false, + "data_stream": { + "type": "metrics", + "dataset": "gcp.billing" + }, + "vars": { + "period": { + "value": "24h", + "type": "text" + }, + "dataset_id": { + "type": "text" + }, + "table_pattern": { + "value": "gcp_billing_export_v1", + "type": "text" + }, + "cost_type": { + "value": "regular", + "type": "text" + } + } + } + ] + }, + { + "type": "gcp/metrics", + "policy_template": "compute", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "gcp.compute" + }, + "vars": { + "zone": { + "type": "text" + }, + "region": { + "type": "text" + }, + "period": { + "value": "60s", + "type": "text" + }, + "exclude_labels": { + "type": "bool" + } + } + } + ] + }, + { + "type": "gcp/metrics", + "policy_template": "firestore", + "enabled": true, + 
"streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "gcp.firestore" + }, + "vars": { + "zone": { + "type": "text" + }, + "region": { + "type": "text" + }, + "period": { + "value": "60s", + "type": "text" + }, + "exclude_labels": { + "type": "bool" + } + } + } + ] + }, + { + "type": "gcp/metrics", + "policy_template": "loadbalancing", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "gcp.loadbalancing_metrics" + }, + "vars": { + "zone": { + "type": "text" + }, + "region": { + "type": "text" + }, + "period": { + "value": "60s", + "type": "text" + }, + "exclude_labels": { + "type": "bool" + } + } + } + ] + }, + { + "type": "gcp-pubsub", + "policy_template": "loadbalancing", + "enabled": %{ if lb_log_topic != ""}true%{ else }false%{ endif }, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "logs", + "dataset": "gcp.loadbalancing_logs" + }, + "vars": { + "topic": { + "value": "${lb_log_topic}", + "type": "text" + }, + "subscription_name": { + "value": "${lb_log_topic}", + "type": "text" + }, + "subscription_create": { + "value": true, + "type": "bool" + }, + "alternative_host": { + "type": "text" + }, + "tags": { + "value": [ + "forwarded", + "gcp-loadbalancing_logs" + ], + "type": "text" + }, + "preserve_original_event": { + "value": false, + "type": "bool" + }, + "processors": { + "type": "yaml" + } + } + } + ] + }, + { + "type": "gcp/metrics", + "policy_template": "storage", + "enabled": true, + "streams": [ + { + "enabled": true, + "data_stream": { + "type": "metrics", + "dataset": "gcp.storage" + }, + "vars": { + "zone": { + "type": "text" + }, + "region": { + "type": "text" + }, + "period": { + "value": "60s", + "type": "text" + }, + "exclude_labels": { + "type": "bool" + } + } + } + ] + } + ], + "package": { + "name": "gcp", + "title": "Google Cloud Platform", + "version": "2.7.0" + }, + "vars": { + "project_id": { + "value": "${gcp_project}", + 
"type": "text" + }, + "credentials_file": { + "type": "text" + }, + "credentials_json": { + "value": ${gcp_credentials_json}, + "type": "text" + } + } +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/GoogleCloud/terraform/dataflow.tf b/examples/multi-cloud-setup/GoogleCloud/terraform/dataflow.tf new file mode 100644 index 000000000..d2089ec1b --- /dev/null +++ b/examples/multi-cloud-setup/GoogleCloud/terraform/dataflow.tf @@ -0,0 +1,20 @@ +# ------------------------------------------------------------- +# Create a Dataflow job to read from BigQuery and write to Elastic +# ------------------------------------------------------------- +# resource "google_dataflow_flex_template_job" "read_from_bigquery_to_elasticserach" { +# project = var.google_cloud_project +# provider = google-beta +# name = var.google_cloud_dataflow_job_name +# region = var.google_cloud_region +# container_spec_gcs_path = var.google_cloud_container_spec_gcs_path +# parameters = { +# connectionUrl = ec_deployment.elastic_gc_deployment.elasticsearch[0].cloud_id +# apiKey = data.external.elastic_generate_api_key.result.encoded +# index = var.elastic_index_name +# inputTableSpec = var.google_cloud_inputTableSpec +# maxNumWorkers = var.google_cloud_maxNumWorkers +# maxRetryAttempts = var.google_cloud_maxRetryAttempts +# maxRetryDuration = var.google_cloud_maxRetryDuration +# } +# depends_on = [data.external.elastic_generate_api_key] +# } \ No newline at end of file diff --git a/examples/multi-cloud-setup/GoogleCloud/terraform/ec_deployment.tf b/examples/multi-cloud-setup/GoogleCloud/terraform/ec_deployment.tf new file mode 100644 index 000000000..a13ba6be2 --- /dev/null +++ b/examples/multi-cloud-setup/GoogleCloud/terraform/ec_deployment.tf 
@@ -0,0 +1,237 @@ +# ------------------------------------------------------------- +# Deploy Elastic Cloud +# ------------------------------------------------------------- +data "ec_stack" "latest" { + version_regex = "latest" + region = var.elastic_region +} + +resource "ec_deployment" "elastic_deployment" { + name = var.elastic_deployment_name + region = var.elastic_region + version = var.elastic_version == "latest" ? data.ec_stack.latest.version : var.elastic_version + deployment_template_id = var.elastic_deployment_template_id + elasticsearch { + autoscale = "true" + + dynamic "remote_cluster" { + for_each = var.elastic_remotes + content { + deployment_id = remote_cluster.value["id"] + alias = remote_cluster.value["alias"] + } + } + } + kibana {} + integrations_server {} +} + +output "elastic_cluster_id_google" { + value = ec_deployment.elastic_deployment.id +} + +output "elastic_cluster_alia_google" { + value = ec_deployment.elastic_deployment.name +} + +output "elastic_endpoint_google" { + value = ec_deployment.elastic_deployment.kibana[0].https_endpoint +} + +output "elastic_cloud_id_google" { + value = ec_deployment.elastic_deployment.elasticsearch[0].cloud_id +} + +output "elastic_username_google" { + value = ec_deployment.elastic_deployment.elasticsearch_username +} + +# ------------------------------------------------------------- +# Load Policy +# ------------------------------------------------------------- + +data "external" "elastic_create_policy" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/default-policy.json", {"policy_name": "GC_${var.google_cloud_project}"}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_create_agent_policy.sh" ] + depends_on = 
[ec_deployment.elastic_deployment] +} + +output "elastic_create_policy" { + value = data.external.elastic_create_policy.result + depends_on = [data.external.elastic_create_policy] +} + +data "external" "elastic_add_integration" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/gcp_integration.json", + { + "policy_id": data.external.elastic_create_policy.result.id, + "gcp_project": var.google_cloud_project, + "gcp_credentials_json": jsonencode(file(var.google_cloud_service_account_path)), + "audit_log_topic": var.google_pubsub_audit_topic, + "firewall_log_topic": var.google_pubsub_firewall_topic, + "vpcflow_log_topic": var.google_pubsub_vpcflow_topic, + "dns_log_topic": var.google_pubsub_dns_topic, + "lb_log_topic": var.google_pubsub_lb_topic + } + ) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_add_integration_to_policy.sh" ] + depends_on = [data.external.elastic_create_policy] +} + +output "elastic_add_integration" { + value = data.external.elastic_add_integration.result + depends_on = [data.external.elastic_add_integration] +} + +# ------------------------------------------------------------- +# Load Rules +# ------------------------------------------------------------- + +data "external" "elastic_load_rules" { + query = { + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_load_detection_rules.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_enable_rules" { + query = { + kibana_endpoint = 
ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + elastic_json_body = templatefile("${path.module}/../json_templates/es_rule_activation.json",{}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_enable_detection_rules.sh" ] + depends_on = [data.external.elastic_load_rules] +} + +output "elastic_enable_rules" { + value = data.external.elastic_enable_rules.result + depends_on = [data.external.elastic_enable_rules] +} + +# ------------------------------------------------------------- +# Create and Start transforms +# ------------------------------------------------------------- + +data "external" "elastic_create_transforms" { + query = { + elastic_endpoint = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + transform_name = "gcs-repo-transform" + elastic_json_body = templatefile("${path.module}/../json_templates/es_repo_transform.json",{}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/es_create_transform.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_start_transforms" { + query = { + elastic_endpoint = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + transform_name = "gcs-repo-transform" + } + program = ["sh", "${path.module}/../../lib/elastic_api/es_start_transform.sh" ] + depends_on = [data.external.elastic_create_transforms] +} + +output "elastic_start_transforms" { + value = data.external.elastic_start_transforms.result + depends_on = [data.external.elastic_start_transforms] +} + 
+################################################################################ + +data "external" "elastic_create_transform_host_metrics" { + query = { + elastic_endpoint = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + transform_name = "host-profile-transform" + elastic_json_body = templatefile("${path.module}/../json_templates/es_host_transform.json",{}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/es_create_transform.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_start_transform_host_metrics" { + query = { + elastic_endpoint = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + transform_name = "host-profile-transform" + } + program = ["sh", "${path.module}/../../lib/elastic_api/es_start_transform.sh" ] + depends_on = [data.external.elastic_create_transform_host_metrics] +} + +output "elastic_start_transform_host_metrics" { + value = data.external.elastic_start_transform_host_metrics.result + depends_on = [data.external.elastic_start_transform_host_metrics] +} + +################################################################################ + +data "external" "elastic_create_transform_vpc_flow" { + query = { + elastic_endpoint = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + transform_name = "vpc_flow-transform" + elastic_json_body = templatefile("${path.module}/../json_templates/es_vpc_flow_transform.json",{}) + } + program = ["sh", "${path.module}/../../lib/elastic_api/es_create_transform.sh" 
] + depends_on = [ec_deployment.elastic_deployment] +} + +data "external" "elastic_start_transform_vpc_flow" { + query = { + elastic_endpoint = ec_deployment.elastic_deployment.elasticsearch[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + transform_name = "vpc_flow-transform" + } + program = ["sh", "${path.module}/../../lib/elastic_api/es_start_transform.sh" ] + depends_on = [data.external.elastic_create_transform_vpc_flow] +} + +output "elastic_start_transform_vpc_flow" { + value = data.external.elastic_start_transform_vpc_flow.result + depends_on = [data.external.elastic_start_transform_vpc_flow] +} + +# ------------------------------------------------------------- +# Load Dashboards +# ------------------------------------------------------------- + +data "external" "elastic_upload_saved_objects" { + query = { + elastic_http_method = "POST" + kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint + elastic_username = ec_deployment.elastic_deployment.elasticsearch_username + elastic_password = ec_deployment.elastic_deployment.elasticsearch_password + so_file = "${path.module}/../dashboards/google_cloud_dashboards.ndjson" + } + program = ["sh", "${path.module}/../../lib/elastic_api/kb_upload_saved_objects.sh" ] + depends_on = [ec_deployment.elastic_deployment] +} + +output "elastic_upload_saved_objects" { + value = data.external.elastic_upload_saved_objects.result + depends_on = [data.external.elastic_upload_saved_objects] +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/GoogleCloud/terraform/elastic_agent.tf b/examples/multi-cloud-setup/GoogleCloud/terraform/elastic_agent.tf new file mode 100644 index 000000000..ebaecb24c --- /dev/null +++ b/examples/multi-cloud-setup/GoogleCloud/terraform/elastic_agent.tf 
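Review bot: Every Kibana and Elasticsearch call in this file is a `data "external"` source, and Terraform re-reads data sources on every plan and refresh, so kb_create_agent_policy.sh, kb_add_integration_to_policy.sh, kb_load_detection_rules.sh and the three es_create_transform.sh invocations execute again on each `terraform plan`; unless those scripts are idempotent (I cannot see them from this diff), re-runs create duplicate agent policies and integrations or fail on an already-existing transform. The usual fix is a `null_resource` (or `terraform_data` on Terraform 1.4+) with `local-exec` and explicit `triggers`, or making each script check-before-create and echo the existing id; at minimum a header comment should spell out the idempotence contract the scripts are expected to honour. The cluster password and the service-account key are passed in `query`, so they land in plaintext in the state file next to the external results; the example's documentation should require an encrypted remote backend before anyone runs this against a real project. The output `elastic_cluster_alia_google` looks like a typo for `elastic_cluster_alias_google`; since the file is new, renaming now costs nothing.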
@@ -0,0 +1,40 @@
+# -------------------------------------------------------------
+# Create Compute VM + Elastic Agent
+# -------------------------------------------------------------
+
+data "template_file" "install_agent" {
+ template = file("../../lib/scripts/agent_install.sh")
+ vars = {
+ elastic_version = var.elastic_version
+ elasticsearch_username = ec_deployment.elastic_deployment.elasticsearch_username
+ elasticsearch_password = ec_deployment.elastic_deployment.elasticsearch_password
+ kibana_endpoint = ec_deployment.elastic_deployment.kibana[0].https_endpoint
+ integration_server_endpoint = ec_deployment.elastic_deployment.integrations_server[0].https_endpoint
+ policy_id = data.external.elastic_create_policy.result.id
+ }
+}
+
+resource "google_compute_instance" "vm_instance" {
+ depends_on = [ec_deployment.elastic_deployment, data.external.elastic_create_policy] ## We want to have the elastic deployment before we install the agent
+
+ name = "elastic-agent"
+ machine_type = "e2-standard-2"
+ tags = ["terraformed"]
+
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-11"
+ size = 20
+ }
+ }
+
+ network_interface {
+ network = var.google_cloud_network
+ access_config {
+ // Ephemeral public IP
+ }
+ }
+
+ metadata_startup_script = "${data.template_file.install_agent.rendered}"
+}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/GoogleCloud/terraform/logging.tf b/examples/multi-cloud-setup/GoogleCloud/terraform/logging.tf
new file mode 100644
index 000000000..0c0dc1674
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/terraform/logging.tf
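Review bot: The rendered install script receives `elasticsearch_username` and `elasticsearch_password` (the deployment's built-in superuser credentials) and is stored as `metadata_startup_script`, so the cluster password is readable from the metadata server by any process on the VM and by anyone with `compute.instances.get` on the project, for the lifetime of the instance. Enrolling an agent only requires a Fleet enrollment token for the policy; if agent_install.sh can be changed to take one, pass that instead of the password, otherwise the example's documentation should state the exposure. `data "template_file"` with `file("../../lib/scripts/agent_install.sh")` resolves against the working directory rather than the module, unlike the `${path.module}`-based paths in ec_deployment.tf, and the `template` provider is deprecated; the built-in `templatefile()` fixes both and removes the redundant quoted interpolation on the last line. No `service_account` block is set, so the VM runs as the project's default compute service account with its default scopes; since the agent authenticates with the `credentials_json` in its policy, a dedicated, minimally-scoped service account is the least-privilege choice.
```hcl
resource "google_compute_instance" "vm_instance" {
  # … unchanged: depends_on, name, machine_type, tags, boot_disk, network_interface …

  metadata_startup_script = templatefile("${path.module}/../../lib/scripts/agent_install.sh", {
    elastic_version             = var.elastic_version
    elasticsearch_username      = ec_deployment.elastic_deployment.elasticsearch_username
    elasticsearch_password      = ec_deployment.elastic_deployment.elasticsearch_password
    kibana_endpoint             = ec_deployment.elastic_deployment.kibana[0].https_endpoint
    integration_server_endpoint = ec_deployment.elastic_deployment.integrations_server[0].https_endpoint
    policy_id                   = data.external.elastic_create_policy.result.id
  })
}
```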
@@ -0,0 +1,164 @@ +# ------------------------------------------------------------- +# Create Audit Log Route to Elastic Agent +# ------------------------------------------------------------- + + +resource "google_pubsub_topic" "audit" { + name = var.google_pubsub_audit_topic + + labels = { + elastic-log = "audit" + } +} + +resource "google_logging_project_sink" "audit" { + name = var.google_pubsub_audit_topic + + # Can export to pubsub, cloud storage, or bigquery + destination = "pubsub.googleapis.com/${google_pubsub_topic.audit.id}" + + filter = var.google_pubsub_audit_filter + + # Use a unique writer (creates a unique service account used for writing) + unique_writer_identity = true + + depends_on = [google_pubsub_topic.audit] +} + +# ------------------------------------------------------------- +# Create Firewall Log Route to Elastic Agent +# ------------------------------------------------------------- + + +resource "google_pubsub_topic" "firewall" { + name = var.google_pubsub_firewall_topic + + labels = { + elastic-log = "firewall" + } +} + +resource "google_logging_project_sink" "firewall" { + name = var.google_pubsub_firewall_topic + + # Can export to pubsub, cloud storage, or bigquery + destination = "pubsub.googleapis.com/${google_pubsub_topic.firewall.id}" + + filter = var.google_pubsub_firewall_filter + + # Use a unique writer (creates a unique service account used for writing) + unique_writer_identity = true + + depends_on = [google_pubsub_topic.firewall] +} + + +# ------------------------------------------------------------- +# Create VPC Flow Log Route to Elastic Agent +# ------------------------------------------------------------- + + +resource "google_pubsub_topic" "vpcflow" { + name = var.google_pubsub_vpcflow_topic + + labels = { + elastic-log = "vpcflow" + } +} + +resource "google_logging_project_sink" "vpcflow" { + name = var.google_pubsub_vpcflow_topic + + # Can export to pubsub, cloud storage, or bigquery + destination = 
"pubsub.googleapis.com/${google_pubsub_topic.vpcflow.id}" + + filter = var.google_pubsub_vpcflow_filter + + # Use a unique writer (creates a unique service account used for writing) + unique_writer_identity = true + + depends_on = [google_pubsub_topic.vpcflow] +} + + + +# ------------------------------------------------------------- +# Create DNS Log Route to Elastic Agent +# ------------------------------------------------------------- + + +resource "google_pubsub_topic" "dns" { + name = var.google_pubsub_dns_topic + + labels = { + elastic-log = "dns" + } +} + +resource "google_logging_project_sink" "dns" { + name = var.google_pubsub_dns_topic + + # Can export to pubsub, cloud storage, or bigquery + destination = "pubsub.googleapis.com/${google_pubsub_topic.dns.id}" + + filter = var.google_pubsub_dns_filter + + # Use a unique writer (creates a unique service account used for writing) + unique_writer_identity = true + + depends_on = [google_pubsub_topic.dns] +} + + +# ------------------------------------------------------------- +# Create Loadbalancer Log Route to Elastic Agent +# ------------------------------------------------------------- + + +resource "google_pubsub_topic" "lb" { + name = var.google_pubsub_lb_topic + + labels = { + elastic-log = "loadbalancer" + } +} + +resource "google_logging_project_sink" "lb" { + name = var.google_pubsub_lb_topic + + # Can export to pubsub, cloud storage, or bigquery + destination = "pubsub.googleapis.com/${google_pubsub_topic.lb.id}" + + filter = var.google_pubsub_lb_filter + + # Use a unique writer (creates a unique service account used for writing) + unique_writer_identity = true + + depends_on = [google_pubsub_topic.lb] +} + + +# ------------------------------------------------------------- +# Role bindings +# ------------------------------------------------------------- + +resource "google_project_iam_binding" "pubsub_writer_logs" { + project = var.google_cloud_project + role = "roles/pubsub.editor" + + members = [ + 
google_logging_project_sink.audit.writer_identity,
+ google_logging_project_sink.firewall.writer_identity,
+ google_logging_project_sink.vpcflow.writer_identity,
+ google_logging_project_sink.dns.writer_identity,
+ google_logging_project_sink.lb.writer_identity,
+ ]
+
+ depends_on = [
+ google_logging_project_sink.audit,
+ google_logging_project_sink.firewall,
+ google_logging_project_sink.vpcflow,
+ google_logging_project_sink.dns,
+ google_logging_project_sink.lb
+ ]
+}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/GoogleCloud/terraform/main.tf b/examples/multi-cloud-setup/GoogleCloud/terraform/main.tf
new file mode 100644
index 000000000..baeeeb9b0
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/terraform/main.tf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# Terraform provider configuration
+# -------------------------------------------------------------
+
+terraform {
+ required_version = ">= 1.0.2"
+
+ required_providers {
+ ec = {
+ source = "elastic/ec"
+ version = ">= 0.4.1"
+ }
+ }
+}
+
+
+
+
+
diff --git a/examples/multi-cloud-setup/GoogleCloud/terraform/variables.tf b/examples/multi-cloud-setup/GoogleCloud/terraform/variables.tf
new file mode 100644
index 000000000..87ac5c1af
--- /dev/null
+++ b/examples/multi-cloud-setup/GoogleCloud/terraform/variables.tf
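Review bot: `google_project_iam_binding` is authoritative for `roles/pubsub.editor` at project level: applying it removes every other principal that currently holds that role in the project, and it grants the five sink writer identities far more than they need. A log sink's writer identity only has to publish to its destination topic, so a per-topic `google_pubsub_topic_iam_member` with `roles/pubsub.publisher` is both non-destructive and least privilege; the explicit `depends_on` lists throughout the file are redundant because the attribute references already order the resources. One instance is shown below; the same shape applies to the firewall, vpcflow, dns and lb sinks.
```hcl
resource "google_pubsub_topic_iam_member" "audit_sink_publisher" {
  project = var.google_cloud_project
  topic   = google_pubsub_topic.audit.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.audit.writer_identity
}
# … repeat for firewall, vpcflow, dns and lb …
```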
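Review bot: `required_providers` declares only `ec`, yet the module uses `google` (logging.tf, elastic_agent.tf), `external` (ec_deployment.tf) and `template` (elastic_agent.tf), plus `google-beta` in the commented-out dataflow.tf, with no source or version constraint, so a fresh `terraform init` resolves whatever is latest and the archived `template` provider may not be available for new platforms at all. Add entries such as `google = { source = "hashicorp/google", version = "~> 4.0" }` and `external = { source = "hashicorp/external" }` with the versions the example was actually tested against (the `~> 4.0` is a placeholder). There is also no `provider "google"` block wiring `project`/`region` to `var.google_cloud_project`/`var.google_cloud_region`, so those variables only take effect where a resource passes them explicitly and the user must otherwise set the project through the environment.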
@@ -0,0 +1,138 @@ +# ------------------------------------------------------------- +# Elastic configuration +# ------------------------------------------------------------- +variable "elastic_version" { + type = string + default = "latest" +} + +variable "elastic_region" { + type = string + default = "gcp-europe-west3" +} + +variable "elastic_deployment_name" { + type = string + default = "Google Cloud Observe and Protect" +} + +variable "elastic_deployment_template_id" { + type = string + default = "gcp-io-optimized-v2" +} + +variable "elastic_remotes" { + type = list( + object({ + id = string + alias = string + }) + ) + default = [] +} + +# ------------------------------------------------------------- +# GCP configuration +# ------------------------------------------------------------- + +variable "google_cloud_project" { + type = string + default = "elastic-pme-team" +} + +variable "google_cloud_region" { + type = string + default = "europe-west3" +} + +variable "google_cloud_service_account_path" { + type = string +} + +variable "google_cloud_network" { + type = string + default = "default" +} + +# ------------------------------------------------------------- +# PubSub configuration +# ------------------------------------------------------------- + +//Audit Logs +variable "google_pubsub_audit_topic" { + type = string + default = "elastic-audit-logs" +} + +variable "google_pubsub_audit_filter" { + type = string + default = "protoPayload.@type=\"type.googleapis.com/google.cloud.audit.AuditLog\"" +} + +//Firewall Logs +variable "google_pubsub_firewall_topic" { + type = string + default = "elastic-firewall-logs" +} + +variable "google_pubsub_firewall_filter" { + type = string + default = "logName:\"compute.googleapis.com%2Ffirewall\"" +} + +//VPC Flow Logs +variable "google_pubsub_vpcflow_topic" { + type = string + default = "elastic-vpcflow-logs" +} + +variable "google_pubsub_vpcflow_filter" { + type = string + default = 
"log_id(\"compute.googleapis.com/vpc_flows\")" +} + +//DNS Logs +variable "google_pubsub_dns_topic" { + type = string + default = "elastic-dns-logs" +} + +variable "google_pubsub_dns_filter" { + type = string + default = "resource.type=\"dns_query\"" +} + +//Loadbalancer Logs +variable "google_pubsub_lb_topic" { + type = string + default = "elastic-lb-logs" +} + +variable "google_pubsub_lb_filter" { + type = string + default = "resource.type=\"http_load_balancer\"" +} + +# ------------------------------------------------------------- +# BigQuery configuration -- Not used at the moment +# ------------------------------------------------------------- + +variable "google_cloud_container_specs_path" { + type = string + default = "gs://dataflow-templates/latest/flex/BigQuery_to_Elasticsearch" +} + +variable "google_cloud_maxNumWorkers" { + type = number + default = 5 +} + +variable "google_cloud_maxRetryAttempts" { + type = string + default = 1 +} + +variable "google_cloud_maxRetryDuration" { + type = string + default = 30 +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/LICENSE b/examples/multi-cloud-setup/LICENSE new file mode 100644 index 000000000..b09cd7856 --- /dev/null +++ b/examples/multi-cloud-setup/LICENSE 
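Review bot: `google_cloud_project` defaults to `"elastic-pme-team"`, which looks like the maintainers' own project; anyone who runs `terraform apply` without overriding it will try to create log sinks and a project-level IAM binding there, and with sufficient rights would succeed in the wrong project. Drop the default so the variable is required, as `google_cloud_service_account_path` already is: `variable "google_cloud_project" { type = string }`. Separately, `google_cloud_maxRetryAttempts` and `google_cloud_maxRetryDuration` are typed `string` but carry numeric defaults; `type = number` matches `google_cloud_maxNumWorkers` and avoids an implicit conversion when they are eventually wired up.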
@@ -0,0 +1,201 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/examples/multi-cloud-setup/MultiCloud/.gitignore b/examples/multi-cloud-setup/MultiCloud/.gitignore new file mode 100644 index 000000000..cbc93ad91 --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/.gitignore @@ -0,0 +1,8 @@ + +.vs/slnx.sqlite +*.tfstate +*.backup +terraform/*.tfstate +terraform/.terraform +*.hcl +local_env \ No newline at end of file diff --git a/examples/multi-cloud-setup/MultiCloud/README.md b/examples/multi-cloud-setup/MultiCloud/README.md new file mode 100644 index 000000000..d51075f4a --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/README.md 
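Review bot: The `*.hcl` pattern also ignores `.terraform.lock.hcl`, the provider dependency lock file that records the provider versions and checksums `terraform init` resolved; without it every clone re-resolves providers and the lower-bound-only constraints in `main.tf` float freely. Re-include it with a negation placed after the pattern: `!.terraform.lock.hcl`. The READMEs in this commit also tell users to put AWS keys into `terraform.tfvars.json`, which nothing in this list ignores; adding `*.tfvars` and `*.tfvars.json` keeps those out of commits even when someone skips the `local_env/` convention.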
@@ -0,0 +1,137 @@ +# Multi Cloud terraform setup for Elasticsearch + +The project in this repository is creating an Elastic Cloud environment in order to getting started with monitoring and protecting your Cloud Service Providers(CSP) environment in Google, AWS and/or Azure. It is creating all necessary components within the CSPs as well as the in Elastic Cloud using terraform. The whole process will be done in less than 1h. + +You can either install every Cloud Environment separatly or choose the MultiCloud project to install everything at once. By choosing MultiCloud the terraform script will also configure the necessary connection between the clusters in order to do Cross Cluster Search(CSS). Because of that each cluster can live in its own Cloud Provider environment (GCP cluster in GCP, AWS cluser in AWS and so on). This will guarantee a low cost footprint when collecting the relevant data from the providers. But because of CCS every cluster can get queried by one main cluster. + +## Getting started + +You can decide if you like to install the environment for all Cloud Providers at once or each once independently from each other. No matter what you prefer you need to deploy it within the [MultiCloud](MultiCloud) folder. Before you do that you need to prepare your environment. 
+ +### Prepare software dependencies + +- [jq](https://stedolan.github.io/jq/download/) +- [terraform](https://www.terraform.io/downloads) + +### Clone the repository + +```bash +git clone https://github.com/felix-lessoer/elastic-terraform-examples.git +``` + +### Create Elastic Cloud ID following this steps + +[Create EC API key](https://registry.terraform.io/providers/elastic/ec/latest/docs#api-key-authentication-recommended) + +Set env variable for Elastic Cloud: + +```bash +export EC_API_KEY="[PUT YOUR ELASTIC CLOUD API KEY HERE]" +``` + +### Create local env files within the repo + +Target is to have the *aws.json* file and the *gcp.json* file in *MultiCloud/local_env/* to make the terraform commands below working correctly. +```bash +mkdir local_env +touch aws.json +touch gcp.json +``` + +Modify the terraform environment settings to prepare your local env. + +#### For AWS +More AWS configuration remarks you can find in the [AWS](../AWS) folder. + +Minimal config: +```json +{ + "deploy_aws" : true, + "aws_region" : "eu-west-2", + "aws_access_key" : "", + "aws_secret_key" : "" +} +``` + +List of other optional parameters that can be added to terraform.tfvars.json +| Parameter Name | Default value | Example | Description | +| ------------- | ------------- | ------------- | ------------- | +| elastic_version | latest | 8.4.1 | Used to define the Elastic Search version | +| elastic_region | aws-eu-west-2 | aws-eu-west-2 | Used to set the Elastic Cloud region for the AWS deployment | +| elastic_deployment_name | AWS Observe and Protect | AWS Observe and Protect | Used to define the name for the Elastic deployment | + +#### For Google Cloud +More Google CLoud configuration remarks you can find in the [Google Cloud](../GoogleCloud) folder. 
+ +Minimal config: +```json +{ + "deploy_gc" : true, + "google_cloud_project" : "", + "google_cloud_service_account_path" : "/path/to/service/account/file" +} +``` + +List of other optional parameters that can be added to terraform.tfvars.json +| Parameter Name | Default value | Example | Description | +| ------------- | ------------- | ------------- | ------------- | +| elastic_version | latest | 8.4.1 | Used to define the Elastic Search version | +| elastic_region | gcp-europe-west3 | gcp-europe-west3 | Used to set the Elastic Cloud region for the Google Cloud deployment | +| elastic_deployment_name | Google Cloud Observe and Protect | Google Cloud Observe and Protect | Used to define the name for the Elastic deployment | +| google_cloud_region | europe-west3 | europe-west3 | Used to change the region where the Google Cloud objects getting installed | +| google_cloud_network | default | my-network | Used to change the network the Elastic Agent VM is installed in. (Network needs to be existent) | + +## Deploy + +For the setup you need to init and apply the terraform configuration in the [Multi Cloud](MultiCloud) root module and start in the terraform folder. Before the apply you need to provide credentials for Elastic Cloud as well as for every Cloud Provider that you want to deploy. Terraform needs access to perform actions in your name. + +After you prepared the settings for each cloud provider you've choosen you should be able to execute the deployment process. + +### All in one aka Multi Cloud + +If you prefer you install everything at once you need to configure all Cloud Providers. This is the default configuration. + +### Each example separately + +To install each setup independenly from each other you can disable the creation of the unnecessary clusters also within the [Multi Cloud](MultiCloud) folder. Each module can run on its own. +If you want to add more environments later you just need to change the configuration. 
+ + +List of parameters to de/activate one or more cloud provider environments completly: +| Parameter Name | Default value | Example | Description | +| ------------- | ------------- | ------------- | ------------- | +| deploy_gc | true | false | Used to de/activate the Google Cloud Environment | +| deploy_aws | true | false | Used to de/activate the AWS Environment | + + +### Run terraform + +#### Initialize within 'terraform' folder in the Multi Cloud module + +```bash +terraform init +``` + +#### Check plan to see what will be created by terraform + +```bash +terraform plan -var-file="../local_env/aws.json" -var-file="../local_env/gcp.json" +``` + +#### Run with auto-approve will install everything + +First run: +```bash +terraform apply -var-file="../local_env/aws.json" -var-file="../local_env/gcp.json" -auto-approve +``` + +The replace part is necessary if you deploy the AWS environment. Without that the Cloud Formation template that is used usually have issues on re apply +```bash +terraform apply -var-file="../local_env/aws.json" -var-file="../local_env/gcp.json" -replace module.aws_environment[0].aws_serverlessapplicationrepository_cloudformation_stack.esf_cf_stack -auto-approve +``` + +#### Cleanup (Deletes every component that was created by terraform) + +```bash +terraform destroy -var-file="../local_env/aws.json" -var-file="../local_env/gcp.json" -auto-approve +``` diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/aws_provider.tf b/examples/multi-cloud-setup/MultiCloud/terraform/aws_provider.tf new file mode 100644 index 000000000..0819e9630 --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/terraform/aws_provider.tf @@ -0,0 +1,5 @@ +provider "aws" { + region = var.aws_region + access_key = var.aws_access_key + secret_key = var.aws_secret_key +} \ No newline at end of file 
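Review bot: The provider block hard-wires `access_key`/`secret_key` from variables, which forces static long-lived IAM user keys into a JSON file on disk, while the Elastic Cloud provider in the same root is fed from the `EC_API_KEY` environment variable according to the README. When these two attributes are absent the AWS provider reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, `AWS_PROFILE` or SSO/assumed-role credentials, so a user with short-lived credentials could run this with just `region = var.aws_region`; the `aws_environment` module in `modules.tf` still requires the key variables, so that change has to be made there too. If the static keys must stay (the AWS README notes the same keys are handed to the Elastic Agent), at least declare the variables with `sensitive = true` so they are redacted from plan and error output.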
diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/aws_variables.tf b/examples/multi-cloud-setup/MultiCloud/terraform/aws_variables.tf
new file mode 100644
index 000000000..12b1811bb
--- /dev/null
+++ b/examples/multi-cloud-setup/MultiCloud/terraform/aws_variables.tf
@@ -0,0 +1,34 @@
+# -------------------------------------------------------------
+# Elastic configuration
+# -------------------------------------------------------------
+variable "elastic_aws_region" {
+ type = string
+ default = "aws-eu-west-2"
+}
+
+variable "elastic_aws_deployment_name" {
+ type = string
+ default = "AWS"
+}
+
+variable "elastic_aws_deployment_template_id" {
+ type = string
+ default = "aws-general-purpose-arm-v5"
+}
+
+# -------------------------------------------------------------
+# AWS configuration
+# -------------------------------------------------------------
+
+variable "aws_region" {
+ type = string
+ default = "eu-west-1"
+}
+
+variable "aws_access_key" {
+ type = string
+}
+
+variable "aws_secret_key" {
+ type = string
+}
diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/azure_provider.tf b/examples/multi-cloud-setup/MultiCloud/terraform/azure_provider.tf
new file mode 100644
index 000000000..0fe4d0925
--- /dev/null
+++ b/examples/multi-cloud-setup/MultiCloud/terraform/azure_provider.tf
@@ -0,0 +1,12 @@
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = true
+ }
+ }
+
+ subscription_id = var.azure_subscription_id
+ client_id = var.azure_client_id
+ client_secret = var.azure_client_secret
+ tenant_id = var.azure_tenant_id
+}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/azure_variables.tf b/examples/multi-cloud-setup/MultiCloud/terraform/azure_variables.tf
new file mode 100644
index 000000000..e7ecdaab1
--- /dev/null
+++ b/examples/multi-cloud-setup/MultiCloud/terraform/azure_variables.tf
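Review bot: `aws_access_key` and `aws_secret_key` carry credentials but are not marked `sensitive = true`, so their values are printed verbatim in `terraform plan`/`apply` output and in any variable-validation error; add `sensitive = true` to both declarations. Separately, `aws_region` defaults to `"eu-west-1"` while `elastic_aws_region` defaults to `"aws-eu-west-2"` and the MultiCloud README's minimal config uses `eu-west-2`; aligning the default to `"eu-west-2"` avoids placing the Elastic Agent VM and the Elastic Cloud deployment in different regions by accident.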
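Review bot: `purge_soft_delete_on_destroy = true` makes `terraform destroy` permanently purge any Key Vault this configuration creates instead of leaving it in the soft-deleted, recoverable state; for an example that will be copied into real tenants it is safer to omit the flag (provider default is `false`) and purge manually when that is actually intended. The `client_secret` is a static app-registration secret fed from a variable; the azurerm provider also reads `ARM_CLIENT_ID`/`ARM_CLIENT_SECRET`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID` or Azure CLI credentials when these attributes are unset, which keeps the secret off disk. Note also that `azurerm` does not appear in the root `required_providers` in this commit's `main.tf`, so its version is currently unpinned.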
@@ -0,0 +1,45 @@ +# ------------------------------------------------------------- +# Elastic configuration +# ------------------------------------------------------------- +variable "elastic_azure_region" { + type = string + default = "azure-westeurope" +} + +variable "elastic_azure_deployment_name" { + type = string + default = "Azure Observe and Protect" +} + +variable "elastic_azure_deployment_template_id" { + type = string + default = "azure-general-purpose" +} + +# ------------------------------------------------------------- +# AWS configuration +# ------------------------------------------------------------- + +variable "azure_region" { + type = string + default = "West Europe" +} + +variable "azure_subscription_id" { + type = string +} + +variable "azure_client_id" { + type = string +} + +variable "azure_client_secret" { + type = string +} + +variable "azure_tenant_id" { + type = string +} + + + diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/ec_variables.tf b/examples/multi-cloud-setup/MultiCloud/terraform/ec_variables.tf new file mode 100644 index 000000000..feb3c485d --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/terraform/ec_variables.tf @@ -0,0 +1,12 @@ +# ------------------------------------------------------------- +# Elastic configuration for every cluster +# ------------------------------------------------------------- +variable "elastic_version" { + type = string + default = "latest" +} + +variable "elastic_agent_vm_name" { + type = string + default = "elastic-agent" +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/gc_provider.tf b/examples/multi-cloud-setup/MultiCloud/terraform/gc_provider.tf new file mode 100644 index 000000000..2d38c3949 --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/terraform/gc_provider.tf 
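Review bot: `azure_client_secret` is a credential but lacks `sensitive = true`, so it is echoed in plan output and in any error that prints variable values; add `sensitive = true` to its declaration. The section header above `azure_region` reads `# AWS configuration`, a copy-paste leftover from `aws_variables.tf`, and should read `# Azure configuration`.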
@@ -0,0 +1,6 @@
+provider "google" {
+ project = var.google_cloud_project
+ region = var.google_cloud_region
+ zone = "${var.google_cloud_region}-a"
+ credentials = var.google_cloud_service_account_path
+}
diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/gc_variables.tf b/examples/multi-cloud-setup/MultiCloud/terraform/gc_variables.tf
new file mode 100644
index 000000000..58b328aea
--- /dev/null
+++ b/examples/multi-cloud-setup/MultiCloud/terraform/gc_variables.tf
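Review bot: `credentials = var.google_cloud_service_account_path` makes a downloaded service-account key file mandatory, the credential type Google itself recommends avoiding; the google provider falls back to Application Default Credentials (`gcloud auth application-default login`, `GOOGLE_APPLICATION_CREDENTIALS`, or the attached identity on a VM) when `credentials` is unset. Giving the variable `default = null` and passing it through unchanged should make `credentials = null` mean "use ADC" — I believe the provider treats a null attribute as unset, but confirm against the provider version pinned in `main.tf`. The zone is derived as `"${var.google_cloud_region}-a"`; a one-line comment such as `# zone "a" is assumed to exist in every supported region` would spare the next reader a check.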
@@ -0,0 +1,123 @@ +# ------------------------------------------------------------- +# Elastic configuration +# ------------------------------------------------------------- +variable "elastic_gc_region" { + type = string + default = "gcp-europe-west3" +} + +variable "elastic_gc_deployment_name" { + type = string + default = "Google Cloud Observe and Protect" +} + +variable "elastic_gc_deployment_template_id" { + type = string + default = "gcp-io-optimized-v2" +} + +# ------------------------------------------------------------- +# GCP configuration +# ------------------------------------------------------------- + +variable "google_cloud_project" { + type = string + default = "elastic-pme-team" +} + +variable "google_cloud_region" { + type = string + default = "europe-west3" +} + +variable "google_cloud_service_account_path" { + type = string +} + +variable "google_cloud_network" { + type = string + default = "default" +} + +# ------------------------------------------------------------- +# PubSub configuration +# ------------------------------------------------------------- + +//Audit Logs +variable "google_pubsub_audit_topic" { + type = string + default = "elastic-audit-logs" +} + +variable "google_pubsub_audit_filter" { + type = string + default = "protoPayload.@type=\"type.googleapis.com/google.cloud.audit.AuditLog\"" +} + +//Firewall Logs +variable "google_pubsub_firewall_topic" { + type = string + default = "elastic-firewall-logs" +} + +variable "google_pubsub_firewall_filter" { + type = string + default = "logName:\"compute.googleapis.com%2Ffirewall\"" +} + +//VPC Flow Logs +variable "google_pubsub_vpcflow_topic" { + type = string + default = "elastic-vpcflow-logs" +} + +variable "google_pubsub_vpcflow_filter" { + type = string + default = "log_id(\"compute.googleapis.com/vpc_flows\")" +} + +//DNS Logs +variable "google_pubsub_dns_topic" { + type = string + default = "elastic-dns-logs" +} + +variable "google_pubsub_dns_filter" { + type = string + default = 
"resource.type=\"dns_query\"" +} + +//Loadbalancer Logs +variable "google_pubsub_lb_topic" { + type = string + default = "elastic-lb-logs" +} + +variable "google_pubsub_lb_filter" { + type = string + default = "resource.type=\"http_load_balancer\"" +} + +# ------------------------------------------------------------- +# BigQuery configuration -- Not used at the moment +# ------------------------------------------------------------- + +variable "google_cloud_container_spec_gcs_path" { + type = string + default = "gs://dataflow-templates/latest/flex/BigQuery_to_Elasticsearch" +} + +variable "google_cloud_maxNumWorkers" { + type = number + default = 5 +} + +variable "google_cloud_maxRetryAttempts" { + type = string + default = 1 +} + +variable "google_cloud_maxRetryDuration" { + type = string + default = 30 +} \ No newline at end of file diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/main.tf b/examples/multi-cloud-setup/MultiCloud/terraform/main.tf new file mode 100644 index 000000000..30483eebb --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/terraform/main.tf @@ -0,0 +1,23 @@ +terraform { + required_version = ">= 1.0.2" + + required_providers { + ec = { + source = "elastic/ec" + version = ">= 0.4.1" + } + google = { + source = "hashicorp/google" + version = ">= 4.35.0" + } + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = ">= 1.7.0" + } + } +} + diff --git a/examples/multi-cloud-setup/MultiCloud/terraform/modules.tf b/examples/multi-cloud-setup/MultiCloud/terraform/modules.tf new file mode 100644 index 000000000..9f12bef6c --- /dev/null +++ b/examples/multi-cloud-setup/MultiCloud/terraform/modules.tf 
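Review bot: This file duplicates `GoogleCloud/terraform/variables.tf` from the same commit almost line for line, and the copies have already drifted: the BigQuery path variable is `google_cloud_container_spec_gcs_path` here but `google_cloud_container_specs_path` there, and both keep the maintainers' `"elastic-pme-team"` project as the `google_cloud_project` default. `modules.tf` forwards only `google_cloud_project`, `google_cloud_region`, `google_cloud_service_account_path` and `google_cloud_network` into the `gc_environment` module, so the pubsub and BigQuery variables declared here are dead at the root; trimming the file to the inputs actually forwarded removes the drift, and dropping the project default makes a missing `google_cloud_project` fail at plan time instead of targeting a foreign project.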
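Review bot: `required_providers` omits `azurerm`, although `azure_provider.tf` in this commit configures it and `modules.tf` instantiates `../../Azure/terraform`; add an `azurerm = { source = "hashicorp/azurerm", version = "..." }` entry pinned to the version the Azure module (not part of this diff) was written against, so it is not resolved implicitly. `gavinbunney/kubectl` is a third-party community provider pulled in with only a lower bound (`>= 1.7.0`) and nothing visible in this root references it; either drop it or pin it with `~>` and commit `.terraform.lock.hcl` so its checksum is verified on every `init`. The same lower-bound-only `>= 4.35.0` constraint on `google` lets a future major release change behaviour silently.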
@@ -0,0 +1,77 @@
+variable "deploy_aws" {
+ type = bool
+ default = true
+}
+
+variable "deploy_gc" {
+ type = bool
+ default = true
+}
+
+variable "deploy_azure" {
+ type = bool
+ default = true
+}
+
+module "aws_environment" {
+ source = "../../AWS/terraform"
+
+ elastic_version = var.elastic_version
+ elastic_region = var.elastic_aws_region
+ elastic_deployment_name = var.elastic_aws_deployment_name
+ elastic_deployment_template_id = var.elastic_aws_deployment_template_id
+ aws_region = var.aws_region
+ aws_access_key = var.aws_access_key
+ aws_secret_key = var.aws_secret_key
+
+ ###
+ # Uncomment the following line to make the AWS cluster the All in One Cluster via CCS
+ ###
+ //elastic_remotes = [{id = module.gc_environment[0].elastic_cluster_id_google, alias = module.gc_environment[0].elastic_cluster_alias_google}]
+
+ count = (var.deploy_aws == true) ? 1 : 0
+}
+
+module "gc_environment" {
+ source = "../../GoogleCloud/terraform"
+
+ elastic_version = var.elastic_version
+ elastic_region = var.elastic_gc_region
+ elastic_deployment_name = var.elastic_gc_deployment_name
+ elastic_deployment_template_id = var.elastic_gc_deployment_template_id
+
+ google_cloud_project = var.google_cloud_project
+ google_cloud_region = var.google_cloud_region
+ google_cloud_service_account_path = var.google_cloud_service_account_path
+ google_cloud_network = var.google_cloud_network
+
+ ###
+ # Uncomment the following line to make the Google Cloud cluster the All in One Cluster via CCS
+ ###
+ //elastic_remotes = [{id = module.aws_environment[0].elastic_cluster_id_aws, alias = module.aws_environment[0].elastic_cluster_alias_aws}]
+
+ count = (var.deploy_gc == true) ? 1 : 0
+}
+
+module "azure_environment" {
+ source = "../../Azure/terraform"
+
+ elastic_version = var.elastic_version
+ elastic_region = var.elastic_azure_region
+ elastic_deployment_name = var.elastic_azure_deployment_name
+ elastic_deployment_template_id = var.elastic_azure_deployment_template_id
+ elastic_agent_vm_name = var.elastic_agent_vm_name
+
+ azure_region = var.azure_region
+ azure_client_id = var.azure_client_id
+ azure_client_secret = var.azure_client_secret
+ azure_subscription_id = var.azure_subscription_id
+ azure_tenant_id = var.azure_tenant_id
+
+ ###
+ # Uncomment the following line to make the Google Cloud cluster the All in One Cluster via CCS
+ ###
+ //elastic_remotes = [{id = module.aws_environment[0].elastic_cluster_id_aws, alias = module.aws_environment[0].elastic_cluster_alias_aws}]
+
+ count = (var.deploy_azure == true) ? 1 : 0
+}
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/README.md b/examples/multi-cloud-setup/README.md
new file mode 100644
index 000000000..c66abed06
--- /dev/null
+++ b/examples/multi-cloud-setup/README.md
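Review bot: `deploy_azure` defaults to `true`, but `azure_subscription_id`, `azure_client_id`, `azure_client_secret` and `azure_tenant_id` have no defaults and the MultiCloud README's commands pass only `aws.json` and `gcp.json`, so a first `terraform plan` that follows the README prompts interactively for Azure credentials (or fails under `-input=false`); Terraform requires a value for every variable without a default regardless of `count`, so either default `deploy_azure` to `false` or document it in the README's de/activation table next to `deploy_gc` and `deploy_aws`, and give the Azure variables `default = null` plus `sensitive = true` so a disabled Azure leg needs no secret at all. The comment above the azure `elastic_remotes` line says "Google Cloud cluster", a copy-paste from the `gc_environment` block, and should say "Azure cluster". As a point of style, `count = (var.deploy_aws == true) ? 1 : 0` reads more naturally as `count = var.deploy_aws ? 1 : 0` (same for the other two modules).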
@@ -0,0 +1,49 @@
+# Elastic Terraform Examples to build an Multi Cloud Monitoring environment
+
+The project in this repository is creating an Elastic Cloud environment in order to getting started with monitoring and protecting your Cloud Service Providers(CSP) environment in Google, AWS and/or Azure. It is creating all necessary components within the CSPs as well as the in Elastic Cloud using terraform. The whole process will be done in less than 1h.
+
+You can either install every Cloud Environment separatly or choose the MultiCloud project to install everything at once. By choosing MultiCloud the terraform script will also configure the necessary connection between the clusters in order to do Cross Cluster Search(CSS). Because of that each cluster can live in its own Cloud Provider environment (GCP cluster in GCP, AWS cluser in AWS and so on). This will guarantee a low cost footprint when collecting the relevant data from the providers. But because of CCS every cluster can get queried by one main cluster.
+
+## The AWS environment
+
+The AWS example is creating an AWS Monitoring and Enhanced Security environment. It creates all necessary AWS Services as well as the Elastic Cloud Cluster for you. The only thing you need to provide is are AWS account credentials that provide the right permissions as well as the Elastic Cloud API Key. It works both: In [Elastic Cloud directly](https://cloud.elastic.co) or via the [AWS Marketplace option for Elastic Cloud](https://ela.st/aws).
+
+This example will install and configure:
+- Elastic Cluster
+- AWS EC2 instance with Elastic Agent installed and configured to talk to the Elastic Cluster
+- Elastic Agent will be configured to collect available Metric datasets with zero manual configuration
+- Elastic SAR app will be used to install the elastic serverless forwarder to collect Logs from S3 and CloudWatch Log Groups
+- The Elastic Cluster will be configured with the following additional capabilities
+ - Preloaded all Elastic Security Detection rules and enabled all AWS related rules
+
+## The Google Cloud Environment
+
+The Google Cloud example is creating a Google Cloud Monitoring and Enhanced Security environment. It creates all necessary Google Cloud Services as well as the Elastic Cloud Cluster for you. The only thing you need to provide is an appropriate Google Cloud Service account that has the right permissions and the Elastic Cloud API Key. It works both: In [Elastic Cloud directly](https://cloud.elastic.co) or via the [Google Cloud Marketplace option for Elastic Cloud](https://ela.st/google).
+
+This example will install and configure:
+- Elastic Cluster
+- Google Cloud Compute engine with Elastic Agent installed and configured to talk to the Elastic Cluster
+- Google Cloud Log routers (Log sinks) with the appropriate filters for Audit, Firewall, VPC Flow, DNS and Loadbalancer Logs.
+- Google Cloud PubSub topics to collects the log types above +- Elastic Agent will be configured to collect all the logs and all available Google Cloud Metric datasets with zero manual configuration +- The Elastic Cluster will be configured with the following additional capabilities + - Single pane of glass Google Cloud Dashboard + - Google Cloud Cost optimizer dashboard + - Google Cloud Storage bucket analyzer dashboard + - Elastic transforms to prepare the data for the installed dashboards + - Preloaded all Elastic Security Detection rules and enabled all Google Cloud related rules + +## Getting started + +You can decide if you like to install the environment for all Cloud Providers at once or each once independently from each other. No matter what you prefer you need to deploy it within the [MultiCloud](MultiCloud) folder. Before you do that you need to prepare your environment. You will find the comprehensive Getting Started description also within the [MultiCloud](MultiCloud) folder. + +# More Elasticsearch terraform examples + +Other terraform + elastic examples can be found here: +- [Patent Search](https://github.com/MarxDimitri/solution-accelerators/tree/main/patent-search) using Google Cloud BigQuery public dataset + +Kibana Dashboards and other Elastic extensions can be found here +- [Elastic Content Share](https://elastic-content-share.eu/) +- [AWS Cloudformation template](https://elastic-content-share.eu/blog/how-to-create-elastic-cloud-cluster-via-aws-cloud-formation-template/) + + diff --git a/examples/multi-cloud-setup/lib/elastic_api/es_api_key.sh b/examples/multi-cloud-setup/lib/elastic_api/es_api_key.sh new file mode 100644 index 000000000..d4ac79962 --- /dev/null +++ b/examples/multi-cloud-setup/lib/elastic_api/es_api_key.sh 
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_ENDPOINT=\(.elastic_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) API_KEY_BODY=\(.api_key_body)"')"
+
+output=$(curl -s -X POST -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H 'Content-Type:application/json' -d "$API_KEY_BODY" \
+ ${ELASTIC_ENDPOINT}/_security/api_key | jq '.')
+
+ENCODED=$( echo $output | jq -r '.encoded' )
+jq -n --arg encoded "$ENCODED" '{"encoded" : $encoded}'
diff --git a/examples/multi-cloud-setup/lib/elastic_api/es_create_ilm_policy.sh b/examples/multi-cloud-setup/lib/elastic_api/es_create_ilm_policy.sh
new file mode 100644
index 000000000..5ac8fda54
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/es_create_ilm_policy.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.elastic_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body)"')"
+
+# Define mapping
+output=$(curl -s -X ${ELASTIC_HTTP_METHOD} -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H 'Content-Type:application/json' -d "$ELASTIC_JSON_BODY" \
+ ${ELASTIC_ENDPOINT}/_ilm/policy/patent_search_rollover_policy | jq '.')
+
+# Return response
+ACKNOWLEDGED=$( echo $output | jq -r '.acknowledged' )
+jq -n --arg acknowledged "$ACKNOWLEDGED" '{"acknowledged" : $acknowledged}'
diff --git a/examples/multi-cloud-setup/lib/elastic_api/es_create_mapping.sh b/examples/multi-cloud-setup/lib/elastic_api/es_create_mapping.sh
new file mode 100644
index 000000000..b6ffd3432
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/es_create_mapping.sh
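Review bot: A failed request still produces `{"encoded": "null"}` with exit status 0, because neither curl's exit status nor the HTTP status is checked and the script sets no `-e`/`pipefail`, so Terraform carries on with the literal string `null` as the API key. Add `set -euo pipefail` after the shebang and `-f` (`--fail`) to the curl call so a 4xx/5xx makes the external data source fail visibly. `${ELASTIC_ENDPOINT}` in the URL and `echo $output` are unquoted and subject to word splitting and globbing; write `"${ELASTIC_ENDPOINT}/_security/api_key"` and `jq -r '.encoded' <<<"$output"`. The same three issues recur in every other lib/elastic_api script in this commit (es_create_ilm_policy.sh, es_create_mapping.sh, es_create_transform.sh, es_start_transform.sh, kb_add_integration_to_policy.sh, kb_create_agent_policy.sh, kb_enable_detection_rules.sh, kb_load_detection_rules.sh, kb_upload_saved_objects.sh). Passing the password as `-u user:pass` also exposes it in process listings on the machine running terraform; curl can read the credential from a config file or stdin (`-K -`) instead.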
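Review bot: The policy name `patent_search_rollover_policy` is hard-coded in the request URL, which looks carried over from the Patent Search example the README links to rather than something this multi-cloud setup needs; every other script here takes its resource name from the JSON input. Take it from the input as well, e.g. add `ELASTIC_POLICY_NAME=\(.elastic_policy_name)` to the `@sh` template and request `"${ELASTIC_ENDPOINT}/_ilm/policy/${ELASTIC_POLICY_NAME}"`. The `# Define mapping` comment is inaccurate here (the call creates an ILM policy) and is repeated verbatim in es_create_transform.sh, es_start_transform.sh and all kb_*.sh scripts; a one-line comment naming the actual API call in each would help.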
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.elastic_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body) ELASTIC_INDEX_NAME=\(.elastic_index_name)"')"
+
+# Create index
+# output=$(curl -s -X ${ELASTIC_HTTP_METHOD} -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+# ${ELASTIC_ENDPOINT}/${ELASTIC_INDEX_NAME})
+
+# Define mapping
+output=$(curl -s -X ${ELASTIC_HTTP_METHOD} -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H 'Content-Type:application/json' -d "$ELASTIC_JSON_BODY" \
+ ${ELASTIC_ENDPOINT}/${ELASTIC_INDEX_NAME} | jq '.')
+
+# Return response
+ACKNOWLEDGED=$( echo $output | jq -r '.acknowledged' )
+jq -n --arg acknowledged "$ACKNOWLEDGED" '{"acknowledged" : $acknowledged}'
diff --git a/examples/multi-cloud-setup/lib/elastic_api/es_create_transform.sh b/examples/multi-cloud-setup/lib/elastic_api/es_create_transform.sh
new file mode 100644
index 000000000..c3d9e0a96
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/es_create_transform.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "TRANSFORM_NAME=\(.transform_name) ELASTIC_ENDPOINT=\(.elastic_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body)"')"
+
+# Define mapping
+output=$(curl -s -X PUT -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H 'Content-Type:application/json' -d "$ELASTIC_JSON_BODY" \
+ ${ELASTIC_ENDPOINT}/_transform/${TRANSFORM_NAME} | jq '.')
+
+# Return response
+ACKNOWLEDGED=$( echo $output | jq -r '.acknowledged' )
+jq -n --arg acknowledged "$ACKNOWLEDGED" '{"acknowledged" : $acknowledged}'
+
+
diff --git a/examples/multi-cloud-setup/lib/elastic_api/es_start_transform.sh b/examples/multi-cloud-setup/lib/elastic_api/es_start_transform.sh
new file mode 100644
index 000000000..b9070a8dc
--- /dev/null
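Review bot: The commented-out `# Create index` block is dead code that duplicates the live request below it minus headers and body; either drop it or add a comment explaining when a body-less create would be needed. `ELASTIC_HTTP_METHOD` comes straight from the input and is placed unquoted in `-X ${ELASTIC_HTTP_METHOD}`; quoting it as `-X "$ELASTIC_HTTP_METHOD"` and rejecting anything other than the expected PUT/POST keeps a typo in the Terraform call from becoming an unintended request against the index. The same unquoted method argument appears in es_create_ilm_policy.sh and kb_upload_saved_objects.sh.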
+++ b/examples/multi-cloud-setup/lib/elastic_api/es_start_transform.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "TRANSFORM_NAME=\(.transform_name) ELASTIC_ENDPOINT=\(.elastic_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body)"')"
+
+# Define mapping
+output=$(curl -s -X POST -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ ${ELASTIC_ENDPOINT}/_transform/${TRANSFORM_NAME}/_start | jq '.')
+
+# Return response
+ACKNOWLEDGED=$( echo $output | jq -r '.acknowledged' )
+jq -n --arg acknowledged "$ACKNOWLEDGED" '{"acknowledged" : $acknowledged}'
+
+
diff --git a/examples/multi-cloud-setup/lib/elastic_api/kb_add_integration_to_policy.sh b/examples/multi-cloud-setup/lib/elastic_api/kb_add_integration_to_policy.sh
new file mode 100644
index 000000000..96ee8b9a4
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/kb_add_integration_to_policy.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.kibana_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body)"')"
+
+# Define mapping
+output=$(curl -s -X POST -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H "kbn-xsrf: true" -H 'Content-Type:application/json' -d "$ELASTIC_JSON_BODY" \
+ ${ELASTIC_ENDPOINT}/api/fleet/package_policies | jq '.')
+
+# Return response
+ID=$( echo $output | jq -r '.item.id' )
+SUCCESS=$( echo $output | jq -r '.success' )
+ERROR=$( echo $output | jq -r '.error' )
+MESSAGE=$( echo $output | jq -r '.message' )
+
+jq -n --arg id "$ID" --arg success "$SUCCESS" --arg error "$ERROR" --arg message "$MESSAGE" '{"id": $id, "success" : $success, "error": $error, "message": $message}'
\ No newline at end of file
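Review bot: `ELASTIC_JSON_BODY` is parsed from the input but never used, since the `_start` request sends no body; remove it from the `@sh` template so callers are not led to believe a body is honoured. The same unused-input pattern appears in kb_load_detection_rules.sh, where `SO_FILE` is parsed and never referenced.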
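Review bot: An error response is flattened into strings and returned with exit status 0, so Terraform records `error`/`message` in state but the apply continues even though the integration was not added to the policy. Since `ERROR` is already extracted, fail the data source when it is set: `if [ "$ERROR" != "null" ]; then printf '%s\n' "$output" >&2; exit 1; fi` just before the final `jq -n`. `ELASTIC_HTTP_METHOD` is parsed but the method is hard-coded to POST here and in kb_create_agent_policy.sh, kb_enable_detection_rules.sh and kb_load_detection_rules.sh; either use it or drop it from the template.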
diff --git a/examples/multi-cloud-setup/lib/elastic_api/kb_create_agent_policy.sh b/examples/multi-cloud-setup/lib/elastic_api/kb_create_agent_policy.sh
new file mode 100644
index 000000000..10eee3467
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/kb_create_agent_policy.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.kibana_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body)"')"
+
+# Define mapping
+output=$(curl -s -X POST -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H "kbn-xsrf: true" -H 'Content-Type:application/json' -d "$ELASTIC_JSON_BODY" \
+ ${ELASTIC_ENDPOINT}/api/fleet/agent_policies?sys_monitoring=true | jq '.')
+
+# Return response
+ID=$( echo $output | jq -r '.item.id' )
+SUCCESS=$( echo $output | jq -r '.success' )
+ERROR=$( echo $output | jq -r '.error' )
+MESSAGE=$( echo $output | jq -r '.message' )
+
+if [ "${ERROR}" = "Conflict" ] ;then
+ ##Regex to extract agent ID from the error message
+ ID=$( echo $MESSAGE | grep -P "'[0-9a-z\-]+'" -o | grep -P "[0-9a-z\-]+" -o )
+fi
+
+jq -n --arg id "$ID" --arg success "$SUCCESS" --arg error "$ERROR" --arg message "$MESSAGE" '{"id": $id, "success" : $success, "error": $error, "message": $message}'
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/lib/elastic_api/kb_enable_detection_rules.sh b/examples/multi-cloud-setup/lib/elastic_api/kb_enable_detection_rules.sh
new file mode 100644
index 000000000..479b6b142
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/kb_enable_detection_rules.sh
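Review bot: The Conflict branch extracts the existing policy id with `grep -P`, which is GNU-only (absent on macOS/BSD and BusyBox, where this external data source may well run) and depends on the quoting inside Kibana's message text. Bash can do the same match without forking twice: `[[ "$MESSAGE" =~ \'([0-9a-z-]+)\' ]] && ID=${BASH_REMATCH[1]}`. When nothing matches, `ID` keeps the `.item.id` value, which is `null` on a conflict, so the caller receives the string `null` as a policy id; treating an empty match as a failure (non-zero exit) would surface that instead of propagating it. `echo $MESSAGE` is also unquoted and would glob or split on the message contents.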
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.kibana_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) ELASTIC_JSON_BODY=\(.elastic_json_body)"')"
+
+# Define mapping
+output=$(curl -s -X POST -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H "kbn-xsrf: true" -H 'Content-Type:application/json' -d "$ELASTIC_JSON_BODY" \
+ ${ELASTIC_ENDPOINT}/api/detection_engine/rules/_bulk_action | jq '.')
+
+# Return response
+SUCCESS=$( echo $output | jq -r '.success' )
+
+jq -n --arg success "$SUCCESS" '{"success" : $success}'
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/lib/elastic_api/kb_load_detection_rules.sh b/examples/multi-cloud-setup/lib/elastic_api/kb_load_detection_rules.sh
new file mode 100644
index 000000000..975785bc3
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/kb_load_detection_rules.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.kibana_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) SO_FILE=\(.so_file)"')"
+
+# Define mapping
+output=$(curl -s -X PUT -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H "kbn-xsrf: true" \
+ ${ELASTIC_ENDPOINT}/api/detection_engine/rules/prepackaged | jq '.')
+
+# Return response
+RULES=$( echo $output | jq -r '.rules_installed' )
+
+jq -n --arg rules "$RULES" '{"rules" : $rules}'
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/lib/elastic_api/kb_upload_saved_objects.sh b/examples/multi-cloud-setup/lib/elastic_api/kb_upload_saved_objects.sh
new file mode 100644
index 000000000..215348ae4
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/elastic_api/kb_upload_saved_objects.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+eval "$(jq -r '@sh "ELASTIC_HTTP_METHOD=\(.elastic_http_method) ELASTIC_ENDPOINT=\(.kibana_endpoint) ELASTIC_USERNAME=\(.elastic_username) ELASTIC_PASSWORD=\(.elastic_password) SO_FILE=\(.so_file)"')"
+
+# Define mapping
+output=$(curl -s -X ${ELASTIC_HTTP_METHOD} -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" \
+ -H "kbn-xsrf: true" --form file=@${SO_FILE} \
+ ${ELASTIC_ENDPOINT}/api/saved_objects/_import | jq '.')
+
+# Return response
+SUCCESS=$( echo $output | jq -r '.success' )
+ERROR=$( echo $output | jq -r '.error' )
+MESSAGE=$( echo $output | jq -r '.message' )
+
+jq -n --arg success "$SUCCESS" --arg error "$ERROR" --arg message "$MESSAGE" '{"success" : $success, "error": $error, "message": $message}'
\ No newline at end of file
diff --git a/examples/multi-cloud-setup/lib/scripts/agent_install.sh b/examples/multi-cloud-setup/lib/scripts/agent_install.sh
new file mode 100644
index 000000000..c3682556c
--- /dev/null
+++ b/examples/multi-cloud-setup/lib/scripts/agent_install.sh
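Review bot: `--form file=@${SO_FILE}` is unquoted, so a saved-objects path containing spaces or glob characters breaks the upload or uploads the wrong file; write `--form "file=@${SO_FILE}"`. The script also exits 0 whatever the outcome, so a failed import only shows up as strings in the data source result and the apply keeps going; if the import API reports `success` as a boolean, as the `.success` extraction assumes, exiting non-zero when `SUCCESS` is not `true` would stop the apply at the right step.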
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+#######
+## INIT
+######
+
+export ES_VERSION=${elastic_version}
+export CLOUD_AUTH=${elasticsearch_username}:${elasticsearch_password}
+export KIBANA_URL=${kibana_endpoint}
+integration_server_endpoint=${integration_server_endpoint}
+export FLEET_URL=$${integration_server_endpoint//apm/fleet}
+export HOST_POLICY_ID=${policy_id}
+
+
+echo "deb http://us.archive.ubuntu.com/ubuntu vivid main universe" | sudo tee -a /etc/apt/sources.list
+sudo apt-get update
+sudo apt-get --assume-yes install jq
+
+#########
+## install agent
+#########
+
+## get version
+version=$(curl -XGET -u $CLOUD_AUTH "$${KIBANA_URL}/api/status" -H "kbn-xsrf: true" -H "Content-Type: application/json" | jq -r '.version.number')
+echo ES_VERSION=$version >> /etc/.env
+export ES_VERSION=$version
+
+echo "Command: curl -XGET -u $CLOUD_AUTH \"$${KIBANA_URL}/api/fleet/enrollment_api_keys\""
+
+response=$(curl -XGET -u $CLOUD_AUTH "$${KIBANA_URL}/api/fleet/enrollment_api_keys" -H "kbn-xsrf: true" -H "Content-Type: application/json")
+echo $response
+
+echo "using $${HOST_POLICY_ID}"
+
+endpoint_enroll_key=$( jq -r --arg policy_id "$${HOST_POLICY_ID}" '.list[] | select(.policy_id == $policy_id) | .api_key' <<< "$${response}" )
+export HOST_ENROLL_KEY=$endpoint_enroll_key
+echo HOST_ENROLL_KEY=$endpoint_enroll_key >> /etc/.env
+
+echo "Loading agent"
+curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-$ES_VERSION-linux-x86_64.tar.gz
+sleep 30
+
+echo "Unpack agent"
+tar xzvf elastic-agent-$ES_VERSION-linux-x86_64.tar.gz
+cd elastic-agent-$ES_VERSION-linux-x86_64
+
+echo "Install agent"
+echo "Command: ./elastic-agent install --url=$FLEET_URL --enrollment-token=$HOST_ENROLL_KEY -f"
+./elastic-agent install --url=$FLEET_URL --enrollment-token=$HOST_ENROLL_KEY -f
+cd ..
+rm elastic-agent-$ES_VERSION-linux-x86_64 -r
+rm elastic-agent-$ES_VERSION-linux-x86_64.tar.gz
\ No newline at end of file
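Review bot: `echo "Command: curl -XGET -u $CLOUD_AUTH ..."` and the later `echo "Command: ./elastic-agent install ... --enrollment-token=$HOST_ENROLL_KEY -f"` print the Elasticsearch password and the Fleet enrollment token to stdout, which for a user-data/startup script ends up in the instance's console and system logs; `echo $response` does the same for every enrollment key Fleet returns, so log these with the credential omitted or drop the lines. The enrollment token is also appended to `/etc/.env` without setting its mode and without `sudo`, unlike the apt steps, so it either fails when the script is not run as root or is persisted with whatever the default umask allows. Appending `deb http://us.archive.ubuntu.com/ubuntu vivid main universe` to sources.list pulls in an end-of-life release just to obtain `jq`, which current Ubuntu releases ship in their own `universe` component; `sudo apt-get --assume-yes install jq` alone should suffice. The agent tarball is downloaded with no integrity check; fetching the `.sha512` file Elastic publishes next to it and running `sha512sum -c` before `tar xzvf` closes that gap, and the `sleep 30` after a synchronous `curl -O` is unnecessary. Because the `${elasticsearch_username}`/`${elasticsearch_password}` interpolations show this is rendered as a Terraform template, the cluster password is baked into the instance user-data, which is typically readable by any local process via the metadata service; looking up the enrollment token on the Terraform side and passing only that short-lived value would keep the password off the VM.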