diff --git a/packages/cisco_duo/_dev/build/docs/README.md b/packages/cisco_duo/_dev/build/docs/README.md index 37740f9a8c5..2acee3a9f90 100644 --- a/packages/cisco_duo/_dev/build/docs/README.md +++ b/packages/cisco_duo/_dev/build/docs/README.md @@ -1,6 +1,6 @@ # Cisco Duo -The Cisco Duo integration collects and parses data from the [Cisco Duo Admin APIs](https://duo.com/docs/adminapi). +The Cisco Duo integration collects and parses data from the [Cisco Duo Admin APIs](https://duo.com/docs/adminapi). The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform. ## Compatibility 
@@ -16,11 +16,33 @@ In order to ingest data from the Cisco Duo Admin API you must: - For this integration you will require **Grant read information** and **Grant read log** permissions. - Make sure you have whitelisted your IP Address. -## Note +More details for each step can be found at [First steps](https://duo.com/docs/adminapi#first-steps). -While setting up the interval take care of following. -- `Interval has to be greater than 1m.` -- `Larger values of interval might cause delay in data ingestion.` +## Data streams + +The Cisco Duo integration collects logs for the following types of events. + +- [**Administrator Logs**](https://duo.com/docs/adminapi#administrator-logs) +- [**Authentication Logs**](https://duo.com/docs/adminapi#authentication-logs) +- [**Offline Enrollment Logs**](https://duo.com/docs/adminapi#offline-enrollment-logs) +- [**Summary**](https://duo.com/docs/adminapi#retrieve-summary) +- [**Telephony Logs**](https://duo.com/docs/adminapi#telephony-logs) +- [**Telephony Logs (legacy)**](https://duo.com/docs/adminapi#telephony-logs-(legacy-v1)) + +## V2 Handlers + +Cisco Duo has implemented v2 handlers for some endpoints. In these cases, the API v1 handler remains supported, but will be limited or deprecated in the future. + +From data streams listed above, v2 handlers are supported for Authentication and Telephony Logs at the moment. It is recommended to migrate data streams to the v2 endpoints when they become available. + +## Configuration + +The following considerations should be taken into account when configuring the integration. + +- Interval has to be greater or equal than `1m`. +- The Duo Admin API retrieves records from the last 180 days up to as recently as two minutes before the API request. Consider this when configuring the `Initial interval` parameter for the v2 API endpoints, as it doesn't support `d` as a suffix, its maximum value is `4320h` which corresponds to that 180 days. 
+- For v2 API endpoints, a new parameter `limit` has been added to control the number of records per response. Default value is 100 and can be incresead until 1000. +- Larger values of interval might cause delay in data ingestion. ## Logs @@ -62,4 +84,12 @@ This is the `telephony` dataset. {{event "telephony"}} -{{fields "telephony"}} \ No newline at end of file +{{fields "telephony"}} + +### Telephony v2 + +This is the `telephony_v2` dataset. + +{{event "telephony_v2"}} + +{{fields "telephony_v2"}} diff --git a/packages/cisco_duo/_dev/deploy/docker/files/config.yml b/packages/cisco_duo/_dev/deploy/docker/files/config.yml index ab3ea945875..57682a0fc0b 100644 --- a/packages/cisco_duo/_dev/deploy/docker/files/config.yml +++ b/packages/cisco_duo/_dev/deploy/docker/files/config.yml 
@@ -42,3 +42,63 @@ rules: {"response": [ {"context":"administrator login","credits":5,"isotimestamp":"2021-07-22T12:59:30+00:00","phone":"+121234512345","timestamp":1626958770,"type":"phone"},{"context":"verify","credits":1,"isotimestamp":"2021-08-16T06:03:32+00:00","phone":"+121234512345","timestamp":1629093812,"type":"sms"},{"context": "authentication","credits": 1,"isotimestamp":"2020-03-20T15:38:12+00:00","phone":"+121234512345","timestamp":1584718692,"type":"sms"} ], "stat": "OK"} + - path: /admin/v2/logs/telephony + methods: ["GET"] + query_params: + next_offset: "1666714065304,5bf1a860-fe39-49e3-be29-217659663a74" + responses: + - status_code: 200 + body: |- + { + "stat": "OK", + "response": { + "items": [ + { + "context": "administrator login", + "credits": 0, + "phone": "+13135559542", + "telephony_id": "5bf1a860-fe39-49e3-be29-217659663a74", + "ts": "2022-10-25T16:07:45.304526+00:00", + "txid": "fb0c129b-f994-4d3d-953b-c3e764272eb7", + "type": "sms" + } + ], + "metadata": { + "total_objects": 1 + } + } + } + - path: /admin/v2/logs/telephony + methods: ["GET"] + responses: + - status_code: 200 + body: |- + { + "stat": "OK", + "response": { + "items": [ + { + "context": "enrollment", + "credits": 1, + "phone": "+12125556707", + "telephony_id": "220f89ff-bff8-4466-b6cb-b7787940ce68", + "ts": "2023-03-21T22:34:49.466370+00:00", + "txid": "2f5d34d3-053f-422c-9dd4-77a5d58706b1", + "type": "sms" + }, + { + "context": "authentication", + "credits": 2, + "phone": "+17345551311", + "telephony_id": "60799fee-f08f-4ba8-971f-4e53b3473e9a", + "ts": "2023-01-26T20:54:12.573580+00:00", + "txid": "373bd5f3-1e42-4a5d-aefa-b33ae278fac8", + "type": "phone" + } + ], + "metadata": { + "next_offset": "1666714065304,5bf1a860-fe39-49e3-be29-217659663a74", + "total_objects": 2 + } + } + } diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml index 1409ac514a3..b99a712c892 100644 --- a/packages/cisco_duo/changelog.yml 
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,15 @@
 # newer versions go on top
+- version: "2.0.0"
+ changes:
+ - description: Migrate to CEL input for data streams that use v2 API.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11200
+ - description: Add Telephony v2 data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11200
+ - description: Update dashboards and documentation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11200
 - version: "1.26.0"
 changes:
 - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/system/test-default-config.yml b/packages/cisco_duo/data_stream/auth/_dev/test/system/test-default-config.yml
index 06d22089346..7a5da73e7db 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/system/test-default-config.yml
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/system/test-default-config.yml
@@ -4,7 +4,7 @@ vars:
 hostname: http://{{Hostname}}:{{Port}}
 secret_key: 40_characters_long_secret_key
 integration_key: temp_integration_key
+ enable_request_tracer: true
 data_stream:
 vars:
 preserve_original_event: true
- enable_request_tracer: true
diff --git a/packages/cisco_duo/data_stream/auth/agent/stream/cel.yml.hbs b/packages/cisco_duo/data_stream/auth/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..af089a89886
--- /dev/null
+++ b/packages/cisco_duo/data_stream/auth/agent/stream/cel.yml.hbs
@@ -0,0 +1,162 @@ +config_version: 2 +interval: {{interval}} +resource.url: {{hostname}} + +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +resource.tracer.maxsize: 5 +{{/if}} + +regexp: + "next_offset_timestamp": '^\d+' + +state: + url: {{hostname}} + integration_key: {{integration_key}} + secret_key: {{secret_key}} + limit: {{limit}} + initial_interval: {{initial_interval}} + want_more: false +redact: + fields: + - secret_key + +program: | + ( + state.want_more ? + state + : + state.with({ + "mintime": state.?cursor.last_published.orValue(int(now - duration(state.initial_interval)) * 1000), + "maxtime": int(now - duration("2m")) * 1000, + "date": now.format(time_layout.RFC1123Z), + }) + ).as(state, state.with( + request( + "GET", + state.?want_more.orValue(false) ? + state.next_url + : + state.url.trim_right("/") + "/admin/v2/logs/authentication?" + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + "sort": ["ts:asc"], + }.format_query() + ).with( + { + "Header": { + "Content-Type": ["application/x-www-form-urlencoded"], + "Date": [state.date], + "Authorization": ["Basic " + ( + state.integration_key + ":" + ( + [ + state.date, + "GET", + state.url.trim_prefix("https://"), + "/admin/v2/logs/authentication", + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + ?"next_offset": has(state.next_offset) ? + optional.of([string(state.next_offset)]) + : + optional.none(), + "sort": ["ts:asc"], + }.format_query() + ].join("\n") + .hmac("sha1", bytes(state.secret_key)) + .hex() + ) + ).base64()], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + bytes(resp.Body).decode_json().as(body, has(body.?response.authlogs) && size(body.response.authlogs) > 0 ? 
+ { + "events": body.response.authlogs.map(item, + { + "message": item.encode_json(), + } + ), + "url": state.url, + "integration_key": state.integration_key, + "secret_key": state.secret_key, + "limit": state.limit, + "mintime": state.mintime, + "maxtime": state.maxtime, + "date": now.format(time_layout.RFC1123Z), + "want_more": has(body.?response.?metadata.next_offset), + ?"next_offset": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + optional.of(string(body.response.metadata.next_offset)) + : + optional.none(), + "next_url": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + ( + state.url.trim_right("/") + "/admin/v2/logs/authentication?" + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + "next_offset": [string(body.response.metadata.next_offset)], + "sort": ["ts:asc"], + }.format_query() + ) + : + state.url, + "cursor": { + ?"last_published": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + optional.of(body.response.metadata.next_offset.re_find("next_offset_timestamp")) + : + optional.none(), + } + } + : + { + "events":[], + "want_more": false, + } + + ) + : + bytes(resp.Body).decode_json().as(body, + { + "events": { + "error": { + "code": has(body.code) ? string(body.code) : string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: " + + ( + (has(body.message) && body.message != "") ? + string(body.message) + + (has(body.message_detail) ? 
+ ": " + string(body.message_detail) + : + "" + ) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + ) + )) + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_duo/data_stream/auth/manifest.yml b/packages/cisco_duo/data_stream/auth/manifest.yml index e0d61088116..8225edec0a7 100644 --- a/packages/cisco_duo/data_stream/auth/manifest.yml +++ b/packages/cisco_duo/data_stream/auth/manifest.yml @@ -1,8 +1,24 @@ type: logs title: Cisco Duo authentication logs streams: - - input: httpjson + - input: cel + enabled: false vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + show_user: false + required: true + default: 4320h + description: How far back to pull Telephony logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s. + - name: limit + type: integer + title: Limit + description: Maximum number of records to fetch on each request. Max is 1000. + show_user: false + required: true + default: 100 - name: tags type: text title: Tags @@ -28,6 +44,6 @@ streams: show_user: false description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - template_path: httpjson.yml.hbs + template_path: cel.yml.hbs title: Cisco Duo authentication logs description: Collect Cisco Duo authentication logs 
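Review bot: On a final page the returned map omits `next_offset` (`optional.none()`), so `state.with` keeps the previous page's value in state; the next scheduled run then takes the non-`want_more` branch and builds the URL without `next_offset`, while `has(state.next_offset)` still adds it to the signed canonical string, so the HMAC covers different parameters than the request carries and Duo should reject it — unless the input clears non-cursor keys between runs, which I cannot confirm from here. Independently, `cursor.last_published` is only set when `next_offset` is present, so a fetch that fits in one page never advances the cursor (and, if `with` replaces the `cursor` map wholesale, the last page of a longer fetch leaves it empty), making the next run fall back to `now - initial_interval` and re-pull up to 180 days every interval; the `state.maxtime` just requested is the right value to record there. Building the query map once and using it for both the URL and the signature removes the drift and the separate `next_url`, as sketched below. The telephony program in `packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs` has the same structure (with `/admin/v2/logs/telephony` and `body.response.items`) and needs the same change. The docker mock in `packages/cisco_duo/_dev/deploy/docker/files/config.yml` does not verify signatures, so the system tests pass regardless.
```yaml
  ).as(state,
    {
      "limit": [string(int(state.limit))],
      "maxtime": [string(int(state.maxtime))],
      "mintime": [string(int(state.mintime))],
      // sign exactly what is sent: next_offset is a query parameter only while paginating
      ?"next_offset": (state.want_more && has(state.next_offset)) ?
        optional.of([string(state.next_offset)])
      :
        optional.none(),
      "sort": ["ts:asc"],
    }.as(params, state.with(
      request(
        "GET",
        state.url.trim_right("/") + "/admin/v2/logs/authentication?" + params.format_query()
      ).with(
        {
          "Header": {
            "Content-Type": ["application/x-www-form-urlencoded"],
            "Date": [state.date],
            "Authorization": ["Basic " + (
              state.integration_key + ":" + (
                [
                  state.date,
                  "GET",
                  state.url.trim_prefix("https://"),
                  "/admin/v2/logs/authentication",
                  params.format_query()
                ].join("\n")
                .hmac("sha1", bytes(state.secret_key))
                .hex()
              )
            ).base64()],
          },
        }
      ).do_request().as(resp, (resp.StatusCode == 200) ?
        bytes(resp.Body).decode_json().as(body,
          (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null).as(has_next,
            has(body.?response.authlogs) && size(body.response.authlogs) > 0 ?
              {
                // … unchanged: events, url, integration_key, secret_key, limit, mintime, maxtime, date …
                "want_more": has_next,
                ?"next_offset": has_next ? optional.of(string(body.response.metadata.next_offset)) : optional.none(),
                "cursor": {
                  // on the final page record the upper bound just requested so the next run resumes from it
                  "last_published": has_next ?
                    int(body.response.metadata.next_offset.re_find("next_offset_timestamp"))
                  :
                    state.maxtime,
                },
              }
            :
              {
                "events": [],
                "want_more": false,
                "cursor": {"last_published": state.maxtime},
              }
          )
        )
      :
        // … unchanged: error branch …
      )
    ))
  )
```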
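Review bot: The `initial_interval` description added to the auth stream reads `How far back to pull Telephony logs from the Cisco Duo API.`, a copy from the telephony stream; it should say `Authentication logs`. The hunk also adds `enabled: false` to an input that previously had no `enabled` key, so users upgrading to 2.0.0 would find the authentication stream switched off until they re-enable it; if that is intended, it belongs in the changelog as a `breaking-change` (the 2.0.0 entries are all `enhancement`) and in the README, otherwise the line should go. The `limit` description promises a maximum of 1000 but nothing enforces it; if the manifest schema cannot constrain the value, clamping `int(state.limit)` in the CEL program, or stating in the description what the API does with larger values, would avoid surprises.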
diff --git a/packages/cisco_duo/data_stream/auth/sample_event.json b/packages/cisco_duo/data_stream/auth/sample_event.json index 2022a794799..1b5992d9701 100644 --- a/packages/cisco_duo/data_stream/auth/sample_event.json +++ b/packages/cisco_duo/data_stream/auth/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-02-13T18:56:20.000Z", "agent": { - "ephemeral_id": "d12366d8-e76c-4b7a-a521-cf8f709b7fd3", - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "name": "docker-fleet-agent", + "ephemeral_id": "1db72ca4-3a98-4d58-9502-353229adb966", + "id": "50f2e03e-cb60-4d41-b1dc-57dd6c65753c", + "name": "elastic-agent-19338", "type": "filebeat", - "version": "8.8.0" + "version": "8.13.0" }, "cisco_duo": { "auth": { 
@@ -46,25 +46,24 @@ }, "data_stream": { "dataset": "cisco_duo.auth", - "namespace": "ep", + "namespace": "16086", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "snapshot": true, - "version": "8.8.0" + "id": "50f2e03e-cb60-4d41-b1dc-57dd6c65753c", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], - "created": "2023-05-10T14:55:22.717Z", "dataset": "cisco_duo.auth", - "ingested": "2023-05-10T14:55:23Z", + "ingested": "2024-09-30T16:10:27Z", "kind": "event", "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":null},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}", "outcome": "success", @@ -74,7 +73,7 @@ ] }, "input": { - "type": "httpjson" + "type": "cel" }, "related": { "hosts": [ 
diff --git a/packages/cisco_duo/data_stream/telephony/manifest.yml b/packages/cisco_duo/data_stream/telephony/manifest.yml index 9ffac8e0fdf..45c8859b5ca 100644 --- a/packages/cisco_duo/data_stream/telephony/manifest.yml +++ b/packages/cisco_duo/data_stream/telephony/manifest.yml @@ -1,5 +1,5 @@ type: logs -title: Cisco Duo telephony logs +title: Cisco Duo telephony logs (legacy) streams: - input: httpjson vars: @@ -29,5 +29,5 @@ streams: description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. template_path: httpjson.yml.hbs - title: Cisco Duo telephony logs - description: Collect Cisco Duo telephony logs + title: Cisco Duo telephony logs (legacy) + description: Collect Cisco Duo telephony logs. This is the legacy data stream that collects Telephony logs from the v1 API endpoint. Enable Telephony v2 to collect logs from the v2 API endpoint. diff --git a/packages/cisco_duo/data_stream/telephony/sample_event.json b/packages/cisco_duo/data_stream/telephony/sample_event.json index aa6c2a06551..08a3660adcd 100644 --- a/packages/cisco_duo/data_stream/telephony/sample_event.json +++ b/packages/cisco_duo/data_stream/telephony/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-03-20T15:38:12.000Z", "agent": { - "ephemeral_id": "fc6cd027-e67d-45f2-81f3-547c668998c6", - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "name": "docker-fleet-agent", + "ephemeral_id": "e8ad4b18-fbaa-4216-91a3-4607968d61f3", + "id": "0e034435-4ea5-4a95-9f07-151a1467f7d9", + "name": "elastic-agent-20659", "type": "filebeat", - "version": "8.8.0" + "version": "8.13.0" }, "cisco_duo": { "telephony": { 
@@ -17,22 +17,22 @@ }, "data_stream": { "dataset": "cisco_duo.telephony", - "namespace": "ep", + "namespace": "52653", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "snapshot": true, - "version": "8.8.0" + "id": "0e034435-4ea5-4a95-9f07-151a1467f7d9", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-05-10T14:57:17.933Z", + "created": "2024-09-30T16:13:10.700Z", "dataset": "cisco_duo.telephony", - "ingested": "2023-05-10T14:57:18Z", + "ingested": "2024-09-30T16:13:11Z", "kind": "event", "original": "{\"context\":\"authentication\",\"credits\":1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}" }, diff --git a/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-common-config.yml b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-telephony-v2.log b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-telephony-v2.log new file mode 100644 index 00000000000..e61480cba7a --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-telephony-v2.log 
@@ -0,0 +1,3 @@
+{"context":"enrollment","credits":1,"phone":"+12125556707","telephony_id":"220f89ff-bff8-4466-b6cb-b7787940ce68","ts":"2023-03-21T22:34:49.466370+00:00","txid":"2f5d34d3-053f-422c-9dd4-77a5d58706b1","type":"sms"}
+{"context":"authentication","credits":2,"phone":"+17345551311","telephony_id":"60799fee-f08f-4ba8-971f-4e53b3473e9a","ts":"2023-01-26T20:54:12.573580+00:00","txid":"373bd5f3-1e42-4a5d-aefa-b33ae278fac8","type":"phone"}
+{"context":"administrator login","credits":0,"phone":"+13135559542","telephony_id":"5bf1a860-fe39-49e3-be29-217659663a74","ts":"2022-10-25T16:07:45.304526+00:00","txid":"fb0c129b-f994-4d3d-953b-c3e764272eb7","type":"sms"}
diff --git a/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-telephony-v2.log-expected.json b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-telephony-v2.log-expected.json
new file mode 100644
index 00000000000..8fdbb2ec2fd
--- /dev/null
+++ b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/pipeline/test-telephony-v2.log-expected.json
@@ -0,0 +1,76 @@ +{ + "expected": [ + { + "@timestamp": "2023-03-21T22:34:49.466Z", + "cisco_duo": { + "telephony_v2": { + "credits": 1, + "event_type": "enrollment", + "id": "220f89ff-bff8-4466-b6cb-b7787940ce68", + "phone_number": "+12125556707", + "txid": "2f5d34d3-053f-422c-9dd4-77a5d58706b1", + "type": "sms" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "220f89ff-bff8-4466-b6cb-b7787940ce68", + "kind": "event", + "original": "{\"context\":\"enrollment\",\"credits\":1,\"phone\":\"+12125556707\",\"telephony_id\":\"220f89ff-bff8-4466-b6cb-b7787940ce68\",\"ts\":\"2023-03-21T22:34:49.466370+00:00\",\"txid\":\"2f5d34d3-053f-422c-9dd4-77a5d58706b1\",\"type\":\"sms\"}" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-01-26T20:54:12.573Z", + "cisco_duo": { + "telephony_v2": { + "credits": 2, + "event_type": "authentication", + "id": "60799fee-f08f-4ba8-971f-4e53b3473e9a", + "phone_number": "+17345551311", + "txid": "373bd5f3-1e42-4a5d-aefa-b33ae278fac8", + "type": "phone" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "60799fee-f08f-4ba8-971f-4e53b3473e9a", + "kind": "event", + "original": "{\"context\":\"authentication\",\"credits\":2,\"phone\":\"+17345551311\",\"telephony_id\":\"60799fee-f08f-4ba8-971f-4e53b3473e9a\",\"ts\":\"2023-01-26T20:54:12.573580+00:00\",\"txid\":\"373bd5f3-1e42-4a5d-aefa-b33ae278fac8\",\"type\":\"phone\"}" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-10-25T16:07:45.304Z", + "cisco_duo": { + "telephony_v2": { + "credits": 0, + "event_type": "administrator login", + "id": "5bf1a860-fe39-49e3-be29-217659663a74", + "phone_number": "+13135559542", + "txid": "fb0c129b-f994-4d3d-953b-c3e764272eb7", + "type": "sms" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "5bf1a860-fe39-49e3-be29-217659663a74", + "kind": "event", + "original": "{\"context\":\"administrator 
login\",\"credits\":0,\"phone\":\"+13135559542\",\"telephony_id\":\"5bf1a860-fe39-49e3-be29-217659663a74\",\"ts\":\"2022-10-25T16:07:45.304526+00:00\",\"txid\":\"fb0c129b-f994-4d3d-953b-c3e764272eb7\",\"type\":\"sms\"}" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_duo/data_stream/telephony_v2/_dev/test/system/test-default-config.yml b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..86a63c6911c --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +input: cel +service: cisco_duo +vars: + hostname: http://{{Hostname}}:{{Port}} + secret_key: 40_characters_long_secret_key + integration_key: temp_integration_key + enable_request_tracer: true +data_stream: + vars: + preserve_original_event: true +assert: + hit_count: 3 diff --git a/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs b/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..58444702db0 --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs 
@@ -0,0 +1,162 @@ +config_version: 2 +interval: {{interval}} +resource.url: {{hostname}} + +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +resource.tracer.maxsize: 5 +{{/if}} + +regexp: + "next_offset_timestamp": '^\d+' + +state: + url: {{hostname}} + integration_key: {{integration_key}} + secret_key: {{secret_key}} + limit: {{limit}} + initial_interval: {{initial_interval}} + want_more: false +redact: + fields: + - secret_key + +program: | + ( + state.want_more ? + state + : + state.with({ + "mintime": state.?cursor.last_published.orValue(int(now - duration(state.initial_interval)) * 1000), + "maxtime": int(now - duration("2m")) * 1000, + "date": now.format(time_layout.RFC1123Z), + }) + ).as(state, state.with( + request( + "GET", + state.?want_more.orValue(false) ? + state.next_url + : + state.url.trim_right("/") + "/admin/v2/logs/telephony?" + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + "sort": ["ts:asc"], + }.format_query() + ).with( + { + "Header": { + "Content-Type": ["application/x-www-form-urlencoded"], + "Date": [state.date], + "Authorization": ["Basic " + ( + state.integration_key + ":" + ( + [ + state.date, + "GET", + state.url.trim_prefix("https://"), + "/admin/v2/logs/telephony", + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + ?"next_offset": has(state.next_offset) ? + optional.of([string(state.next_offset)]) + : + optional.none(), + "sort": ["ts:asc"], + }.format_query() + ].join("\n") + .hmac("sha1", bytes(state.secret_key)) + .hex() + ) + ).base64()], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + bytes(resp.Body).decode_json().as(body, has(body.?response.items) && size(body.response.items) > 0 ? 
+ { + "events": body.response.items.map(item, + { + "message": item.encode_json(), + } + ), + "url": state.url, + "integration_key": state.integration_key, + "secret_key": state.secret_key, + "limit": state.limit, + "mintime": state.mintime, + "maxtime": state.maxtime, + "date": now.format(time_layout.RFC1123Z), + "want_more": has(body.?response.?metadata.next_offset), + ?"next_offset": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + optional.of(string(body.response.metadata.next_offset)) + : + optional.none(), + "next_url": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + ( + state.url.trim_right("/") + "/admin/v2/logs/telephony?" + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + "next_offset": [string(body.response.metadata.next_offset)], + "sort": ["ts:asc"], + }.format_query() + ) + : + state.url, + "cursor": { + ?"last_published": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + optional.of(body.response.metadata.next_offset.re_find("next_offset_timestamp")) + : + optional.none(), + } + } + : + { + "events":[], + "want_more": false, + } + + ) + : + bytes(resp.Body).decode_json().as(body, + { + "events": { + "error": { + "code": has(body.code) ? string(body.code) : string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: " + + ( + (has(body.message) && body.message != "") ? + string(body.message) + + (has(body.message_detail) ? 
+ ": " + string(body.message_detail) + : + "" + ) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + ) + )) + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_duo/data_stream/telephony_v2/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/telephony_v2/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..168ad63c22d --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/elasticsearch/ingest_pipeline/default.yml 
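Review bot: The host written into the canonical string is `state.url.trim_prefix("https://")`, whereas the request path is built from `state.url.trim_right("/")`, so a `hostname` entered with a trailing slash signs a host ending in `/` and the request is rejected; `state.url.trim_prefix("https://").trim_right("/")`, or normalizing `url` once in `state`, keeps the two in step. In the non-200 branch `bytes(resp.Body).decode_json()` runs unconditionally, so a non-JSON body, such as an intermediary's error page, fails the program instead of producing the structured `error` event the branch is written for; checking the `Content-Type` in `resp.Header` before decoding, with `resp.Status` as the fallback message, would keep that path robust. The auth program in `packages/cisco_duo/data_stream/auth/agent/stream/cel.yml.hbs` has the same two constructs.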
@@ -0,0 +1,87 @@ +--- +description: Pipeline for parsing cisco_duo telephony v2 logs +processors: + - set: + field: ecs.version + value: '8.11.0' + - set: + field: event.kind + value: event + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + target_field: json + on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - drop: + description: Drop if no timestamp (invalid json) + if: ctx.json?.ts == null + - fingerprint: + fields: + - json.ts + - json.phone + - json.telephony_id + - json.txid + target_field: _id + ignore_missing: true + - date: + field: json.ts + if: ctx.json?.ts != null + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - rename: + field: json.context + target_field: cisco_duo.telephony_v2.event_type + ignore_missing: true + - rename: + field: json.credits + target_field: cisco_duo.telephony_v2.credits + ignore_missing: true + - rename: + field: json.phone + target_field: cisco_duo.telephony_v2.phone_number + ignore_missing: true + - rename: + field: json.type + target_field: cisco_duo.telephony_v2.type + ignore_missing: true + - rename: + field: json.telephony_id + target_field: cisco_duo.telephony_v2.id + ignore_missing: true + - set: + field: event.id + copy_from: cisco_duo.telephony_v2.id + ignore_failure: true + - rename: + field: json.txid + target_field: cisco_duo.telephony_v2.txid + ignore_missing: true + + ## Clean up + - remove: + field: json + 
ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/cisco_duo/data_stream/telephony_v2/fields/agent.yml b/packages/cisco_duo/data_stream/telephony_v2/fields/agent.yml new file mode 100644 index 00000000000..f833857d0fe --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/fields/agent.yml @@ -0,0 +1,36 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: containerized + type: boolean + description: >- + If the host is a container. + - name: os.build + type: keyword + example: "18D109" + description: >- + OS build information. + - name: os.codename + type: keyword + example: "stretch" + description: >- + OS codename, if any. +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
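Review bot: The `json` processor's `on_failure` marks a malformed record as `pipeline_error`, but the `drop` right after it discards the same event because `ctx.json?.ts` is null, so the handler is dead code and unparseable input vanishes without a trace in the index; if dropping is intended, remove the handler, otherwise guard the drop with `if: ctx.json?.ts == null && ctx.event?.kind != 'pipeline_error'` (such events then need a `@timestamp`, e.g. a `set` from `_ingest.timestamp`). The `if: ctx.json?.ts != null` on the `date` processor is always true once the drop has run and can go. The events get `event.kind: event` but no `event.category`/`event.type`, which ECS-based dashboards and rules key on; if Duo's `context` values map cleanly, setting them here is worth considering, otherwise a comment stating why they are left unset would help the next maintainer.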
diff --git a/packages/cisco_duo/data_stream/telephony_v2/fields/base-fields.yml b/packages/cisco_duo/data_stream/telephony_v2/fields/base-fields.yml new file mode 100644 index 00000000000..f2c8a85b392 --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_duo +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_duo.telephony_v2 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cisco_duo/data_stream/telephony_v2/fields/fields.yml b/packages/cisco_duo/data_stream/telephony_v2/fields/fields.yml new file mode 100644 index 00000000000..337989ffe3b --- /dev/null +++ b/packages/cisco_duo/data_stream/telephony_v2/fields/fields.yml @@ -0,0 +1,27 @@ +- name: cisco_duo.telephony_v2 + type: group + fields: + - name: event_type + type: keyword + description: | + The context under which this telephony event was used (e.g. Administrator Login). + - name: credits + type: integer + description: | + How many telephony credits this event used. + - name: id + type: keyword + description: | + A unique identifier for the telephony event. + - name: phone_number + type: keyword + description: | + The phone number that initiated this event. + - name: txid + type: keyword + description: | + A unique identifier that relates to the successful authentication attempt using this telephony event. + - name: type + type: keyword + description: | + The event type. Either "sms" or "phone". 
diff --git a/packages/cisco_duo/data_stream/telephony_v2/manifest.yml b/packages/cisco_duo/data_stream/telephony_v2/manifest.yml
new file mode 100644
index 00000000000..3517d77bc8b
--- /dev/null
+++ b/packages/cisco_duo/data_stream/telephony_v2/manifest.yml
@@ -0,0 +1,49 @@
+type: logs
+title: Cisco Duo authentication logs
+streams:
+ - input: cel
+ enabled: false
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ show_user: false
+ required: true
+ default: 4320h
+ description: How far back to pull Telephony logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s.
+ - name: limit
+ type: integer
+ title: Limit
+ description: Maximum number of records to fetch on each request. Max is 1000.
+ show_user: false
+ required: true
+ default: 100
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-telephony_v2
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ template_path: cel.yml.hbs
+ title: Cisco Duo Telephony v2 logs
+ description: Collect Cisco Duo Telephony logs. It pulls logs from the v2 API endpoint.
diff --git a/packages/cisco_duo/data_stream/telephony_v2/sample_event.json b/packages/cisco_duo/data_stream/telephony_v2/sample_event.json
new file mode 100644
index 00000000000..63cb03dec02
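Review bot: The data stream's top-level `title: Cisco Duo authentication logs` on the second line of the new manifest contradicts the stream's own `title: Cisco Duo Telephony v2 logs` near the end of the hunk and looks copied from the auth stream; it should read `title: Cisco Duo telephony v2 logs`. The `limit` description states "Max is 1000" and `initial_interval` states a `4320h` maximum, but the manifest declares no bounds for either, so an out-of-range value is presumably only caught when the Duo API rejects the request at collection time. Consider saying so in the two descriptions, or bounding the values in the CEL template (`cel.yml.hbs`), which is not part of this diff.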
--- /dev/null
+++ b/packages/cisco_duo/data_stream/telephony_v2/sample_event.json
@@ -0,0 +1,49 @@
+{
+ "@timestamp": "2022-10-25T16:07:45.304Z",
+ "agent": {
+ "ephemeral_id": "cfc63710-9c78-4d83-acc6-cc1f17ea61ae",
+ "id": "04bc48e2-1bc2-4745-baec-658738d836f3",
+ "name": "elastic-agent-56970",
+ "type": "filebeat",
+ "version": "8.13.0"
+ },
+ "cisco_duo": {
+ "telephony_v2": {
+ "credits": 0,
+ "event_type": "administrator login",
+ "id": "5bf1a860-fe39-49e3-be29-217659663a74",
+ "phone_number": "+13135559542",
+ "txid": "fb0c129b-f994-4d3d-953b-c3e764272eb7",
+ "type": "sms"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.telephony_v2",
+ "namespace": "98588",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "04bc48e2-1bc2-4745-baec-658738d836f3",
+ "snapshot": false,
+ "version": "8.13.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "cisco_duo.telephony_v2",
+ "id": "5bf1a860-fe39-49e3-be29-217659663a74",
+ "ingested": "2024-09-30T16:14:08Z",
+ "kind": "event",
+ "original": "{\"context\":\"administrator login\",\"credits\":0,\"phone\":\"+13135559542\",\"telephony_id\":\"5bf1a860-fe39-49e3-be29-217659663a74\",\"ts\":\"2022-10-25T16:07:45.304526+00:00\",\"txid\":\"fb0c129b-f994-4d3d-953b-c3e764272eb7\",\"type\":\"sms\"}"
+ },
+ "input": {
+ "type": "cel"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-telephony_v2"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/docs/README.md b/packages/cisco_duo/docs/README.md
index 70e2a6e9e59..725d27e4f19 100644
--- a/packages/cisco_duo/docs/README.md
+++ b/packages/cisco_duo/docs/README.md
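Review bot: The sample event sets `"kind": "event"` but carries no `event.category` or `event.type`, whereas the `auth` sample further down in this diff sets `"category": ["authentication"]`; the `telephony_v2` ingest pipeline is not in this diff, so it is unclear whether ECS categorization was left out deliberately. Worth confirming, because detection rules and dashboards keyed on `event.category`/`event.type` will not see these events otherwise. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other new files in the data stream.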
@@ -1,6 +1,6 @@ # Cisco Duo -The Cisco Duo integration collects and parses data from the [Cisco Duo Admin APIs](https://duo.com/docs/adminapi). +The Cisco Duo integration collects and parses data from the [Cisco Duo Admin APIs](https://duo.com/docs/adminapi). The Duo Admin API provides programmatic access to the administrative functionality of Duo Security's two-factor authentication platform. ## Compatibility 
@@ -16,11 +16,33 @@ In order to ingest data from the Cisco Duo Admin API you must: - For this integration you will require **Grant read information** and **Grant read log** permissions. - Make sure you have whitelisted your IP Address. -## Note +More details for each step can be found at [First steps](https://duo.com/docs/adminapi#first-steps). -While setting up the interval take care of following. -- `Interval has to be greater than 1m.` -- `Larger values of interval might cause delay in data ingestion.` +## Data streams + +The Cisco Duo integration collects logs for the following types of events. + +- [**Administrator Logs**](https://duo.com/docs/adminapi#administrator-logs) +- [**Authentication Logs**](https://duo.com/docs/adminapi#authentication-logs) +- [**Offline Enrollment Logs**](https://duo.com/docs/adminapi#offline-enrollment-logs) +- [**Summary**](https://duo.com/docs/adminapi#retrieve-summary) +- [**Telephony Logs**](https://duo.com/docs/adminapi#telephony-logs) +- [**Telephony Logs (legacy)**](https://duo.com/docs/adminapi#telephony-logs-(legacy-v1)) + +## V2 Handlers + +Cisco Duo has implemented v2 handlers for some endpoints. In these cases, the API v1 handler remains supported, but will be limited or deprecated in the future. + +From data streams listed above, v2 handlers are supported for Authentication and Telephony Logs at the moment. It is recommended to migrate data streams to the v2 endpoints when they become available. + +## Configuration + +The following considerations should be taken into account when configuring the integration. + +- Interval has to be greater or equal than `1m`. +- The Duo Admin API retrieves records from the last 180 days up to as recently as two minutes before the API request. Consider this when configuring the `Initial interval` parameter for the v2 API endpoints, as it doesn't support `d` as a suffix, its maximum value is `4320h` which corresponds to that 180 days. 
+- For v2 API endpoints, a new parameter `limit` has been added to control the number of records per response. Default value is 100 and can be incresead until 1000. +- Larger values of interval might cause delay in data ingestion. ## Logs @@ -126,11 +148,11 @@ An example event for `auth` looks as following: { "@timestamp": "2020-02-13T18:56:20.000Z", "agent": { - "ephemeral_id": "d12366d8-e76c-4b7a-a521-cf8f709b7fd3", - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "name": "docker-fleet-agent", + "ephemeral_id": "1db72ca4-3a98-4d58-9502-353229adb966", + "id": "50f2e03e-cb60-4d41-b1dc-57dd6c65753c", + "name": "elastic-agent-19338", "type": "filebeat", - "version": "8.8.0" + "version": "8.13.0" }, "cisco_duo": { "auth": { 
@@ -171,25 +193,24 @@ An example event for `auth` looks as following: }, "data_stream": { "dataset": "cisco_duo.auth", - "namespace": "ep", + "namespace": "16086", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "snapshot": true, - "version": "8.8.0" + "id": "50f2e03e-cb60-4d41-b1dc-57dd6c65753c", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], - "created": "2023-05-10T14:55:22.717Z", "dataset": "cisco_duo.auth", - "ingested": "2023-05-10T14:55:23Z", + "ingested": "2024-09-30T16:10:27Z", "kind": "event", "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":null},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}", "outcome": "success", 
@@ -199,7 +220,7 @@ An example event for `auth` looks as following: ] }, "input": { - "type": "httpjson" + "type": "cel" }, "related": { "hosts": [ @@ -506,11 +527,11 @@ An example event for `telephony` looks as following: { "@timestamp": "2020-03-20T15:38:12.000Z", "agent": { - "ephemeral_id": "fc6cd027-e67d-45f2-81f3-547c668998c6", - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "name": "docker-fleet-agent", + "ephemeral_id": "e8ad4b18-fbaa-4216-91a3-4607968d61f3", + "id": "0e034435-4ea5-4a95-9f07-151a1467f7d9", + "name": "elastic-agent-20659", "type": "filebeat", - "version": "8.8.0" + "version": "8.13.0" }, "cisco_duo": { "telephony": { @@ -522,22 +543,22 @@ An example event for `telephony` looks as following: }, "data_stream": { "dataset": "cisco_duo.telephony", - "namespace": "ep", + "namespace": "52653", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "snapshot": true, - "version": "8.8.0" + "id": "0e034435-4ea5-4a95-9f07-151a1467f7d9", + "snapshot": false, + "version": "8.13.0" }, "event": { "agent_id_status": "verified", - "created": "2023-05-10T14:57:17.933Z", + "created": "2024-09-30T16:13:10.700Z", "dataset": "cisco_duo.telephony", - "ingested": "2023-05-10T14:57:18Z", + "ingested": "2024-09-30T16:13:11Z", "kind": "event", "original": "{\"context\":\"authentication\",\"credits\":1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}" }, 
@@ -572,3 +593,86 @@ An example event for `telephony` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | + + +### Telephony v2 + +This is the `telephony_v2` dataset. + +An example event for `telephony_v2` looks as following: + +```json +{ + "@timestamp": "2022-10-25T16:07:45.304Z", + "agent": { + "ephemeral_id": "cfc63710-9c78-4d83-acc6-cc1f17ea61ae", + "id": "04bc48e2-1bc2-4745-baec-658738d836f3", + "name": "elastic-agent-56970", + "type": "filebeat", + "version": "8.13.0" + }, + "cisco_duo": { + "telephony_v2": { + "credits": 0, + "event_type": "administrator login", + "id": "5bf1a860-fe39-49e3-be29-217659663a74", + "phone_number": "+13135559542", + "txid": "fb0c129b-f994-4d3d-953b-c3e764272eb7", + "type": "sms" + } + }, + "data_stream": { + "dataset": "cisco_duo.telephony_v2", + "namespace": "98588", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "04bc48e2-1bc2-4745-baec-658738d836f3", + "snapshot": false, + "version": "8.13.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_duo.telephony_v2", + "id": "5bf1a860-fe39-49e3-be29-217659663a74", + "ingested": "2024-09-30T16:14:08Z", + "kind": "event", + "original": "{\"context\":\"administrator login\",\"credits\":0,\"phone\":\"+13135559542\",\"telephony_id\":\"5bf1a860-fe39-49e3-be29-217659663a74\",\"ts\":\"2022-10-25T16:07:45.304526+00:00\",\"txid\":\"fb0c129b-f994-4d3d-953b-c3e764272eb7\",\"type\":\"sms\"}" + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-telephony_v2" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.telephony_v2.credits | How many telephony credits this event used. | integer | +| cisco_duo.telephony_v2.event_type | The context under which this telephony event was used (e.g. 
Administrator Login). | keyword | +| cisco_duo.telephony_v2.id | A unique identifier for the telephony event. | keyword | +| cisco_duo.telephony_v2.phone_number | The phone number that initiated this event. | keyword | +| cisco_duo.telephony_v2.txid | A unique identifier that relates to the successful authentication attempt using this telephony event. | keyword | +| cisco_duo.telephony_v2.type | The event type. Either "sms" or "phone". | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.containerized | If the host is a container. | boolean | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | + diff --git a/packages/cisco_duo/img/cisco_duo-screenshot.png b/packages/cisco_duo/img/cisco_duo-screenshot.png deleted file mode 100644 index 1270f7f8cfa..00000000000 Binary files a/packages/cisco_duo/img/cisco_duo-screenshot.png and /dev/null differ diff --git a/packages/cisco_duo/img/dashboard-admin.png b/packages/cisco_duo/img/dashboard-admin.png new file mode 100644 index 00000000000..8a6262537ad Binary files /dev/null and b/packages/cisco_duo/img/dashboard-admin.png differ diff --git a/packages/cisco_duo/img/dashboard-auth.png b/packages/cisco_duo/img/dashboard-auth.png new file mode 100644 index 00000000000..147d239f3e1 Binary files /dev/null and b/packages/cisco_duo/img/dashboard-auth.png differ 
diff --git a/packages/cisco_duo/img/dashboard-offline-enrollment.png b/packages/cisco_duo/img/dashboard-offline-enrollment.png new file mode 100644 index 00000000000..9b740faeede Binary files /dev/null and b/packages/cisco_duo/img/dashboard-offline-enrollment.png differ diff --git a/packages/cisco_duo/img/dashboard-summary.png b/packages/cisco_duo/img/dashboard-summary.png new file mode 100644 index 00000000000..040107cf457 Binary files /dev/null and b/packages/cisco_duo/img/dashboard-summary.png differ diff --git a/packages/cisco_duo/img/dashboard-telephony.png b/packages/cisco_duo/img/dashboard-telephony.png new file mode 100644 index 00000000000..9506655764f Binary files /dev/null and b/packages/cisco_duo/img/dashboard-telephony.png differ diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-2eb22f90-34c3-11ed-81dc-5d9e1bd8e06a.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-5a0b80af-49ad-42ee-89b7-c89faa927826.json similarity index 88% rename from packages/cisco_duo/kibana/dashboard/cisco_duo-2eb22f90-34c3-11ed-81dc-5d9e1bd8e06a.json rename to packages/cisco_duo/kibana/dashboard/cisco_duo-5a0b80af-49ad-42ee-89b7-c89faa927826.json index c0d9abd1069..15adb10e85c 100644 --- a/packages/cisco_duo/kibana/dashboard/cisco_duo-2eb22f90-34c3-11ed-81dc-5d9e1bd8e06a.json +++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-5a0b80af-49ad-42ee-89b7-c89faa927826.json @@ -1,7 +1,6 @@ { "attributes": { "description": "This dashboard shows offline enrollment logs collected by the Cisco Duo integration.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": true, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ 
@@ -97,20 +98,18 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 10, - "i": "7b809536-a834-4eb3-aed0-cefa61cd3c21", + "i": "de790bb8-4fab-4b79-9245-cfc4b17a37ca", "w": 12, "x": 0, "y": 0 }, - "panelIndex": "7b809536-a834-4eb3-aed0-cefa61cd3c21", - "title": "Unique Integration Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "de790bb8-4fab-4b79-9245-cfc4b17a37ca", + "title": "[Cisco Duo] Unique Integration Count", + "type": "lens" }, { "embeddableConfig": { @@ -170,20 +169,18 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 10, - "i": "b53df0c5-658b-4856-812d-c85e63cada33", + "i": "91dd45c2-b3fc-49c5-b667-eb271f867e54", "w": 12, "x": 12, "y": 0 }, - "panelIndex": "b53df0c5-658b-4856-812d-c85e63cada33", - "title": "Unique Action Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "91dd45c2-b3fc-49c5-b667-eb271f867e54", + "title": "[Cisco Duo] Unique Action Count", + "type": "lens" }, { "embeddableConfig": { @@ -243,20 +240,18 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 10, - "i": "5159139d-2c1e-48e8-926b-01b980b12a67", + "i": "580a4a6a-b22e-49f2-a2e1-05e0f63db27a", "w": 12, "x": 24, "y": 0 }, - "panelIndex": "5159139d-2c1e-48e8-926b-01b980b12a67", - "title": "Unique User Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "580a4a6a-b22e-49f2-a2e1-05e0f63db27a", + "title": "[Cisco Duo] Unique User Count", + "type": "lens" }, { "embeddableConfig": { 
@@ -316,30 +311,23 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 10, - "i": "30541431-2761-42f6-ab92-23c470b97d9d", + "i": "1d9e89df-663d-42f1-8c3b-59c313febead", "w": 12, "x": 36, "y": 0 }, - "panelIndex": "30541431-2761-42f6-ab92-23c470b97d9d", - "title": "Unique Hostname Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "1d9e89df-663d-42f1-8c3b-59c313febead", + "title": "[Cisco Duo] Unique Hostname Count", + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-a892e2ed-02b6-462d-8ea3-1a0cf0326448", @@ -349,6 +337,7 @@ "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { "a892e2ed-02b6-462d-8ea3-1a0cf0326448": { "columnOrder": [ @@ -385,7 +374,8 @@ "sourceField": "cisco_duo.offline_enrollment.description.factor" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } @@ -399,6 +389,24 @@ "layers": [ { "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, "layerId": "a892e2ed-02b6-462d-8ea3-1a0cf0326448", "layerType": "data", "legendDisplay": "default", 
@@ -421,20 +429,18 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "95604399-93ea-4592-8ba4-6c8eeb63d608", + "i": "a855c9ec-27cd-4f9d-afc0-45374fee2023", "w": 24, "x": 0, "y": 10 }, - "panelIndex": "95604399-93ea-4592-8ba4-6c8eeb63d608", - "title": "Factor Used for Offline Enrollment [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "a855c9ec-27cd-4f9d-afc0-45374fee2023", + "title": "[Cisco Duo] Factor Used for Offline Enrollment", + "type": "lens" }, { "embeddableConfig": { @@ -520,20 +526,18 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "3441f8fd-719d-4a60-a44c-1e2d238425cf", + "i": "b2de6365-fd4b-4074-8943-04139b88c63d", "w": 24, "x": 24, "y": 10 }, - "panelIndex": "3441f8fd-719d-4a60-a44c-1e2d238425cf", - "title": "Top 10 Offline Enrollment Actions by User [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "b2de6365-fd4b-4074-8943-04139b88c63d", + "title": "[Cisco Duo] Top 10 Offline Enrollment Actions by User", + "type": "lens" }, { "embeddableConfig": { 
@@ -648,32 +652,29 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "58649ad7-84cd-4a90-98e4-4817d39c429a", + "i": "6bb8d5ec-7e19-4ff3-b147-3d8e873901af", "w": 48, "x": 0, "y": 25 }, - "panelIndex": "58649ad7-84cd-4a90-98e4-4817d39c429a", - "title": "Top 10 Offline Enrollment Actions [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "6bb8d5ec-7e19-4ff3-b147-3d8e873901af", + "title": "[Cisco Duo] Top 10 Offline Enrollment Actions", + "type": "lens" } ], "timeRestore": false, "title": "[Logs Cisco Duo] Offline Enrollment", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-05T05:59:59.595Z", - "id": "cisco_duo-2eb22f90-34c3-11ed-81dc-5d9e1bd8e06a", - "migrationVersion": { - "dashboard": "8.7.0" + "version": 2 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-20T14:20:26.779Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "cisco_duo-5a0b80af-49ad-42ee-89b7-c89faa927826", + "managed": false, "references": [ { "id": "metrics-*", 
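Review bot: The rewritten saved-object trailer adds `"created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"`, and the references hunk that follows adds the matching `updated_by`; these are Kibana user-profile uids of the account that exported the dashboard and serve no purpose in a packaged asset, while the previous export carried neither. Consider stripping both before publishing so the package does not embed an operator identifier. The second dashboard in this diff was presumably exported the same way; its trailer is outside this view, so check it too.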
@@ -682,74 +683,76 @@ }, { "id": "logs-*", - "name": "7b809536-a834-4eb3-aed0-cefa61cd3c21:indexpattern-datasource-current-indexpattern", + "name": "de790bb8-4fab-4b79-9245-cfc4b17a37ca:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "7b809536-a834-4eb3-aed0-cefa61cd3c21:indexpattern-datasource-layer-02874d02-f771-41cc-a01e-019bdaefe5e7", + "name": "de790bb8-4fab-4b79-9245-cfc4b17a37ca:indexpattern-datasource-layer-02874d02-f771-41cc-a01e-019bdaefe5e7", "type": "index-pattern" }, { "id": "logs-*", - "name": "b53df0c5-658b-4856-812d-c85e63cada33:indexpattern-datasource-current-indexpattern", + "name": "91dd45c2-b3fc-49c5-b667-eb271f867e54:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "b53df0c5-658b-4856-812d-c85e63cada33:indexpattern-datasource-layer-010c28dc-70fb-494b-80fe-e82f2052cac9", + "name": "91dd45c2-b3fc-49c5-b667-eb271f867e54:indexpattern-datasource-layer-010c28dc-70fb-494b-80fe-e82f2052cac9", "type": "index-pattern" }, { "id": "logs-*", - "name": "5159139d-2c1e-48e8-926b-01b980b12a67:indexpattern-datasource-current-indexpattern", + "name": "580a4a6a-b22e-49f2-a2e1-05e0f63db27a:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "5159139d-2c1e-48e8-926b-01b980b12a67:indexpattern-datasource-layer-d581f4a8-527d-4222-bfea-8460aee2a075", + "name": "580a4a6a-b22e-49f2-a2e1-05e0f63db27a:indexpattern-datasource-layer-d581f4a8-527d-4222-bfea-8460aee2a075", "type": "index-pattern" }, { "id": "logs-*", - "name": "30541431-2761-42f6-ab92-23c470b97d9d:indexpattern-datasource-current-indexpattern", + "name": "1d9e89df-663d-42f1-8c3b-59c313febead:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "30541431-2761-42f6-ab92-23c470b97d9d:indexpattern-datasource-layer-04b82c04-b596-4d12-8a0d-37af27e64a86", + "name": 
"1d9e89df-663d-42f1-8c3b-59c313febead:indexpattern-datasource-layer-04b82c04-b596-4d12-8a0d-37af27e64a86", "type": "index-pattern" }, { "id": "logs-*", - "name": "95604399-93ea-4592-8ba4-6c8eeb63d608:indexpattern-datasource-current-indexpattern", + "name": "a855c9ec-27cd-4f9d-afc0-45374fee2023:indexpattern-datasource-layer-a892e2ed-02b6-462d-8ea3-1a0cf0326448", "type": "index-pattern" }, { "id": "logs-*", - "name": "95604399-93ea-4592-8ba4-6c8eeb63d608:indexpattern-datasource-layer-a892e2ed-02b6-462d-8ea3-1a0cf0326448", + "name": "b2de6365-fd4b-4074-8943-04139b88c63d:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "3441f8fd-719d-4a60-a44c-1e2d238425cf:indexpattern-datasource-current-indexpattern", + "name": "b2de6365-fd4b-4074-8943-04139b88c63d:indexpattern-datasource-layer-7e7e8256-99ca-4524-a785-9977f4505134", "type": "index-pattern" }, { "id": "logs-*", - "name": "3441f8fd-719d-4a60-a44c-1e2d238425cf:indexpattern-datasource-layer-7e7e8256-99ca-4524-a785-9977f4505134", + "name": "6bb8d5ec-7e19-4ff3-b147-3d8e873901af:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "58649ad7-84cd-4a90-98e4-4817d39c429a:indexpattern-datasource-current-indexpattern", + "name": "6bb8d5ec-7e19-4ff3-b147-3d8e873901af:indexpattern-datasource-layer-2554e0ca-ffec-4a0c-8813-137409a317b9", "type": "index-pattern" }, { - "id": "logs-*", - "name": "58649ad7-84cd-4a90-98e4-4817d39c429a:indexpattern-datasource-layer-2554e0ca-ffec-4a0c-8813-137409a317b9", - "type": "index-pattern" + "id": "cisco_duo-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" -} \ No newline at end of file + "type": "dashboard", + "typeMigrationVersion": "8.9.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} 
diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-7e997350-34c9-11ed-81dc-5d9e1bd8e06a.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-7a135061-78a3-45d9-951b-4b9b665fa729.json similarity index 54% rename from packages/cisco_duo/kibana/dashboard/cisco_duo-7e997350-34c9-11ed-81dc-5d9e1bd8e06a.json rename to packages/cisco_duo/kibana/dashboard/cisco_duo-7a135061-78a3-45d9-951b-4b9b665fa729.json index 5c33bc94bfa..18a787556a7 100644 --- a/packages/cisco_duo/kibana/dashboard/cisco_duo-7e997350-34c9-11ed-81dc-5d9e1bd8e06a.json +++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-7a135061-78a3-45d9-951b-4b9b665fa729.json @@ -1,7 +1,6 @@ { "attributes": { - "description": "This dashboard shows telephony logs collected by the Cisco Duo integration.", - "hits": 0, + "description": "This dashboard shows administrator logs collected by the Cisco Duo integration.", "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -12,17 +11,18 @@ "meta": { "alias": null, "disabled": false, + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "data_stream.dataset", "negate": false, "params": { - "query": "cisco_duo.telephony" + "query": "cisco_duo.admin" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "cisco_duo.telephony" + "data_stream.dataset": "cisco_duo.admin" } } } @@ -36,6 +36,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": true, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ 
@@ -45,104 +47,95 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2895cd64-3005-4aa0-8806-aebfcec6337b", + "name": "indexpattern-datasource-layer-e1b0ed4b-f945-43ac-9f08-85b3ae396239", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "2895cd64-3005-4aa0-8806-aebfcec6337b": { + "e1b0ed4b-f945-43ac-9f08-85b3ae396239": { "columnOrder": [ - "9e1f961e-ec9b-4d87-b039-aee519938af0", - "df5605f4-cf9a-4300-a04e-0d27bd93403c" + "3f89f982-6876-4f85-8e02-5bd78823313e", + "62067742-d1f6-4516-aef7-e20243d5a663" ], "columns": { - "9e1f961e-ec9b-4d87-b039-aee519938af0": { + "3f89f982-6876-4f85-8e02-5bd78823313e": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Phone Number", + "label": "Username", "operationType": "terms", "params": { "missingBucket": false, "orderBy": { - "columnId": "df5605f4-cf9a-4300-a04e-0d27bd93403c", + "columnId": "62067742-d1f6-4516-aef7-e20243d5a663", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, - "size": 5 + "otherBucket": false, + "size": 10 }, "scale": "ordinal", - "sourceField": "cisco_duo.telephony.phone_number" + "sourceField": "user.name" }, - "df5605f4-cf9a-4300-a04e-0d27bd93403c": { + "62067742-d1f6-4516-aef7-e20243d5a663": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Credits", - "operationType": "sum", + "label": "Number of Actions Performed", + "operationType": "count", "scale": "ratio", - "sourceField": "cisco_duo.telephony.credits" + "sourceField": "___records___" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": 
"default", - "layerId": "2895cd64-3005-4aa0-8806-aebfcec6337b", - "layerType": "data", - "legendDisplay": "default", - "legendSize": "auto", - "metrics": [ - "df5605f4-cf9a-4300-a04e-0d27bd93403c" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "9e1f961e-ec9b-4d87-b039-aee519938af0" - ] + "columnId": "3f89f982-6876-4f85-8e02-5bd78823313e" + }, + { + "columnId": "62067742-d1f6-4516-aef7-e20243d5a663" } ], - "shape": "pie" + "layerId": "e1b0ed4b-f945-43ac-9f08-85b3ae396239", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "28df95dc-7f16-4be5-a857-0087f0aafd79", + "i": "45536fa9-4ac0-4d40-bc51-a4d428396dfd", "w": 24, "x": 0, "y": 0 }, - "panelIndex": "28df95dc-7f16-4be5-a857-0087f0aafd79", - "title": "Telephony Credits Used by Users [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "45536fa9-4ac0-4d40-bc51-a4d428396dfd", + "title": "[Cisco Duo] Top 10 Usernames Activity", + "type": "lens" }, { "embeddableConfig": { 
@@ -150,55 +143,57 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f766bfa8-25c9-4c13-9c4f-56f8beb93ee7", + "name": "indexpattern-datasource-layer-7c32a803-2a73-4db0-86af-ede2d3eb74b7", "type": "index-pattern" } ], "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "f766bfa8-25c9-4c13-9c4f-56f8beb93ee7": { + "7c32a803-2a73-4db0-86af-ede2d3eb74b7": { "columnOrder": [ - "9fb9934c-f735-4c3b-901a-93787ce0803d", - "aedb9709-f0cf-43bc-b817-ff690c268236" + "1c43c117-2d48-4245-937e-a9435d027365", + "df9a7ec9-12f4-4fbc-b5cc-9866e1511032" ], "columns": { - "9fb9934c-f735-4c3b-901a-93787ce0803d": { + "1c43c117-2d48-4245-937e-a9435d027365": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Event Type", + "label": "Operating System", "operationType": "terms", "params": { "missingBucket": false, "orderBy": { - "columnId": "aedb9709-f0cf-43bc-b817-ff690c268236", + "columnId": "df9a7ec9-12f4-4fbc-b5cc-9866e1511032", "type": "column" }, "orderDirection": "desc", "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "cisco_duo.telephony.event_type" + "sourceField": "cisco_duo.admin.action" }, - "aedb9709-f0cf-43bc-b817-ff690c268236": { + "df9a7ec9-12f4-4fbc-b5cc-9866e1511032": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Credits", - "operationType": "sum", + "label": "Count", + "operationType": "count", + "params": {}, "scale": "ratio", - "sourceField": "cisco_duo.telephony.credits" + "sourceField": "___records___" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } 
@@ -212,20 +207,42 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "f766bfa8-25c9-4c13-9c4f-56f8beb93ee7", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "7c32a803-2a73-4db0-86af-ede2d3eb74b7", "layerType": "data", - "legendDisplay": "default", + "legendDisplay": "show", "legendSize": "auto", "metrics": [ - "aedb9709-f0cf-43bc-b817-ff690c268236" + "df9a7ec9-12f4-4fbc-b5cc-9866e1511032" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "9fb9934c-f735-4c3b-901a-93787ce0803d" + "1c43c117-2d48-4245-937e-a9435d027365" ] } ], + "palette": { + "name": "status", + "type": "palette" + }, "shape": "donut" } }, @@ -234,20 +251,18 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "88a04f06-323e-499a-9363-60c4e44525ed", + "i": "732a43f0-18e6-4a3a-a170-2439d42fbeac", "w": 24, "x": 24, "y": 0 }, - "panelIndex": "88a04f06-323e-499a-9363-60c4e44525ed", - "title": "Telephony Credits Used by Types of Telephony Event [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "732a43f0-18e6-4a3a-a170-2439d42fbeac", + "title": "[Cisco Duo] Most Repeated Actions", + "type": "lens" }, { "embeddableConfig": { 
@@ -255,152 +270,164 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-35bad298-cb1d-478f-823e-55e8450f4624", + "name": "indexpattern-datasource-layer-0d343a00-4608-4893-9d51-15b205ead3fd", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "35bad298-cb1d-478f-823e-55e8450f4624": { + "0d343a00-4608-4893-9d51-15b205ead3fd": { "columnOrder": [ - "dd0d8160-4e51-425e-8a87-211cedb6ec4f", - "dc6eb145-963d-412d-97eb-f1bb3dbca717" + "464d7146-f0cf-433a-92b3-3a9764538ba7", + "27586231-2b8e-4417-9999-178c2fdca0da" ], "columns": { - "dc6eb145-963d-412d-97eb-f1bb3dbca717": { + "27586231-2b8e-4417-9999-178c2fdca0da": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Credits", - "operationType": "sum", + "label": "Administrator Logs", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "cisco_duo.telephony.credits" + "sourceField": "___records___" }, - "dd0d8160-4e51-425e-8a87-211cedb6ec4f": { - "customLabel": true, - "dataType": "string", + "464d7146-f0cf-433a-92b3-3a9764538ba7": { + "dataType": "date", "isBucketed": true, - "label": "Type", - "operationType": "terms", + "label": "@timestamp", + "operationType": "date_histogram", "params": { - "missingBucket": false, - "orderBy": { - "columnId": "dc6eb145-963d-412d-97eb-f1bb3dbca717", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" }, - "scale": "ordinal", - "sourceField": "cisco_duo.telephony.type" + "scale": "interval", + "sourceField": "@timestamp" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 } } + }, + "textBased": { + "layers": {} } }, 
"filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, "layers": [ { - "categoryDisplay": "default", - "layerId": "35bad298-cb1d-478f-823e-55e8450f4624", - "layerType": "data", - "legendDisplay": "default", - "legendSize": "auto", - "metrics": [ - "dc6eb145-963d-412d-97eb-f1bb3dbca717" + "accessors": [ + "27586231-2b8e-4417-9999-178c2fdca0da" ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "dd0d8160-4e51-425e-8a87-211cedb6ec4f" - ] + "layerId": "0d343a00-4608-4893-9d51-15b205ead3fd", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "xAccessor": "464d7146-f0cf-433a-92b3-3a9764538ba7" } ], - "shape": "pie" + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "2b83f76d-c315-4d49-bf76-967e4d9ef49d", - "w": 24, + "i": "590082d9-5b80-4199-99e1-20489371f7cd", + "w": 48, "x": 0, "y": 15 }, - "panelIndex": "2b83f76d-c315-4d49-bf76-967e4d9ef49d", - "title": "Telephony Credits Used by Telephony Type [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.0" + "panelIndex": "590082d9-5b80-4199-99e1-20489371f7cd", + "title": "[Cisco Duo] Administrator Logs Over Time", + "type": "lens" } ], "timeRestore": false, - "title": "[Logs Cisco Duo] Telephony", - "version": 1 - 
}, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-05T05:59:59.595Z", - "id": "cisco_duo-7e997350-34c9-11ed-81dc-5d9e1bd8e06a", - "migrationVersion": { - "dashboard": "8.7.0" + "title": "[Logs Cisco Duo] Administrator", + "version": 2 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-20T14:41:26.301Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "cisco_duo-7a135061-78a3-45d9-951b-4b9b665fa729", + "managed": false, "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "28df95dc-7f16-4be5-a857-0087f0aafd79:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", - "name": "28df95dc-7f16-4be5-a857-0087f0aafd79:indexpattern-datasource-layer-2895cd64-3005-4aa0-8806-aebfcec6337b", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "logs-*", - "name": "88a04f06-323e-499a-9363-60c4e44525ed:indexpattern-datasource-current-indexpattern", + "name": "45536fa9-4ac0-4d40-bc51-a4d428396dfd:indexpattern-datasource-layer-e1b0ed4b-f945-43ac-9f08-85b3ae396239", "type": "index-pattern" }, { "id": "logs-*", - "name": "88a04f06-323e-499a-9363-60c4e44525ed:indexpattern-datasource-layer-f766bfa8-25c9-4c13-9c4f-56f8beb93ee7", + "name": "732a43f0-18e6-4a3a-a170-2439d42fbeac:indexpattern-datasource-layer-7c32a803-2a73-4db0-86af-ede2d3eb74b7", "type": "index-pattern" }, { "id": "logs-*", - "name": "2b83f76d-c315-4d49-bf76-967e4d9ef49d:indexpattern-datasource-current-indexpattern", + "name": "590082d9-5b80-4199-99e1-20489371f7cd:indexpattern-datasource-layer-0d343a00-4608-4893-9d51-15b205ead3fd", "type": "index-pattern" }, { - "id": "logs-*", - "name": "2b83f76d-c315-4d49-bf76-967e4d9ef49d:indexpattern-datasource-layer-35bad298-cb1d-478f-823e-55e8450f4624", - "type": "index-pattern" + "id": 
"cisco_duo-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" -} \ No newline at end of file + "type": "dashboard", + "typeMigrationVersion": "8.9.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-b386f94c-0856-4508-ba08-a525a2f3b70f.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-b386f94c-0856-4508-ba08-a525a2f3b70f.json new file mode 100644 index 00000000000..a7a1f57098d --- /dev/null +++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-b386f94c-0856-4508-ba08-a525a2f3b70f.json 
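Review bot: The new saved-object metadata adds `created_by` and `updated_by` set to the Kibana user-profile uid `u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0`, plus an export-time `created_at`. These values describe the cluster the dashboard was exported from rather than the package, and they publish an individual's profile identifier in a public artifact; the same three fields appear at the end of the new telephony dashboard hunk below. Unless the package tooling depends on them, I would strip them before commit — Kibana appears to populate these on import anyway, but confirm with the `elastic-package` formatter which attributes it preserves. The enclosing `attributes` object of this hunk starts before this view.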
@@ -0,0 +1,618 @@ +{ + "attributes": { + "description": "This dashboard shows telephony logs collected by the Cisco Duo integration.\n\nFrom the version 2.0.0 of the integration, this dashboard has been updated to support Telephony logs from the v2 API endpoint, ingested by the new data stream Telephony v2.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cisco_duo.telephony_v2" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cisco_duo.telephony_v2" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": true, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2895cd64-3005-4aa0-8806-aebfcec6337b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2895cd64-3005-4aa0-8806-aebfcec6337b": { + "columnOrder": [ + "9e1f961e-ec9b-4d87-b039-aee519938af0", + "df5605f4-cf9a-4300-a04e-0d27bd93403c" + ], + "columns": { + "9e1f961e-ec9b-4d87-b039-aee519938af0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Phone Number", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "df5605f4-cf9a-4300-a04e-0d27bd93403c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"cisco_duo.telephony_v2.phone_number" + }, + "df5605f4-cf9a-4300-a04e-0d27bd93403c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Credits", + "operationType": "sum", + "scale": "ratio", + "sourceField": "cisco_duo.telephony_v2.credits" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2895cd64-3005-4aa0-8806-aebfcec6337b", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "df5605f4-cf9a-4300-a04e-0d27bd93403c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "9e1f961e-ec9b-4d87-b039-aee519938af0" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0af2af4d-bdf5-4d68-bb45-82e9d553a7c8", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "0af2af4d-bdf5-4d68-bb45-82e9d553a7c8", + "title": "[Cisco Duo] Telephony Credits Used by Users", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f766bfa8-25c9-4c13-9c4f-56f8beb93ee7", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f766bfa8-25c9-4c13-9c4f-56f8beb93ee7": { + "columnOrder": [ + "9fb9934c-f735-4c3b-901a-93787ce0803d", + "aedb9709-f0cf-43bc-b817-ff690c268236" + ], + "columns": { + "9fb9934c-f735-4c3b-901a-93787ce0803d": { + 
"customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "aedb9709-f0cf-43bc-b817-ff690c268236", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.telephony_v2.event_type" + }, + "aedb9709-f0cf-43bc-b817-ff690c268236": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Credits", + "operationType": "sum", + "scale": "ratio", + "sourceField": "cisco_duo.telephony_v2.credits" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f766bfa8-25c9-4c13-9c4f-56f8beb93ee7", + "layerType": "data", + "legendDisplay": "default", + "legendSize": "auto", + "metrics": [ + "aedb9709-f0cf-43bc-b817-ff690c268236" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "9fb9934c-f735-4c3b-901a-93787ce0803d" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "fc871019-66aa-4900-aad0-e94b6d3766ca", + "w": 16, + "x": 16, + "y": 0 + }, + "panelIndex": "fc871019-66aa-4900-aad0-e94b6d3766ca", + "title": "[Cisco Duo] Telephony Credits Used by Types of Telephony Event", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-35bad298-cb1d-478f-823e-55e8450f4624", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "35bad298-cb1d-478f-823e-55e8450f4624": { + "columnOrder": [ + "dd0d8160-4e51-425e-8a87-211cedb6ec4f", + "dc6eb145-963d-412d-97eb-f1bb3dbca717" + ], + "columns": { + "dc6eb145-963d-412d-97eb-f1bb3dbca717": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Credits", + "operationType": "sum", + "scale": "ratio", + "sourceField": "cisco_duo.telephony_v2.credits" + }, + "dd0d8160-4e51-425e-8a87-211cedb6ec4f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "dc6eb145-963d-412d-97eb-f1bb3dbca717", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.telephony_v2.type" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "35bad298-cb1d-478f-823e-55e8450f4624", + "layerType": "data", + "legendDisplay": "default", + "legendSize": "auto", + "metrics": [ + "dc6eb145-963d-412d-97eb-f1bb3dbca717" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "dd0d8160-4e51-425e-8a87-211cedb6ec4f" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": 
"lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "385c9986-e77f-483c-a34a-6b6343b54399", + "w": 16, + "x": 32, + "y": 0 + }, + "panelIndex": "385c9986-e77f-483c-a34a-6b6343b54399", + "title": "[Cisco Duo] Telephony Credits Used by Telephony Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "630bc72b-cd44-4c27-ba08-eb9bca4e3d58": { + "columnOrder": [ + "17e266b8-6643-4571-95cd-4314c2bdc4a4", + "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2" + ], + "columns": { + "17e266b8-6643-4571-95cd-4314c2bdc4a4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Telephony Credits", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "cisco_duo.telephony_v2.credits" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + 
"type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2" + ], + "layerId": "630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "area", + "xAccessor": "17e266b8-6643-4571-95cd-4314c2bdc4a4", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear" + } + }, + "title": "[Cisco Duo] Remaining telephony credits over time (converted)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5b8ec5be-601f-4e06-84eb-6d2b9fcbfa52", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "5b8ec5be-601f-4e06-84eb-6d2b9fcbfa52", + "title": "[Cisco Duo] Telephony Credits Spent Over Time", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Duo] Telephony", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-20T14:23:18.004Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "cisco_duo-b386f94c-0856-4508-ba08-a525a2f3b70f", + 
"managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0af2af4d-bdf5-4d68-bb45-82e9d553a7c8:indexpattern-datasource-layer-2895cd64-3005-4aa0-8806-aebfcec6337b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fc871019-66aa-4900-aad0-e94b6d3766ca:indexpattern-datasource-layer-f766bfa8-25c9-4c13-9c4f-56f8beb93ee7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "385c9986-e77f-483c-a34a-6b6343b54399:indexpattern-datasource-layer-35bad298-cb1d-478f-823e-55e8450f4624", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5b8ec5be-601f-4e06-84eb-6d2b9fcbfa52:indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "type": "index-pattern" + }, + { + "id": "cisco_duo-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-fc635930-342f-11ed-8943-5bb82a29aed1.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-c3336a66-68ff-4bcd-95ff-fb388793f721.json similarity index 79% rename from packages/cisco_duo/kibana/dashboard/cisco_duo-fc635930-342f-11ed-8943-5bb82a29aed1.json rename to packages/cisco_duo/kibana/dashboard/cisco_duo-c3336a66-68ff-4bcd-95ff-fb388793f721.json index 880a9d2f913..1dfbbff95f5 100644 --- a/packages/cisco_duo/kibana/dashboard/cisco_duo-fc635930-342f-11ed-8943-5bb82a29aed1.json +++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-c3336a66-68ff-4bcd-95ff-fb388793f721.json 
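Review bot: The last panel's inner `attributes.title` reads `[Cisco Duo] Remaining telephony credits over time (converted)` while the panel title is `[Cisco Duo] Telephony Credits Spent Over Time` and the metric is a `sum` over `cisco_duo.telephony_v2.credits`; the inner title looks like a leftover from an earlier draft and contradicts what is plotted, so set it to `""` as the other panels do, or align it with the panel title. Likewise the first panel is titled `[Cisco Duo] Telephony Credits Used by Users` but buckets on `cisco_duo.telephony_v2.phone_number` under the column label `Phone Number`, so `[Cisco Duo] Telephony Credits Used by Phone Number` would describe the data accurately. The same panel also declares `"preferredSeriesType": "bar_stacked"` while its only layer uses `"seriesType": "area"`; harmless as far as I can tell, but worth making consistent.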
@@ -44,20 +44,121 @@ "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"ce0cde1e-240f-4a56-bc83-60374450e029\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\",\"lightModeDefault\":\"road_map\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"4e14ab8b-6ac0-4c0d-92e4-56b7074b28f6\",\"includeInFitToBounds\":true,\"label\":\"Failed login attempts\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"768d716e-4cb1-435c-b301-f26d08954838\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"zoom\":0.99,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "ce0cde1e-240f-4a56-bc83-60374450e029", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 
0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map", + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "4e14ab8b-6ac0-4c0d-92e4-56b7074b28f6", + "includeInFitToBounds": true, + "label": "Failed login attempts", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "source.geo.location", + "id": "768d716e-4cb1-435c-b301-f26d08954838", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-15m", + "to": "now" + }, + "zoom": 0.99 + }, "title": "", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } }, - "enhancements": 
{}, "hiddenLayers": [], "hidePanelTitles": false, "isLayerTOCOpen": true, "mapBuffer": { "maxLat": 85.05113, - "maxLon": 180, + "maxLon": 360, "minLat": -85.05113, - "minLon": -180 + "minLon": -360 }, "mapCenter": { "lat": 19.94277, @@ -68,39 +169,29 @@ }, "gridData": { "h": 19, - "i": "26f5ca91-aee7-4afb-9c3d-0ce30815989c", + "i": "d1300cab-6318-427a-ac49-ea993ad6ef1c", "w": 48, "x": 0, "y": 0 }, - "panelIndex": "26f5ca91-aee7-4afb-9c3d-0ce30815989c", - "title": "Failed Login Attempts [Logs Cisco Duo]", - "type": "map", - "version": "8.7.1" + "panelIndex": "d1300cab-6318-427a-ac49-ea993ad6ef1c", + "title": "[Cisco Duo] Failed Login Attempts", + "type": "map" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-f54144b0-13ad-42da-8000-f50af854cc52", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" } ], "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { "f54144b0-13ad-42da-8000-f50af854cc52": { "columnOrder": [ @@ -133,11 +224,15 @@ "isBucketed": false, "label": "Number of failed attempts", "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", "sourceField": "___records___" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } 
@@ -208,25 +303,19 @@ }, "gridData": { "h": 15, - "i": "818ff904-2b6d-44ba-9de3-2d908faf4fe4", + "i": "7fee51ee-8ff0-4a06-be3e-ed66bcaa4bc6", "w": 24, "x": 0, "y": 19 }, - "panelIndex": "818ff904-2b6d-44ba-9de3-2d908faf4fe4", - "title": "Authentication Failed Login Attempts by Source IP [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "7fee51ee-8ff0-4a06-be3e-ed66bcaa4bc6", + "title": "[Cisco Duo] Authentication Failed Login Attempts by Source IP", + "type": "lens" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-7c32a803-2a73-4db0-86af-ede2d3eb74b7", @@ -236,6 +325,7 @@ "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { "7c32a803-2a73-4db0-86af-ede2d3eb74b7": { "columnOrder": [ @@ -292,7 +382,8 @@ "sourceField": "___records___" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } @@ -306,6 +397,24 @@ "layers": [ { "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, "layerId": "7c32a803-2a73-4db0-86af-ede2d3eb74b7", "layerType": "data", "legendDisplay": "default", @@ -322,7 +431,7 @@ } ], "palette": { - "name": "default", + "name": "status", "type": "palette" }, "shape": "donut" 
@@ -337,15 +446,14 @@ }, "gridData": { "h": 15, - "i": "22c8c310-56b7-4097-9fa9-a495af55a8c7", + "i": "eb050a40-45ba-4d77-ba47-190e2047c729", "w": 24, "x": 24, "y": 19 }, - "panelIndex": "22c8c310-56b7-4097-9fa9-a495af55a8c7", - "title": "Login Attempts by OS [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "eb050a40-45ba-4d77-ba47-190e2047c729", + "title": "[Cisco Duo] Login Attempts by OS", + "type": "lens" }, { "embeddableConfig": { @@ -462,15 +570,14 @@ }, "gridData": { "h": 15, - "i": "51dd4756-cff1-475b-96b8-98d3fcf7c5e8", + "i": "f21992a9-8114-4a9a-9cd7-040ac9773b03", "w": 24, "x": 0, "y": 34 }, - "panelIndex": "51dd4756-cff1-475b-96b8-98d3fcf7c5e8", - "title": "Top 10 Failed Login Attempts by Username [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "f21992a9-8114-4a9a-9cd7-040ac9773b03", + "title": "[Cisco Duo] Top 10 Failed Login Attempts by Username", + "type": "lens" }, { "embeddableConfig": { 
@@ -589,119 +696,14 @@ }, "gridData": { "h": 15, - "i": "7acb2d14-3660-4613-a3f5-609bc84eae4d", + "i": "0431dc45-6447-473c-a76f-86d4248a93e8", "w": 24, "x": 24, "y": 34 }, - "panelIndex": "7acb2d14-3660-4613-a3f5-609bc84eae4d", - "title": "Top 10 Successful Login Attempts by Application Name [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-8b629203-8568-42cf-8f8d-076234fa1e80", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "8b629203-8568-42cf-8f8d-076234fa1e80": { - "columnOrder": [ - "c8880d3e-ddf8-4fdd-a2db-a62cef721233", - "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf" - ], - "columns": { - "c8880d3e-ddf8-4fdd-a2db-a62cef721233": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Firewall Enabled", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "cisco_duo.auth.access_device.is_firewall_enabled" - }, - "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Username", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "user.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "8b629203-8568-42cf-8f8d-076234fa1e80", - "layerType": "data", - "legendDisplay": "default", - "legendSize": "auto", - "metrics": [ - "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf" - ], - "nestedLegend": 
false, - "numberDisplay": "percent", - "primaryGroups": [ - "c8880d3e-ddf8-4fdd-a2db-a62cef721233" - ] - } - ], - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "268b0b87-2daa-432c-8abc-fc31368a3f24", - "w": 24, - "x": 24, - "y": 49 - }, - "panelIndex": "268b0b87-2daa-432c-8abc-fc31368a3f24", - "title": "Firewall Enabled in User Devices [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "0431dc45-6447-473c-a76f-86d4248a93e8", + "title": "[Cisco Duo] Top 10 Successful Login Attempts by Application Name", + "type": "lens" }, { "embeddableConfig": { @@ -717,6 +719,7 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { "0d343a00-4608-4893-9d51-15b205ead3fd": { "columnOrder": [ @@ -732,7 +735,7 @@ "label": "Count", "operationType": "count", "params": { - "emptyAsNull": true + "emptyAsNull": false }, "scale": "ratio", "sourceField": "___records___" @@ -777,6 +780,7 @@ } }, "incompleteColumns": {}, + "indexPatternId": "logs-*", "sampling": 1 } } @@ -824,6 +828,7 @@ ], "legend": { "isVisible": true, + "legendSize": "large", "position": "right" }, "preferredSeriesType": "line", @@ -844,15 +849,14 @@ }, "gridData": { "h": 15, - "i": "d9c08902-7c72-4340-918f-d9087f77f00a", - "w": 24, + "i": "d10d1c8a-0622-4170-a85d-8eaa14fad2b5", + "w": 48, "x": 0, "y": 49 }, - "panelIndex": "d9c08902-7c72-4340-918f-d9087f77f00a", - "title": "Failed Login Attempts by Reason Over Time [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "d10d1c8a-0622-4170-a85d-8eaa14fad2b5", + "title": "[Cisco Duo] Failed Login Attempts by Reason Over Time", + "type": "lens" }, { "embeddableConfig": { 
@@ -860,35 +864,149 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-ee60d920-e863-40bd-8838-544eb257deb6", "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ee60d920-e863-40bd-8838-544eb257deb6": { + "columnOrder": [ + "999a537c-b73e-4246-bb00-4437d229edc4", + "6ed7b42e-40ca-4c6c-b681-9114f7492243" + ], + "columns": { + "6ed7b42e-40ca-4c6c-b681-9114f7492243": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Username", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "user.name" + }, + "999a537c-b73e-4246-bb00-4437d229edc4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Encryption Enabled", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6ed7b42e-40ca-4c6c-b681-9114f7492243", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.auth.access_device.is_encryption_enabled" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "ee60d920-e863-40bd-8838-544eb257deb6", + "layerType": "data", + "legendDisplay": "default", + "legendSize": "auto", + "metrics": [ + "6ed7b42e-40ca-4c6c-b681-9114f7492243" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "999a537c-b73e-4246-bb00-4437d229edc4" + ] + } + ], 
+ "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "30afe6db-b65b-4aca-9aa4-5409de2cfa37", + "w": 16, + "x": 0, + "y": 64 + }, + "panelIndex": "30afe6db-b65b-4aca-9aa4-5409de2cfa37", + "title": "[Cisco Duo] Encryption Enabled in User Devices", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-5a02ce05-fb02-44ed-a440-921646f93e28", + "name": "indexpattern-datasource-layer-8b629203-8568-42cf-8f8d-076234fa1e80", "type": "index-pattern" } ], "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "5a02ce05-fb02-44ed-a440-921646f93e28": { + "8b629203-8568-42cf-8f8d-076234fa1e80": { "columnOrder": [ - "407c26d4-a100-44be-b267-09a4397ce62f", - "d71774fb-92c5-4803-bf7f-b6bf0484c371" + "c8880d3e-ddf8-4fdd-a2db-a62cef721233", + "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf" ], "columns": { - "407c26d4-a100-44be-b267-09a4397ce62f": { + "c8880d3e-ddf8-4fdd-a2db-a62cef721233": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Password Set", + "label": "Firewall Enabled", "operationType": "terms", "params": { "missingBucket": false, "orderBy": { - "columnId": "d71774fb-92c5-4803-bf7f-b6bf0484c371", + "columnId": "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf", "type": "column" }, "orderDirection": "desc", @@ -896,9 +1014,9 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "cisco_duo.auth.access_device.is_password_set" + "sourceField": "cisco_duo.auth.access_device.is_firewall_enabled" }, - "d71774fb-92c5-4803-bf7f-b6bf0484c371": { + "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf": { "customLabel": true, "dataType": "number", "isBucketed": false, @@ -908,7 +1026,8 @@ "sourceField": "user.name" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } 
@@ -922,17 +1041,35 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "5a02ce05-fb02-44ed-a440-921646f93e28", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8b629203-8568-42cf-8f8d-076234fa1e80", "layerType": "data", "legendDisplay": "default", "legendSize": "auto", "metrics": [ - "d71774fb-92c5-4803-bf7f-b6bf0484c371" + "ebe9dd6c-1aec-4b8f-bc43-db3f72e03caf" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "407c26d4-a100-44be-b267-09a4397ce62f" + "c8880d3e-ddf8-4fdd-a2db-a62cef721233" ] } ], @@ -947,16 +1084,15 @@ "hidePanelTitles": false }, "gridData": { - "h": 15, - "i": "2fc646fa-5152-441e-8cfa-9466d97f38a5", - "w": 24, - "x": 24, + "h": 11, + "i": "d2c9ba4f-4db4-4fa6-ab1c-9db607594f80", + "w": 16, + "x": 16, "y": 64 }, - "panelIndex": "2fc646fa-5152-441e-8cfa-9466d97f38a5", - "title": "Password Set in User Devices [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "d2c9ba4f-4db4-4fa6-ab1c-9db607594f80", + "title": "[Cisco Duo] Firewall Enabled in User Devices", + "type": "lens" }, { "embeddableConfig": { 
@@ -964,44 +1100,31 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ee60d920-e863-40bd-8838-544eb257deb6", + "name": "indexpattern-datasource-layer-5a02ce05-fb02-44ed-a440-921646f93e28", "type": "index-pattern" } ], "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "ee60d920-e863-40bd-8838-544eb257deb6": { + "5a02ce05-fb02-44ed-a440-921646f93e28": { "columnOrder": [ - "999a537c-b73e-4246-bb00-4437d229edc4", - "6ed7b42e-40ca-4c6c-b681-9114f7492243" + "407c26d4-a100-44be-b267-09a4397ce62f", + "d71774fb-92c5-4803-bf7f-b6bf0484c371" ], "columns": { - "6ed7b42e-40ca-4c6c-b681-9114f7492243": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Username", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "user.name" - }, - "999a537c-b73e-4246-bb00-4437d229edc4": { + "407c26d4-a100-44be-b267-09a4397ce62f": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Encryption Enabled", + "label": "Password Set", "operationType": "terms", "params": { "missingBucket": false, "orderBy": { - "columnId": "6ed7b42e-40ca-4c6c-b681-9114f7492243", + "columnId": "d71774fb-92c5-4803-bf7f-b6bf0484c371", "type": "column" }, "orderDirection": "desc", @@ -1009,10 +1132,20 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "cisco_duo.auth.access_device.is_encryption_enabled" + "sourceField": "cisco_duo.auth.access_device.is_password_set" + }, + "d71774fb-92c5-4803-bf7f-b6bf0484c371": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Username", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "user.name" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } 
@@ -1026,17 +1159,35 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "ee60d920-e863-40bd-8838-544eb257deb6", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5a02ce05-fb02-44ed-a440-921646f93e28", "layerType": "data", "legendDisplay": "default", "legendSize": "auto", "metrics": [ - "6ed7b42e-40ca-4c6c-b681-9114f7492243" + "d71774fb-92c5-4803-bf7f-b6bf0484c371" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "999a537c-b73e-4246-bb00-4437d229edc4" + "407c26d4-a100-44be-b267-09a4397ce62f" ] } ], @@ -1051,16 +1202,15 @@ "hidePanelTitles": false }, "gridData": { - "h": 15, - "i": "a3d0f019-eea7-4378-95c9-20841a6136e1", - "w": 24, - "x": 0, + "h": 11, + "i": "19a4feaa-74a2-49ac-b68e-6f2182d1f611", + "w": 16, + "x": 32, "y": 64 }, - "panelIndex": "a3d0f019-eea7-4378-95c9-20841a6136e1", - "title": "Encryption Enabled in User Devices [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "19a4feaa-74a2-49ac-b68e-6f2182d1f611", + "title": "[Cisco Duo] Password Set in User Devices", + "type": "lens" }, { "embeddableConfig": { 
@@ -1068,31 +1218,22 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f6dd2418-f99a-425f-bf65-2837cb4a3a6c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "indexpattern-datasource-layer-a27579ed-2c14-4688-8abd-eebb621a1488", "type": "index-pattern" } ], "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "f6dd2418-f99a-425f-bf65-2837cb4a3a6c": { + "a27579ed-2c14-4688-8abd-eebb621a1488": { "columnOrder": [ - "27fa1ab5-471e-47cc-9add-9ed20c8f2b9b", - "106f69af-66b6-4931-bf03-0cfdeb819341" + "f5303345-19ce-4123-87f5-abdc29652cfb", + "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3" ], "columns": { - "106f69af-66b6-4931-bf03-0cfdeb819341": { + "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3": { "customLabel": true, "dataType": "number", "isBucketed": false, @@ -1101,7 +1242,7 @@ "scale": "ratio", "sourceField": "___records___" }, - "27fa1ab5-471e-47cc-9add-9ed20c8f2b9b": { + "f5303345-19ce-4123-87f5-abdc29652cfb": { "customLabel": true, "dataType": "string", "isBucketed": true, @@ -1110,7 +1251,7 @@ "params": { "missingBucket": false, "orderBy": { - "columnId": "106f69af-66b6-4931-bf03-0cfdeb819341", + "columnId": "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3", "type": "column" }, "orderDirection": "desc", @@ -1121,7 +1262,8 @@ "sourceField": "cisco_duo.auth.factor" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } @@ -1138,13 +1280,13 @@ "key": "event.outcome", "negate": false, "params": { - "query": "failure" + "query": "success" }, "type": "phrase" }, "query": { "match_phrase": { - "event.outcome": "failure" + "event.outcome": "success" } } } 
@@ -1157,20 +1299,42 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "f6dd2418-f99a-425f-bf65-2837cb4a3a6c", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "a27579ed-2c14-4688-8abd-eebb621a1488", "layerType": "data", "legendDisplay": "default", "legendSize": "auto", "metrics": [ - "106f69af-66b6-4931-bf03-0cfdeb819341" + "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "27fa1ab5-471e-47cc-9add-9ed20c8f2b9b" + "f5303345-19ce-4123-87f5-abdc29652cfb" ] } ], + "palette": { + "name": "default", + "type": "palette" + }, "shape": "donut" } }, @@ -1183,15 +1347,14 @@ }, "gridData": { "h": 15, - "i": "a754afca-bd5d-4135-bc61-d4009e4657bb", + "i": "98e97211-17a3-43fc-be49-5931e3b62c75", "w": 24, - "x": 24, - "y": 79 + "x": 0, + "y": 75 }, - "panelIndex": "a754afca-bd5d-4135-bc61-d4009e4657bb", - "title": "Failure Login Attempts by Authentication Factor [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "98e97211-17a3-43fc-be49-5931e3b62c75", + "title": "[Cisco Duo] Success Login Attempts by Authentication Factor", + "type": "lens" }, { "embeddableConfig": { 
@@ -1199,31 +1362,22 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-a27579ed-2c14-4688-8abd-eebb621a1488", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "indexpattern-datasource-layer-f6dd2418-f99a-425f-bf65-2837cb4a3a6c", "type": "index-pattern" } ], "state": { "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { - "a27579ed-2c14-4688-8abd-eebb621a1488": { + "f6dd2418-f99a-425f-bf65-2837cb4a3a6c": { "columnOrder": [ - "f5303345-19ce-4123-87f5-abdc29652cfb", - "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3" + "27fa1ab5-471e-47cc-9add-9ed20c8f2b9b", + "106f69af-66b6-4931-bf03-0cfdeb819341" ], "columns": { - "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3": { + "106f69af-66b6-4931-bf03-0cfdeb819341": { "customLabel": true, "dataType": "number", "isBucketed": false, @@ -1232,7 +1386,7 @@ "scale": "ratio", "sourceField": "___records___" }, - "f5303345-19ce-4123-87f5-abdc29652cfb": { + "27fa1ab5-471e-47cc-9add-9ed20c8f2b9b": { "customLabel": true, "dataType": "string", "isBucketed": true, @@ -1241,7 +1395,7 @@ "params": { "missingBucket": false, "orderBy": { - "columnId": "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3", + "columnId": "106f69af-66b6-4931-bf03-0cfdeb819341", "type": "column" }, "orderDirection": "desc", @@ -1252,7 +1406,8 @@ "sourceField": "cisco_duo.auth.factor" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } } @@ -1269,13 +1424,13 @@ "key": "event.outcome", "negate": false, "params": { - "query": "success" + "query": "failure" }, "type": "phrase" }, "query": { "match_phrase": { - "event.outcome": "success" + "event.outcome": "failure" } } } 
@@ -1288,24 +1443,38 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "a27579ed-2c14-4688-8abd-eebb621a1488", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f6dd2418-f99a-425f-bf65-2837cb4a3a6c", "layerType": "data", "legendDisplay": "default", "legendSize": "auto", "metrics": [ - "8e5fb845-afb2-4d7f-8e16-ba9ab246a8e3" + "106f69af-66b6-4931-bf03-0cfdeb819341" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "f5303345-19ce-4123-87f5-abdc29652cfb" + "27fa1ab5-471e-47cc-9add-9ed20c8f2b9b" ] } ], - "palette": { - "name": "default", - "type": "palette" - }, "shape": "donut" } }, @@ -1318,27 +1487,25 @@ }, "gridData": { "h": 15, - "i": "1e7cca3e-e9ff-461b-aa54-d68e4724a10c", + "i": "8d71355e-6451-4b79-9515-6821d352ae32", "w": 24, - "x": 0, - "y": 79 + "x": 24, + "y": 75 }, - "panelIndex": "1e7cca3e-e9ff-461b-aa54-d68e4724a10c", - "title": "Success Login Attempts by Authentication Factor [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "8d71355e-6451-4b79-9515-6821d352ae32", + "title": "[Cisco Duo] Failure Login Attempts by Authentication Factor", + "type": "lens" } ], "timeRestore": false, "title": "[Logs Cisco Duo] Authentication", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-05T06:06:55.292Z", - "id": "cisco_duo-fc635930-342f-11ed-8943-5bb82a29aed1", - "migrationVersion": { - "dashboard": "8.7.0" + "version": 2 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-20T14:06:14.779Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "cisco_duo-c3336a66-68ff-4bcd-95ff-fb388793f721", + "managed": false, "references": [ { "id": "metrics-*", 
@@ -1347,129 +1514,86 @@ }, { "id": "logs-*", - "name": "26f5ca91-aee7-4afb-9c3d-0ce30815989c:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "818ff904-2b6d-44ba-9de3-2d908faf4fe4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "818ff904-2b6d-44ba-9de3-2d908faf4fe4:indexpattern-datasource-layer-f54144b0-13ad-42da-8000-f50af854cc52", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "818ff904-2b6d-44ba-9de3-2d908faf4fe4:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "22c8c310-56b7-4097-9fa9-a495af55a8c7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "22c8c310-56b7-4097-9fa9-a495af55a8c7:indexpattern-datasource-layer-7c32a803-2a73-4db0-86af-ede2d3eb74b7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "51dd4756-cff1-475b-96b8-98d3fcf7c5e8:indexpattern-datasource-current-indexpattern", + "name": "7fee51ee-8ff0-4a06-be3e-ed66bcaa4bc6:indexpattern-datasource-layer-f54144b0-13ad-42da-8000-f50af854cc52", "type": "index-pattern" }, { "id": "logs-*", - "name": "51dd4756-cff1-475b-96b8-98d3fcf7c5e8:indexpattern-datasource-layer-e1b0ed4b-f945-43ac-9f08-85b3ae396239", + "name": "eb050a40-45ba-4d77-ba47-190e2047c729:indexpattern-datasource-layer-7c32a803-2a73-4db0-86af-ede2d3eb74b7", "type": "index-pattern" }, { "id": "logs-*", - "name": "51dd4756-cff1-475b-96b8-98d3fcf7c5e8:filter-index-pattern-0", + "name": "f21992a9-8114-4a9a-9cd7-040ac9773b03:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "7acb2d14-3660-4613-a3f5-609bc84eae4d:indexpattern-datasource-current-indexpattern", + "name": "f21992a9-8114-4a9a-9cd7-040ac9773b03:indexpattern-datasource-layer-e1b0ed4b-f945-43ac-9f08-85b3ae396239", "type": "index-pattern" }, { "id": "logs-*", - "name": 
"7acb2d14-3660-4613-a3f5-609bc84eae4d:indexpattern-datasource-layer-a12c19bd-f6ef-4379-ba4f-20f78350271b", + "name": "f21992a9-8114-4a9a-9cd7-040ac9773b03:filter-index-pattern-0", "type": "index-pattern" }, { "id": "logs-*", - "name": "7acb2d14-3660-4613-a3f5-609bc84eae4d:filter-index-pattern-0", + "name": "0431dc45-6447-473c-a76f-86d4248a93e8:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "268b0b87-2daa-432c-8abc-fc31368a3f24:indexpattern-datasource-current-indexpattern", + "name": "0431dc45-6447-473c-a76f-86d4248a93e8:indexpattern-datasource-layer-a12c19bd-f6ef-4379-ba4f-20f78350271b", "type": "index-pattern" }, { "id": "logs-*", - "name": "268b0b87-2daa-432c-8abc-fc31368a3f24:indexpattern-datasource-layer-8b629203-8568-42cf-8f8d-076234fa1e80", + "name": "0431dc45-6447-473c-a76f-86d4248a93e8:filter-index-pattern-0", "type": "index-pattern" }, { "id": "logs-*", - "name": "d9c08902-7c72-4340-918f-d9087f77f00a:indexpattern-datasource-layer-0d343a00-4608-4893-9d51-15b205ead3fd", + "name": "d10d1c8a-0622-4170-a85d-8eaa14fad2b5:indexpattern-datasource-layer-0d343a00-4608-4893-9d51-15b205ead3fd", "type": "index-pattern" }, { "id": "logs-*", - "name": "2fc646fa-5152-441e-8cfa-9466d97f38a5:indexpattern-datasource-current-indexpattern", + "name": "30afe6db-b65b-4aca-9aa4-5409de2cfa37:indexpattern-datasource-layer-ee60d920-e863-40bd-8838-544eb257deb6", "type": "index-pattern" }, { "id": "logs-*", - "name": "2fc646fa-5152-441e-8cfa-9466d97f38a5:indexpattern-datasource-layer-5a02ce05-fb02-44ed-a440-921646f93e28", + "name": "d2c9ba4f-4db4-4fa6-ab1c-9db607594f80:indexpattern-datasource-layer-8b629203-8568-42cf-8f8d-076234fa1e80", "type": "index-pattern" }, { "id": "logs-*", - "name": "a3d0f019-eea7-4378-95c9-20841a6136e1:indexpattern-datasource-current-indexpattern", + "name": "19a4feaa-74a2-49ac-b68e-6f2182d1f611:indexpattern-datasource-layer-5a02ce05-fb02-44ed-a440-921646f93e28", "type": "index-pattern" }, { "id": 
"logs-*", - "name": "a3d0f019-eea7-4378-95c9-20841a6136e1:indexpattern-datasource-layer-ee60d920-e863-40bd-8838-544eb257deb6", + "name": "98e97211-17a3-43fc-be49-5931e3b62c75:indexpattern-datasource-layer-a27579ed-2c14-4688-8abd-eebb621a1488", "type": "index-pattern" }, { "id": "logs-*", - "name": "a754afca-bd5d-4135-bc61-d4009e4657bb:indexpattern-datasource-current-indexpattern", + "name": "8d71355e-6451-4b79-9515-6821d352ae32:indexpattern-datasource-layer-f6dd2418-f99a-425f-bf65-2837cb4a3a6c", "type": "index-pattern" }, { - "id": "logs-*", - "name": "a754afca-bd5d-4135-bc61-d4009e4657bb:indexpattern-datasource-layer-f6dd2418-f99a-425f-bf65-2837cb4a3a6c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a754afca-bd5d-4135-bc61-d4009e4657bb:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1e7cca3e-e9ff-461b-aa54-d68e4724a10c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1e7cca3e-e9ff-461b-aa54-d68e4724a10c:indexpattern-datasource-layer-a27579ed-2c14-4688-8abd-eebb621a1488", - "type": "index-pattern" + "id": "cisco_duo-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" }, { "id": "logs-*", - "name": "1e7cca3e-e9ff-461b-aa54-d68e4724a10c:filter-index-pattern-0", + "name": "d1300cab-6318-427a-ac49-ea993ad6ef1c:layer_1_source_index_pattern", "type": "index-pattern" } ], - "type": "dashboard" -} \ No newline at end of file + "type": "dashboard", + "typeMigrationVersion": "8.9.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} 
diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-f4c25e10-3420-11ed-a766-d751fb2ca0fe.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-e91470e5-2ded-4ff1-8bb5-24e06b949c1d.json similarity index 89% rename from packages/cisco_duo/kibana/dashboard/cisco_duo-f4c25e10-3420-11ed-a766-d751fb2ca0fe.json rename to packages/cisco_duo/kibana/dashboard/cisco_duo-e91470e5-2ded-4ff1-8bb5-24e06b949c1d.json index 115bb67bf68..f0b9530abc1 100644 --- a/packages/cisco_duo/kibana/dashboard/cisco_duo-f4c25e10-3420-11ed-a766-d751fb2ca0fe.json +++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-e91470e5-2ded-4ff1-8bb5-24e06b949c1d.json @@ -1,6 +1,6 @@ { "attributes": { - "description": "This dashboard shows summary logs collected by the Cisco Duo integration.", + "description": "This dashboard shows summary logs collected by the Cisco Duo integration, including account utilization information.", "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -43,7 +43,13 @@ { "embeddableConfig": { "attributes": { - "references": [], + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "type": "index-pattern" + } + ], "state": { "adHocDataViews": { "tsvb_ad_hoc_logs-*/@timestamp": { @@ -60,6 +66,7 @@ }, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { "630bc72b-cd44-4c27-ba08-eb9bca4e3d58": { "columnOrder": [ @@ -98,7 +105,8 @@ "sourceField": "cisco_duo.summary.telephony_credits_remaining" } }, - "incompleteColumns": {} + "incompleteColumns": {}, + "indexPatternId": "logs-*" } } }, 
@@ -191,14 +199,14 @@ }, "gridData": { "h": 15, - "i": "875823d5-4d16-4ef0-b463-9a99298b8ed9", + "i": "79c747c4-0e11-4abc-b73d-a348cb0e14c8", "w": 48, "x": 0, "y": 0 }, - "panelIndex": "875823d5-4d16-4ef0-b463-9a99298b8ed9", - "type": "lens", - "version": "8.7.1" + "panelIndex": "79c747c4-0e11-4abc-b73d-a348cb0e14c8", + "title": "[Cisco Duo] Remaining telephony credits over time", + "type": "lens" }, { "embeddableConfig": { @@ -266,15 +274,14 @@ }, "gridData": { "h": 10, - "i": "99e70c63-9d54-4124-b897-ff8d35031b1a", + "i": "ea96aaa0-30af-4804-a98c-11d707e6a8f1", "w": 12, "x": 0, "y": 15 }, - "panelIndex": "99e70c63-9d54-4124-b897-ff8d35031b1a", - "title": "Integrations Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "ea96aaa0-30af-4804-a98c-11d707e6a8f1", + "title": "[Cisco Duo] Integrations Count", + "type": "lens" }, { "embeddableConfig": { @@ -342,15 +349,14 @@ }, "gridData": { "h": 10, - "i": "b17843de-0101-4a6c-a884-34cbeef1cfa0", + "i": "1cba59f9-21f1-4ecb-973d-8a3f05b81f38", "w": 12, "x": 12, "y": 15 }, - "panelIndex": "b17843de-0101-4a6c-a884-34cbeef1cfa0", - "title": "Admin Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "1cba59f9-21f1-4ecb-973d-8a3f05b81f38", + "title": "[Cisco Duo] Admin Count", + "type": "lens" }, { "embeddableConfig": { @@ -418,15 +424,14 @@ }, "gridData": { "h": 10, - "i": "07a76b39-2500-4493-94ee-31277eb2a97a", + "i": "0b986d68-ad43-4241-b172-2d95164000b9", "w": 12, "x": 24, "y": 15 }, - "panelIndex": "07a76b39-2500-4493-94ee-31277eb2a97a", - "title": "User Count [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "0b986d68-ad43-4241-b172-2d95164000b9", + "title": "[Cisco Duo] User Count", + "type": "lens" }, { "embeddableConfig": { 
@@ -494,27 +499,25 @@ }, "gridData": { "h": 10, - "i": "70d33225-16eb-492f-a2fa-3e8ae6ac2065", + "i": "651e5157-6ca2-4861-999d-e7c1bdbd4b94", "w": 12, "x": 36, "y": 15 }, - "panelIndex": "70d33225-16eb-492f-a2fa-3e8ae6ac2065", - "title": "Telephony Credits Remaining [Logs Cisco Duo]", - "type": "lens", - "version": "8.7.1" + "panelIndex": "651e5157-6ca2-4861-999d-e7c1bdbd4b94", + "title": "[Cisco Duo] Telephony Credits Remaining", + "type": "lens" } ], "timeRestore": false, "title": "[Logs Cisco Duo] Summary", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-05T05:59:59.595Z", - "id": "cisco_duo-f4c25e10-3420-11ed-a766-d751fb2ca0fe", - "migrationVersion": { - "dashboard": "8.7.0" + "version": 2 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-20T14:04:01.528Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "cisco_duo-e91470e5-2ded-4ff1-8bb5-24e06b949c1d", + "managed": false, "references": [ { "id": "metrics-*", 
@@ -523,44 +526,56 @@ }, { "id": "logs-*", - "name": "99e70c63-9d54-4124-b897-ff8d35031b1a:indexpattern-datasource-current-indexpattern", + "name": "79c747c4-0e11-4abc-b73d-a348cb0e14c8:indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", "type": "index-pattern" }, { "id": "logs-*", - "name": "99e70c63-9d54-4124-b897-ff8d35031b1a:indexpattern-datasource-layer-8979948f-f9ce-405f-bb6f-abd720b767a2", + "name": "ea96aaa0-30af-4804-a98c-11d707e6a8f1:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "b17843de-0101-4a6c-a884-34cbeef1cfa0:indexpattern-datasource-current-indexpattern", + "name": "ea96aaa0-30af-4804-a98c-11d707e6a8f1:indexpattern-datasource-layer-8979948f-f9ce-405f-bb6f-abd720b767a2", "type": "index-pattern" }, { "id": "logs-*", - "name": "b17843de-0101-4a6c-a884-34cbeef1cfa0:indexpattern-datasource-layer-6e6732b0-cdfb-4221-b378-1e7c30e66935", + "name": "1cba59f9-21f1-4ecb-973d-8a3f05b81f38:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "07a76b39-2500-4493-94ee-31277eb2a97a:indexpattern-datasource-current-indexpattern", + "name": "1cba59f9-21f1-4ecb-973d-8a3f05b81f38:indexpattern-datasource-layer-6e6732b0-cdfb-4221-b378-1e7c30e66935", "type": "index-pattern" }, { "id": "logs-*", - "name": "07a76b39-2500-4493-94ee-31277eb2a97a:indexpattern-datasource-layer-7fb24c40-44ba-48a1-8055-ce664b16df4c", + "name": "0b986d68-ad43-4241-b172-2d95164000b9:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "70d33225-16eb-492f-a2fa-3e8ae6ac2065:indexpattern-datasource-current-indexpattern", + "name": "0b986d68-ad43-4241-b172-2d95164000b9:indexpattern-datasource-layer-7fb24c40-44ba-48a1-8055-ce664b16df4c", "type": "index-pattern" }, { "id": "logs-*", - "name": "70d33225-16eb-492f-a2fa-3e8ae6ac2065:indexpattern-datasource-layer-d3843af6-1a73-455d-ab46-d5d4573ebbcd", + "name": 
"651e5157-6ca2-4861-999d-e7c1bdbd4b94:indexpattern-datasource-current-indexpattern", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "651e5157-6ca2-4861-999d-e7c1bdbd4b94:indexpattern-datasource-layer-d3843af6-1a73-455d-ab46-d5d4573ebbcd", + "type": "index-pattern" + }, + { + "id": "cisco_duo-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" -} \ No newline at end of file + "type": "dashboard", + "typeMigrationVersion": "8.9.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} diff --git a/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json b/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json new file mode 100644 index 00000000000..53fed78ee01 --- /dev/null +++ b/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#BADA55", + "description": "Tag defined in package-spec", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-20T13:51:50.048Z", + "id": "cisco_duo-security-solution-default", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/cisco_duo/kibana/tags.yml b/packages/cisco_duo/kibana/tags.yml deleted file mode 100644 index 47f20a8f551..00000000000 --- a/packages/cisco_duo/kibana/tags.yml +++ /dev/null @@ -1,4 +0,0 @@ -- text: Security Solution - asset_types: - - dashboard - - search diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml index 33d37822707..566618f9af4 100644 --- a/packages/cisco_duo/manifest.yml +++ b/packages/cisco_duo/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_duo title: Cisco Duo -version: "1.26.0" +version: "2.0.0" description: Collect logs from Cisco Duo with Elastic Agent. type: integration categories: 
@@ -11,9 +11,25 @@ conditions: kibana: version: "^8.13.0" screenshots: - - src: /img/cisco_duo-screenshot.png - title: Cisco Duo authentication log dashboard - size: 600x600 + - src: /img/dashboard-telephony.png + title: Cisco Duo administrator logs dashboard + size: 1850x948 + type: image/png + - src: /img/dashboard-auth.png + title: Cisco Duo authentication logs dashboard + size: 1850x948 + type: image/png + - src: /img/dashboard-admin.png + title: Cisco Duo authentication logs dashboard + size: 1850x948 + type: image/png + - src: /img/dashboard-summary.png + title: Cisco Duo authentication logs dashboard + size: 1850x948 + type: image/png + - src: /img/dashboard-offline-enrollment.png + title: Cisco Duo authentication logs dashboard + size: 1850x948 type: image/png icons: - src: /img/cisco_duo-logo.svg 
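Review bot: The titles in the new `screenshots` list do not match their images: `/img/dashboard-telephony.png` is titled `Cisco Duo administrator logs dashboard`, while `dashboard-admin.png`, `dashboard-summary.png` and `dashboard-offline-enrollment.png` all carry the same `Cisco Duo authentication logs dashboard` title. Each entry should name the dashboard it shows, e.g. `title: Cisco Duo telephony logs dashboard` for the first entry and `title: Cisco Duo summary dashboard` for the summary entry, with the admin and offline-enrollment entries adjusted the same way. These titles are shown to users in the integration listing, so the duplication is visible rather than cosmetic.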
@@ -58,8 +74,43 @@ policy_templates:
 required: true
 show_user: true
 default: 1m
- title: Collect Cisco Duo logs via API
- description: Collect Cisco Duo Administrator, Authentication, Offline Enrollment, Summary, and Telephony logs
+ title: Collect Cisco Duo logs via API v1
+ description: Collect Cisco Duo Administrator, Offline Enrollment, Summary, and Telephony (legacy) logs
+ - type: cel
+ vars:
+ - name: hostname
+ type: text
+ title: Hostname
+ description: Hostname for the Cisco Duo Admin API. All API methods use your API hostname, https://api-XXXXXXXX.duosecurity.com. Obtain this value from the Duo Admin Panel and use it exactly as shown there.
+ required: true
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: integration_key
+ type: text
+ title: Integration Key
+ description: Integration key for the Cisco Duo Admin API.
+ required: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Secret key for the Cisco Duo Admin API.
+ required: true
+ secret: true
+ - name: interval
+ type: text
+ title: Interval
+ description: "Interval to query Cisco Duo Admin API. Not recommended requesting logs more than once per minute. NOTE: Supported units for this parameter are h/m/s."
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ title: Collect Cisco Duo logs via API v2
+ description: Collect Cisco Duo Authentication, and Telephony logs
 owner:
 github: elastic/security-service-integrations
 type: elastic
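Review bot: The `enable_request_tracer` description in the new `cel` policy template links to the httpjson input's tracer documentation (`filebeat-input-httpjson.html#_request_tracer_filename`) even though this template's input `type` is `cel`, so users are sent to the option set of a different input; the link should point at the CEL input's tracer documentation instead. The warning text itself is appropriate, since the tracer persists full authenticated Admin API requests and responses on the agent host, and keeping `show_user: false` as the default is the right choice. The v2 template's `description: Collect Cisco Duo Authentication, and Telephony logs` has a stray comma; `description: Collect Cisco Duo Authentication and Telephony logs`. Note also that the v2 `interval` var only discourages sub-minute polling in its description and enforces no lower bound here, so if a `1m` minimum is intended it presumably relies on validation elsewhere in the package — worth confirming.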
diff --git a/packages/cisco_duo/validation.yml b/packages/cisco_duo/validation.yml
deleted file mode 100644
index a96151416a6..00000000000
--- a/packages/cisco_duo/validation.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-errors:
- exclude_checks:
- - SVR00005 # Kibana version for saved tags.
