diff --git a/x-pack/filebeat/module/salesforce/_meta/config.yml b/x-pack/filebeat/module/salesforce/_meta/config.yml
new file mode 100644
index 000000000000..dfe54fc31894
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/config.yml
@@ -0,0 +1,127 @@
+- module: salesforce
+
+ apex-rest:
+ enabled: false
+
+ # Oauth Client ID
+ # var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Client Secret
+ # var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Token URL
+ # var.token_url: "https://login.salesforce.com/services/oauth2/token"
+
+ # Oauth User, should include the User mail
+ # var.user: "abc.xyz@mail.com"
+
+ # Oauth password, should include the User password
+ # var.password: "P@$$W0₹D"
+
+ # URL, should include the instance_url
+ # var.url: "https://instance_id.my.salesforce.com"
+
+ login-rest:
+ enabled: false
+
+ # Oauth Client ID
+ # var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Client Secret
+ # var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Token URL
+ # var.token_url: "https://login.salesforce.com/services/oauth2/token"
+
+ # Oauth User, should include the User mail
+ # var.user: "abc.xyz@mail.com"
+
+ # Oauth password, should include the User password
+ # var.password: "P@$$W0₹D"
+
+ # URL, should include the instance_url
+ # var.url: "https://instance_id.my.salesforce.com"
+
+ login-stream:
+ enabled: false
+
+ # Oauth Client ID
+ # var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Client Secret
+ # var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Token URL
+ # var.token_url: "https://login.salesforce.com/services/oauth2/token"
+
+ # Oauth User, should include the User mail
+ # var.user: "abc.xyz@mail.com"
+
+ # Oauth password, should include the User password
+ # var.password: "P@$$W0₹D"
+
+ # URL, should include the instance_url
+ # var.url: "https://instance_id.my.salesforce.com"
+
+ logout-rest:
+ enabled: false
+
+ # Oauth Client ID
+ # var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Client Secret
+ # var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Token URL
+ # var.token_url: "https://login.salesforce.com/services/oauth2/token"
+
+ # Oauth User, should include the User mail
+ # var.user: "abc.xyz@mail.com"
+
+ # Oauth password, should include the User password
+ # var.password: "P@$$W0₹D"
+
+ # URL, should include the instance_url
+ # var.url: "https://instance_id.my.salesforce.com"
+
+ logout-stream:
+ enabled: false
+
+ # Oauth Client ID
+ # var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Client Secret
+ # var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Token URL
+ # var.token_url: "https://login.salesforce.com/services/oauth2/token"
+
+ # Oauth User, should include the User mail
+ # var.user: "abc.xyz@mail.com"
+
+ # Oauth password, should include the User password
+ # var.password: "P@$$W0₹D"
+
+ # URL, should include the instance_url
+ # var.url: "https://instance_id.my.salesforce.com"
+
+ setupaudittrail-rest:
+ enabled: false
+
+ # Oauth Client ID
+ # var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Client Secret
+ # var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Oauth Token URL
+ # var.token_url: "https://login.salesforce.com/services/oauth2/token"
+
+ # Oauth User, should include the User mail
+ # var.user: "abc.xyz@mail.com"
+
+ # Oauth password, should include the User password
+ # var.password: "P@$$W0₹D"
+
+ # URL, should include the instance_url
+ # var.url: "https://instance_id.my.salesforce.com"
diff --git a/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc b/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc
new file mode 100644
index 000000000000..909a336e2832
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc
@@ -0,0 +1,305 @@
+[role="xpack"]
+
+:modulename: salesforce
+:has-dashboards: false
+
+== Salesforce module
+
+This is a module for Salesforce logs.
+It collects the logs using the following two different types of inputs:
+
+- `httpjson` input: collects historical data from Salesforce REST API.
+- `cometd` input: collects real-time data from Salesforce Streaming API.
+
+It includes the following filesets for receiving logs:
+
+- `login-rest` fileset: supports Salesforce Login logs received from the REST API.
+- `login-stream` fileset: supports Salesforce Login logs received from the Streaming API.
+- `logout-rest` fileset: supports Salesforce Logout logs received from the REST API.
+- `logout-stream` fileset: supports Salesforce Logout logs received from the Streaming API.
+- `apex-rest` fileset: supports Salesforce Apex logs received from the REST API.
+- `setupaudittrail-rest` fileset: supports logs generated when admins make in your org’s Setup area.
+
+Note: We can leverage the inputs provided above to collect the rest of the events from the Salesforce REST or Streaming API.
+
+include::../include/what-happens.asciidoc[]
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+==== `login-rest` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: salesforce
+ login-rest:
+ enabled: true
+ var.client_id: "my-client-id"
+ var.client_secret: "my-client-secret"
+ var.token_url: "https://login.salesforce.com/services/oauth2/token"
+ var.user: "my.email@here.com"
+ var.password: "password"
+ var.url: "https://instance-url.salesforce.com"
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.client_id`*::
+
+Oauth client ID.
+
+*`var.client_secret`*::
+
+Oauth client secret.
+
+*`var.token_url`*::
+
+Oauth token URL.
+
+*`var.user`*::
+
+The user used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.password`*::
+
+The password used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.url`*::
+
+The URL of the Saleforce instance.
+
+[float]
+==== `login-stream` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: salesforce
+ login-stream:
+ enabled: true
+ var.client_id: "my-client-id"
+ var.client_secret: "my-client-secret"
+ var.token_url: "https://login.salesforce.com/services/oauth2/token"
+ var.user: "my.email@here.com"
+ var.password: "password"
+ var.url: "https://instance-url.salesforce.com"
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.client_id`*::
+
+Oauth client ID.
+
+*`var.client_secret`*::
+
+Oauth client secret.
+
+*`var.token_url`*::
+
+Oauth token URL.
+
+*`var.user`*::
+
+The user used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.password`*::
+
+The password used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.url`*::
+
+The URL of the Saleforce instance.
+
+[float]
+==== `logout-rest` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: salesforce
+ logout-rest:
+ enabled: true
+ var.client_id: "my-client-id"
+ var.client_secret: "my-client-secret"
+ var.token_url: "https://login.salesforce.com/services/oauth2/token"
+ var.user: "my.email@here.com"
+ var.password: "password"
+ var.url: "https://instance-url.salesforce.com"
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.client_id`*::
+
+Oauth client ID.
+
+*`var.client_secret`*::
+
+Oauth client secret.
+
+*`var.token_url`*::
+
+Oauth token URL.
+
+*`var.user`*::
+
+The user used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.password`*::
+
+The password used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.url`*::
+
+The URL of the Saleforce instance.
+
+[float]
+==== `logout-stream` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: salesforce
+ logout-stream:
+ enabled: true
+ var.client_id: "my-client-id"
+ var.client_secret: "my-client-secret"
+ var.token_url: "https://login.salesforce.com/services/oauth2/token"
+ var.user: "my.email@here.com"
+ var.password: "password"
+ var.url: "https://instance-url.salesforce.com"
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.client_id`*::
+
+Oauth client ID.
+
+*`var.client_secret`*::
+
+Oauth client secret.
+
+*`var.token_url`*::
+
+Oauth token URL.
+
+*`var.user`*::
+
+The user used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.password`*::
+
+The password used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.url`*::
+
+The URL of the Saleforce instance.
+
+[float]
+==== `setupaudittrail-rest` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: salesforce
+ setupaudittrail-rest:
+ enabled: true
+ var.client_id: "my-client-id"
+ var.client_secret: "my-client-secret"
+ var.token_url: "https://login.salesforce.com/services/oauth2/token"
+ var.user: "my.email@here.com"
+ var.password: "password"
+ var.url: "https://instance-url.salesforce.com"
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.client_id`*::
+
+Oauth client ID.
+
+*`var.client_secret`*::
+
+Oauth client secret.
+
+*`var.token_url`*::
+
+Oauth token URL.
+
+*`var.user`*::
+
+The user used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.password`*::
+
+The password used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.url`*::
+
+The URL of the Saleforce instance.
+
+[float]
+==== `apex-rest` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+- module: salesforce
+ apex-rest:
+ enabled: true
+ var.client_id: "my-client-id"
+ var.client_secret: "my-client-secret"
+ var.token_url: "https://login.salesforce.com/services/oauth2/token"
+ var.user: "my.email@here.com"
+ var.password: "password"
+ var.url: "https://instance-url.salesforce.com"
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.client_id`*::
+
+Oauth client ID.
+
+*`var.client_secret`*::
+
+Oauth client secret.
+
+*`var.token_url`*::
+
+Oauth token URL.
+
+*`var.user`*::
+
+The user used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.password`*::
+
+The password used as part of the authentication flow. It is required for authentication - grant type password.
+
+*`var.url`*::
+
+The URL of the Saleforce instance.
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+TODO: include an image of a sample dashboard. If you do not include a dashboard,
+remove this section and set `:has-dashboards: false` at the top of this file.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
diff --git a/x-pack/filebeat/module/salesforce/_meta/fields.yml b/x-pack/filebeat/module/salesforce/_meta/fields.yml
new file mode 100644
index 000000000000..bc16ec35c598
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: salesforce
+ title: "Salesforce"
+ description: >
+ Salesforce Module
+ fields:
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json
new file mode 100644
index 000000000000..4b68ab629fad
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json
@@ -0,0 +1,475 @@ +{ + "attributes": { + "description": "Login EventLogFile Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", + "panelRefName": "panel_4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "df92b3a0-d885-4bac-a98b-ab94d1d65936", + "w": 12, + "x": 0, + "y": 4 + }, + "panelIndex": "df92b3a0-d885-4bac-a98b-ab94d1d65936", + "panelRefName": "panel_df92b3a0-d885-4bac-a98b-ab94d1d65936", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ae31f75c-4943-48ee-8177-f7ad58a91553", + "w": 12, + "x": 12, + "y": 4 + }, + "panelIndex": "ae31f75c-4943-48ee-8177-f7ad58a91553", + "panelRefName": "panel_ae31f75c-4943-48ee-8177-f7ad58a91553", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 180, + "minLat": -66.51326, + "minLon": -90 + }, + "mapCenter": { + "lat": 14.75725, + "lon": 26.27964, + "zoom": 1.31 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 15, + "i": "9caaed64-6c42-40af-a6af-ae58cce576e3", + "w": 24, + "x": 24, + "y": 4 + }, + "panelIndex": "9caaed64-6c42-40af-a6af-ae58cce576e3", + "panelRefName": "panel_9caaed64-6c42-40af-a6af-ae58cce576e3", + "title": "[Filebeat Salesforce][Login] Salesforce activity by region", + "type": 
"map", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "157cf178-6669-496e-9f0e-7d9ac8bab21d", + "w": 48, + "x": 0, + "y": 19 + }, + "panelIndex": "157cf178-6669-496e-9f0e-7d9ac8bab21d", + "panelRefName": "panel_157cf178-6669-496e-9f0e-7d9ac8bab21d", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", + "w": 24, + "x": 0, + "y": 34 + }, + "panelIndex": "a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", + "panelRefName": "panel_a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", + "title": "[Filebeat Salesforce][Login] User ID", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "eb23e36d-9001-4fd2-ad9f-aacf62811beb", + "w": 24, + "x": 24, + "y": 34 + }, + "panelIndex": "eb23e36d-9001-4fd2-ad9f-aacf62811beb", + "panelRefName": "panel_eb23e36d-9001-4fd2-ad9f-aacf62811beb", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "1436e9ad-013d-4416-a616-9a3c134af834", + "w": 24, + "x": 0, + "y": 49 + }, + "panelIndex": "1436e9ad-013d-4416-a616-9a3c134af834", + "panelRefName": "panel_1436e9ad-013d-4416-a616-9a3c134af834", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "83337583-735d-44c1-8dc9-8e4f032d42fb", + "w": 24, + "x": 24, + "y": 49 + }, + "panelIndex": "83337583-735d-44c1-8dc9-8e4f032d42fb", + "panelRefName": "panel_83337583-735d-44c1-8dc9-8e4f032d42fb", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "20a81ce2-6345-4cad-936e-4337ac6bb3b0", + "w": 24, + "x": 0, + "y": 64 + }, + "panelIndex": 
"20a81ce2-6345-4cad-936e-4337ac6bb3b0", + "panelRefName": "panel_20a81ce2-6345-4cad-936e-4337ac6bb3b0", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Application Type", + "field": "salesforce.login.application", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "index": "filebeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", 
+ "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "", + "type": "horizontal_bar", + "uiState": {} + }, + "type": "visualization" + }, + "gridData": { + "h": 15, + "i": "c36f7834-49af-49af-87e9-8d1b77a47446", + "w": 24, + "x": 24, + "y": 64 + }, + "panelIndex": "c36f7834-49af-49af-87e9-8d1b77a47446", + "title": "[Filebeat Salesforce][Login] Application type", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 28, + "i": "8b648987-21fb-4b71-8d63-0e406180f168", + "w": 48, + "x": 0, + "y": 79 + }, + "panelIndex": "8b648987-21fb-4b71-8d63-0e406180f168", + "panelRefName": "panel_8b648987-21fb-4b71-8d63-0e406180f168", + "type": "search", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": false, + "value": 900000 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Login Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", + "name": "4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0:panel_4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", + "type": "visualization" + }, + { + "id": "c69e97e0-5d72-11ec-9523-d1b667ac64c0", + "name": 
"df92b3a0-d885-4bac-a98b-ab94d1d65936:panel_df92b3a0-d885-4bac-a98b-ab94d1d65936", + "type": "visualization" + }, + { + "id": "f4e05440-5d72-11ec-9523-d1b667ac64c0", + "name": "ae31f75c-4943-48ee-8177-f7ad58a91553:panel_ae31f75c-4943-48ee-8177-f7ad58a91553", + "type": "visualization" + }, + { + "id": "5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0", + "name": "9caaed64-6c42-40af-a6af-ae58cce576e3:panel_9caaed64-6c42-40af-a6af-ae58cce576e3", + "type": "map" + }, + { + "id": "fbb560f0-5d8e-11ec-9523-d1b667ac64c0", + "name": "157cf178-6669-496e-9f0e-7d9ac8bab21d:panel_157cf178-6669-496e-9f0e-7d9ac8bab21d", + "type": "visualization" + }, + { + "id": "e6da1080-5d8f-11ec-9523-d1b667ac64c0", + "name": "a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca:panel_a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", + "type": "visualization" + }, + { + "id": "33be8340-5d90-11ec-9523-d1b667ac64c0", + "name": "eb23e36d-9001-4fd2-ad9f-aacf62811beb:panel_eb23e36d-9001-4fd2-ad9f-aacf62811beb", + "type": "visualization" + }, + { + "id": "80c0b730-5d90-11ec-9523-d1b667ac64c0", + "name": "1436e9ad-013d-4416-a616-9a3c134af834:panel_1436e9ad-013d-4416-a616-9a3c134af834", + "type": "visualization" + }, + { + "id": "ab958760-5d90-11ec-9523-d1b667ac64c0", + "name": "83337583-735d-44c1-8dc9-8e4f032d42fb:panel_83337583-735d-44c1-8dc9-8e4f032d42fb", + "type": "visualization" + }, + { + "id": "e8175600-5d90-11ec-9523-d1b667ac64c0", + "name": "20a81ce2-6345-4cad-936e-4337ac6bb3b0:panel_20a81ce2-6345-4cad-936e-4337ac6bb3b0", + "type": "visualization" + }, + { + "id": "filebeat-*", + "name": "c36f7834-49af-49af-87e9-8d1b77a47446:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "c36f7834-49af-49af-87e9-8d1b77a47446:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "51d23250-5d8b-11ec-9523-d1b667ac64c0", + "name": "8b648987-21fb-4b71-8d63-0e406180f168:panel_8b648987-21fb-4b71-8d63-0e406180f168", + "type": "search" + }, 
+ { + "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDcxLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..31924a886500 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,291 @@ +{ + "attributes": { + "description": "Apex EventLogFile Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "92fa5f55-44db-44e6-9e32-f47c34335706", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "92fa5f55-44db-44e6-9e32-f47c34335706", + "panelRefName": "panel_92fa5f55-44db-44e6-9e32-f47c34335706", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f7680bb8-ec0c-4bd5-8ace-140d023384dc", + "w": 12, + "x": 0, + "y": 4 + }, + "panelIndex": "f7680bb8-ec0c-4bd5-8ace-140d023384dc", + "panelRefName": "panel_f7680bb8-ec0c-4bd5-8ace-140d023384dc", + "title": "[Filebeat Salesforce][Apex] Successful requests", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5b18dcde-0147-462b-85eb-154fcb9abffd", + "w": 12, + "x": 12, + "y": 4 + }, + "panelIndex": "5b18dcde-0147-462b-85eb-154fcb9abffd", + "panelRefName": "panel_5b18dcde-0147-462b-85eb-154fcb9abffd", + "title": "[Filebeat Salesforce][Apex] Failed requests", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", + "w": 24, + "x": 24, + "y": 4 + }, + "panelIndex": "b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", + "panelRefName": "panel_b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "97595594-bd12-4341-9287-aba4ee2642c3", + 
"w": 24, + "x": 0, + "y": 19 + }, + "panelIndex": "97595594-bd12-4341-9287-aba4ee2642c3", + "panelRefName": "panel_97595594-bd12-4341-9287-aba4ee2642c3", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": null + }, + "gridData": { + "h": 16, + "i": "1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", + "w": 24, + "x": 24, + "y": 19 + }, + "panelIndex": "1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", + "panelRefName": "panel_1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", + "title": "[Filebeat Salesforce][Apex] Categorization by User type", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b2885132-edfc-4c17-99f9-31b56ca2f109", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "b2885132-edfc-4c17-99f9-31b56ca2f109", + "panelRefName": "panel_b2885132-edfc-4c17-99f9-31b56ca2f109", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", + "w": 24, + "x": 0, + "y": 50 + }, + "panelIndex": "4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", + "panelRefName": "panel_4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 13, + "i": "58a8cf54-9a2e-4b7d-a579-5b01e656030e", + "w": 21, + "x": 0, + "y": 65 + }, + "panelIndex": "58a8cf54-9a2e-4b7d-a579-5b01e656030e", + "panelRefName": "panel_58a8cf54-9a2e-4b7d-a579-5b01e656030e", + "title": "[Filebeat Salesforce][Apex] Response by Media type", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "03390f0c-c585-4cf0-8a93-06479965a0e9", + "w": 27, + "x": 21, + "y": 65 + }, + 
"panelIndex": "03390f0c-c585-4cf0-8a93-06479965a0e9", + "panelRefName": "panel_03390f0c-c585-4cf0-8a93-06479965a0e9", + "title": "[Filebeat Salesforce][Apex] Response categorization by user agent", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "60adaf8e-785f-4c89-9ff8-c842b2a64f73", + "w": 24, + "x": 24, + "y": 50 + }, + "panelIndex": "60adaf8e-785f-4c89-9ff8-c842b2a64f73", + "panelRefName": "panel_60adaf8e-785f-4c89-9ff8-c842b2a64f73", + "type": "visualization", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Apex Dashboards", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", + "name": "92fa5f55-44db-44e6-9e32-f47c34335706:panel_92fa5f55-44db-44e6-9e32-f47c34335706", + "type": "visualization" + }, + { + "id": "4f9923d0-574c-11ec-8f0b-05e8b06e1b10", + "name": "f7680bb8-ec0c-4bd5-8ace-140d023384dc:panel_f7680bb8-ec0c-4bd5-8ace-140d023384dc", + "type": "visualization" + }, + { + "id": "8cec4c30-574c-11ec-8f0b-05e8b06e1b10", + "name": "5b18dcde-0147-462b-85eb-154fcb9abffd:panel_5b18dcde-0147-462b-85eb-154fcb9abffd", + "type": "visualization" + }, + { + "id": "86081670-5d95-11ec-9523-d1b667ac64c0", + "name": "b9d36aa1-9cb3-4a1a-a010-413d72a57dd0:panel_b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", + "type": "visualization" + }, + { + "id": "24c39ae0-574d-11ec-8f0b-05e8b06e1b10", + "name": "97595594-bd12-4341-9287-aba4ee2642c3:panel_97595594-bd12-4341-9287-aba4ee2642c3", + "type": "visualization" + }, + { + "id": "416da3a0-574f-11ec-8f0b-05e8b06e1b10", + "name": "1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b:panel_1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", + "type": 
"visualization" + }, + { + "id": "93c37330-5751-11ec-8f0b-05e8b06e1b10", + "name": "b2885132-edfc-4c17-99f9-31b56ca2f109:panel_b2885132-edfc-4c17-99f9-31b56ca2f109", + "type": "visualization" + }, + { + "id": "31366a60-5751-11ec-8f0b-05e8b06e1b10", + "name": "4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7:panel_4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", + "type": "visualization" + }, + { + "id": "17f0a5d0-5750-11ec-8f0b-05e8b06e1b10", + "name": "58a8cf54-9a2e-4b7d-a579-5b01e656030e:panel_58a8cf54-9a2e-4b7d-a579-5b01e656030e", + "type": "visualization" + }, + { + "id": "61eec180-5750-11ec-8f0b-05e8b06e1b10", + "name": "03390f0c-c585-4cf0-8a93-06479965a0e9:panel_03390f0c-c585-4cf0-8a93-06479965a0e9", + "type": "visualization" + }, + { + "id": "6d86efd0-5751-11ec-8f0b-05e8b06e1b10", + "name": "60adaf8e-785f-4c89-9ff8-c842b2a64f73:panel_60adaf8e-785f-4c89-9ff8-c842b2a64f73", + "type": "visualization" + }, + { + "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDg0LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..7d9d4fae5c76 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,154 @@ +{ + "attributes": { + "description": "Logout EventLogFile Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", + "panelRefName": "panel_a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 17, + "i": "b32f64f1-b5dd-4ae5-b655-e921fe591508", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "b32f64f1-b5dd-4ae5-b655-e921fe591508", + "panelRefName": "panel_b32f64f1-b5dd-4ae5-b655-e921fe591508", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", + "panelRefName": "panel_e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "12145dd1-e578-4f41-a09d-7bece9d79985", + "w": 24, + "x": 24, + "y": 21 + }, + "panelIndex": "12145dd1-e578-4f41-a09d-7bece9d79985", + "panelRefName": "panel_12145dd1-e578-4f41-a09d-7bece9d79985", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 37, + "i": "4c956f84-ce21-4b40-9b6c-d0c079aa2630", + "w": 48, + "x": 0, + "y": 36 + }, + "panelIndex": "4c956f84-ce21-4b40-9b6c-d0c079aa2630", + "panelRefName": 
"panel_4c956f84-ce21-4b40-9b6c-d0c079aa2630", + "type": "search", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Logout Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", + "name": "a8f9096a-18a7-4aaa-aadf-9b1264c25ff9:panel_a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", + "type": "visualization" + }, + { + "id": "24970c20-5d6d-11ec-9523-d1b667ac64c0", + "name": "b32f64f1-b5dd-4ae5-b655-e921fe591508:panel_b32f64f1-b5dd-4ae5-b655-e921fe591508", + "type": "visualization" + }, + { + "id": "2b7921e0-5d6d-11ec-9523-d1b667ac64c0", + "name": "e94002ab-ee04-4bdf-80f6-fca80b3cf1b1:panel_e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", + "type": "visualization" + }, + { + "id": "27897120-5d6d-11ec-9523-d1b667ac64c0", + "name": "12145dd1-e578-4f41-a09d-7bece9d79985:panel_12145dd1-e578-4f41-a09d-7bece9d79985", + "type": "visualization" + }, + { + "id": "b3b98110-5d92-11ec-9523-d1b667ac64c0", + "name": "4c956f84-ce21-4b40-9b6c-d0c079aa2630:panel_4c956f84-ce21-4b40-9b6c-d0c079aa2630", + "type": "search" + }, + { + "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-12-17T10:39:10.754Z", + "version": "WzIzNDkwLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..df39dcd233eb --- /dev/null 
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,159 @@ +{ + "attributes": { + "description": "SetupAuditTrail EventLogFile Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "c7fd367e-26a0-440d-abdf-6c217aaa3d82", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "c7fd367e-26a0-440d-abdf-6c217aaa3d82", + "panelRefName": "panel_c7fd367e-26a0-440d-abdf-6c217aaa3d82", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 13, + "i": "cd348728-bab4-44b0-96cb-6f29b1095701", + "w": 16, + "x": 16, + "y": 4 + }, + "panelIndex": "cd348728-bab4-44b0-96cb-6f29b1095701", + "panelRefName": "panel_cd348728-bab4-44b0-96cb-6f29b1095701", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 13, + "i": "ecb2c974-d2ed-4256-a467-451be88465a7", + "w": 16, + "x": 32, + "y": 4 + }, + "panelIndex": "ecb2c974-d2ed-4256-a467-451be88465a7", + "panelRefName": "panel_ecb2c974-d2ed-4256-a467-451be88465a7", + "title": "[Filebeat Salesforce][SetupAuditTrail] Number of Actions performed over URLs", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 27, + "i": "fcd86baf-07ec-4c31-b1f6-054bbab0152c", + "w": 48, + "x": 0, + "y": 17 + }, + "panelIndex": "fcd86baf-07ec-4c31-b1f6-054bbab0152c", + "panelRefName": "panel_fcd86baf-07ec-4c31-b1f6-054bbab0152c", + "type": "search", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": 
"701cda8c-8a8a-4e39-ac16-52397b712b87", + "w": 16, + "x": 0, + "y": 4 + }, + "panelIndex": "701cda8c-8a8a-4e39-ac16-52397b712b87", + "panelRefName": "panel_701cda8c-8a8a-4e39-ac16-52397b712b87", + "type": "visualization", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Setup Audit Trail Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", + "name": "c7fd367e-26a0-440d-abdf-6c217aaa3d82:panel_c7fd367e-26a0-440d-abdf-6c217aaa3d82", + "type": "visualization" + }, + { + "id": "cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f", + "name": "cd348728-bab4-44b0-96cb-6f29b1095701:panel_cd348728-bab4-44b0-96cb-6f29b1095701", + "type": "visualization" + }, + { + "id": "5b503310-4b8c-11ec-9959-a3c0f68b1e4f", + "name": "ecb2c974-d2ed-4256-a467-451be88465a7:panel_ecb2c974-d2ed-4256-a467-451be88465a7", + "type": "visualization" + }, + { + "id": "769ba1c0-4b84-11ec-9959-a3c0f68b1e4f", + "name": "fcd86baf-07ec-4c31-b1f6-054bbab0152c:panel_fcd86baf-07ec-4c31-b1f6-054bbab0152c", + "type": "search" + }, + { + "id": "f5942600-5d95-11ec-9523-d1b667ac64c0", + "name": "701cda8c-8a8a-4e39-ac16-52397b712b87:panel_701cda8c-8a8a-4e39-ac16-52397b712b87", + "type": "visualization" + }, + { + "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-12-17T10:39:11.743Z", + "version": "WzIzNDk3LDJd" +} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..8267caede230 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "166258a6-0b30-4bd1-8a12-67f32cfbeb97", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "696a68f4-f7f0-4720-9c7a-eac4f6cba560", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "source.geo.location", + "id": "608c9dc4-0997-4e15-af24-9334271838bb", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 23.00882, + "lon": 13.35724 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 900000, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + 
"showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "2021-10-21T02:19:14.117Z", + "to": "2021-10-22T10:30:00.000Z" + }, + "zoom": 1.25 + }, + "title": "[Filebeat Salesforce][Login] Salesforce activity by region", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.15.0", + "id": "5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDYyLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/51d23250-5d8b-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/51d23250-5d8b-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..813793ed68c6 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/51d23250-5d8b-11ec-9523-d1b667ac64c0.json 
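Review bot: The saved `mapStateJSON.timeFilters` in the login activity map pins an absolute window, `"from": "2021-10-21T02:19:14.117Z"` to `"to": "2021-10-22T10:30:00.000Z"`, which looks like a leftover from the authoring session. If Kibana restores this range when the map is opened on its own, the heatmap of `salesforce.login` events would show that single day rather than recent logins, even though `refreshConfig` refreshes every 900000 ms. Consider dropping `timeFilters` from the saved state, or using a relative range consistent with the dashboards in this commit, e.g. `"from": "now-7d/d", "to": "now"`. Whether a dashboard embedding this map overrides the range is not visible here, so confirm against the target Kibana version.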
@@ -0,0 +1,75 @@ +{ + "attributes": { + "columns": [ + "salesforce.access_mode", + "salesforce.login.db_total_time", + "salesforce.login.evaluation_time", + "salesforce.login.login_type", + "salesforce.login.request_status", + "salesforce.login.run_time", + "salesforce.login.session_level" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Filebeat Salesforce][Login] Login Log Table" + }, + "coreMigrationVersion": "7.15.0", + "id": "51d23250-5d8b-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDY5LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/769ba1c0-4b84-11ec-9959-a3c0f68b1e4f.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/769ba1c0-4b84-11ec-9959-a3c0f68b1e4f.json new file mode 100644 index 000000000000..74ad2adb7427 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/769ba1c0-4b84-11ec-9959-a3c0f68b1e4f.json 
@@ -0,0 +1,73 @@ +{ + "attributes": { + "columns": [ + "salesforce.setup_audit_trail.section", + "event.action", + "salesforce.setup_audit_trail.display" + ], + "description": "", + "grid": {}, + "hideChart": false, + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.setupaudittrail" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.setupaudittrail" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Filebeat Salesforce][SetupAuditTrail] SetupAuditTrail Log Stream", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "769ba1c0-4b84-11ec-9959-a3c0f68b1e4f", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-12-17T10:43:15.540Z", + "version": "WzIzNTg2LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/b3b98110-5d92-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/b3b98110-5d92-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..4d83dd230368 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/b3b98110-5d92-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,71 @@ +{ + "attributes": { + "columns": [ + "source.ip", + "source.geo.city_name", + "user.id" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.logout" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.logout" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Filebeat Salesforce][Logout] Logout Logs Table" + }, + "coreMigrationVersion": "7.15.0", + "id": "b3b98110-5d92-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-12-17T10:39:10.754Z", + "version": "WzIzNDg5LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/ef8b6070-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/ef8b6070-5d6d-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..b20e0ad6eb0b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/ef8b6070-5d6d-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "columns": [], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Filebeat Salesforce][Login] Search" + }, + "coreMigrationVersion": "7.15.0", + "id": "ef8b6070-5d6d-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDU5LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/tag/50e50c20-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/tag/50e50c20-5749-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..5baed7d923b5 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/tag/50e50c20-5749-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,13 @@ +{ + "attributes": { + "color": "#414273", + "description": "", + "name": "beats" + }, + "coreMigrationVersion": "7.15.0", + "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", + "references": [], + "type": "tag", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDcwLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/17f0a5d0-5750-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/17f0a5d0-5750-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..56c7258fffca --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/17f0a5d0-5750-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce] Response by Media type", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "salesforce.apex.media_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "[Filebeat Salesforce] Response by Media type", + "type": "pie" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "17f0a5d0-5750-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": 
"filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDgxLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24970c20-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24970c20-5d6d-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..6a684f52ff90 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24970c20-5d6d-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,180 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.logout" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.logout" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Logout] Logout Over Time", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "m", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-7d/d", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "1h" + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 9, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + 
"interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][Logout] Logout Over Time", + "type": "area" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "24970c20-5d6d-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:10.754Z", + "version": "WzIzNDg2LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24c39ae0-574d-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24c39ae0-574d-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..41c4fb1319ab --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24c39ae0-574d-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,166 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][ApexTrigger] Trigger-Entity categorisation", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Trigger Name", + "field": "salesforce.apex.trigger.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "salesforce.apex.entity_name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": 
"histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][ApexTrigger] Trigger-Entity categorisation", + "type": "horizontal_bar" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "24c39ae0-574d-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDc3LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/27897120-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/27897120-5d6d-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..5677983b9499 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/27897120-5d6d-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,178 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.logout" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.logout" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : \"salesforce.logout\" " + } + } + }, + "title": "[Filebeat Salesforce][Logout] Top 10 IP addresses over time", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "IP Address", + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 9 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 9, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": 
true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][Logout] Top 10 IP addresses over time", + "type": "area" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "27897120-5d6d-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:10.754Z", + "version": "WzIzNDg4LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2b7921e0-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2b7921e0-5d6d-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..09e766c0e83c --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2b7921e0-5d6d-11ec-9523-d1b667ac64c0.json 
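Review bot: The title "[Filebeat Salesforce][Logout] Top 10 IP addresses over time" does not match the terms aggregation on `source.ip`, which uses `"size": 9` with `"otherBucket": true`, so the chart shows nine addresses plus an "Other" series. Either set `"size": 10` or retitle it, so that an analyst reading logout sources is not misled about how many distinct addresses are broken out. The kuery string `"query": "event.dataset : \"salesforce.logout\" "` also repeats the `event.dataset` phrase filter already in `filter[0]`. The sibling logout visualizations in this commit leave it as `"query": ""`, which would be the consistent choice here.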
@@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.logout" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.logout" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Logout] Distribution of Session Levels used while logging out", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "salesforce.logout.session_level", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": false, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "value" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "[Filebeat Salesforce][Logout] Distribution of Session Levels used while logging out", + "type": "pie" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "2b7921e0-5d6d-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + 
{ + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:10.754Z", + "version": "WzIzNDg3LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/31366a60-5751-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/31366a60-5751-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..0a89192c16f9 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/31366a60-5751-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,183 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "apex-execution" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "apex-execution" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][ApexExecution] Apex Performance over time", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Average Execution Time (ms)", + "field": "event.duration" + }, + "schema": "metric", + "type": "avg" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "m", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-7d/d", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "1h" + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 9, + "seriesParams": [ + { + "circlesRadius": 3, + 
"data": { + "id": "1", + "label": "Average Execution Time (ms)" + }, + "drawLinesBetweenPoints": true, + "interpolate": "cardinal", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Average Execution Time (ms)" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][ApexExecution] Apex Performance over time", + "type": "line" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "31366a60-5751-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDgwLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/33be8340-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/33be8340-5d90-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..af7f486bf5c3 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/33be8340-5d90-11ec-9523-d1b667ac64c0.json 
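Review bot: The metric in agg `"id": "1"` averages `event.duration`, yet `customLabel`, the series label and the value-axis title all read "Average Execution Time (ms)". ECS defines `event.duration` in nanoseconds, so if the ingest pipeline (not visible here) follows ECS, the plotted numbers are off from the label by a factor of 10^6. Either relabel to `"Average Execution Time (ns)"` in the three places, or set a duration formatter on the index-pattern field so the chart renders milliseconds.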
@@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Login] Success rate", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.outcome", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "[Filebeat Salesforce][Login] Success rate", + "type": "pie" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "33be8340-5d90-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDY1LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/416da3a0-574f-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/416da3a0-574f-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..9227778b94f7 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/416da3a0-574f-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce] Categorization by User type", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.roles", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Greens", + "colorsNumber": 4, + "colorsRange": [], + "enableHover": false, + "invertColors": false, + "legendPosition": "right", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "black", + "overwriteColor": false, + "rotate": 0, + "show": false + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce] Categorization by User type", + "type": "heatmap" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "416da3a0-574f-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDc4LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/4f9923d0-574c-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/4f9923d0-574c-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..46203db9885d --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/4f9923d0-574c-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "success" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce] Successful requests", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "[Filebeat Salesforce] Successful requests", + "type": "metric" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "4f9923d0-574c-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDc0LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/5b503310-4b8c-11ec-9959-a3c0f68b1e4f.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/5b503310-4b8c-11ec-9959-a3c0f68b1e4f.json new file mode 100644 index 000000000000..e36f29f0d3f6 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/5b503310-4b8c-11ec-9959-a3c0f68b1e4f.json 
@@ -0,0 +1,194 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.setupaudittrail" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.setupaudittrail" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][SetupAuditTrail] Number of Actions performed by Top 10 Delegated Users", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 7 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.url", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": { + "show": false + }, 
+ "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][SetupAuditTrail] Number of Actions performed by Top 10 Delegated Users", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "5b503310-4b8c-11ec-9959-a3c0f68b1e4f", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:11.743Z", + "version": "WzIzNDk0LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/61eec180-5750-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/61eec180-5750-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..cd96cb58dd0b --- /dev/null 
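Review bot: The title promises "Number of Actions performed by Top 10 Delegated Users", but neither bucket aggregation touches a user field: agg `"id": "2"` is a terms split on `event.action` with `"size": 7`, and agg `"id": "3"` groups by `event.url` with `"size": 5`. The chart therefore shows the top actions broken down by URL, and someone using it to review delegated administrative activity in SetupAuditTrail would draw the wrong conclusion. Point the segment aggregation at the field the pipeline populates for the delegated user (its name is not visible in this hunk) with `"size": 10`, or rename both `title` values to describe what is actually plotted.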
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/61eec180-5750-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,176 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce] Response categorization by user agent", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "salesforce.apex.user_agent", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + 
"type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce] Response categorization by user agent", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "61eec180-5750-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDgyLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/6d86efd0-5751-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/6d86efd0-5751-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..47d4c4c3434d --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/6d86efd0-5751-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,197 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][ApexExecution] Number of SOQL Queries per Entry Point", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "m", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-7d/d", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "1h" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "salesforce.apex.entry_point", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": 
"ValueAxis-1" + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][ApexExecution] Number of SOQL Queries per Entry Point", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "6d86efd0-5751-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDgzLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/7a22ead0-5758-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/7a22ead0-5758-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..b6d984047add --- /dev/null 
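Review bot: The only metric here is `"type": "count"`, so the histogram plots the number of `salesforce.apex` events per `salesforce.apex.entry_point`, not the "Number of SOQL Queries per Entry Point" the title states. If the dataset carries a per-event SOQL query counter (not visible in this hunk), agg `"id": "1"` should be a `sum` over that field, with the "Count" axis and series labels updated to match. Otherwise the two `title` values would be more accurate as something like `"[Filebeat Salesforce][ApexExecution] Apex events per Entry Point"`.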
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/7a22ead0-5758-11ec-8f0b-05e8b06e1b10.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat salesforce] Dashboards", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Apex Dashboard](#/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10) | [Login Dashboard](#/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10) | [Logout Dashboard](#/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10) | [SetupAuditTrail Dashboard](#/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10)", + "openLinksInNewTab": false + }, + "title": "[Filebeat salesforce] Dashboards", + "type": "markdown" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDU4LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/80c0b730-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/80c0b730-5d90-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..485bf1f3b5d9 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/80c0b730-5d90-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,178 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Login] Top IP addresses by request count", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": 
true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][Login] Top IP addresses by request count", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "80c0b730-5d90-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDY2LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/86081670-5d95-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/86081670-5d95-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..2a0f6dc04206 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/86081670-5d95-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,212 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Apex] DB_TOTAL_TIME-CPU_TIME comparision", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-7d/d", + "to": "now" + }, + "useNormalizedEsInterval": true, + "used_interval": "3h" + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "salesforce.apex.cpu_time", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "field": "salesforce.apex.db_total_time", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", 
+ "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 9, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][Apex] DB_TOTAL_TIME-CPU_TIME comparision", + "type": "area" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "86081670-5d95-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDc2LDJd" +} \ No newline at end of file 
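Review bot: Aggs `"id": "3"` and `"id": "4"` are `terms` buckets on `salesforce.apex.cpu_time` and `salesforce.apex.db_total_time`, so the area chart shows document counts for the five most frequent values of each field rather than comparing the two timings. For a comparison over time these should be metric aggregations, e.g. `"type": "avg"` with `"field": "salesforce.apex.cpu_time"` and a second one on `salesforce.apex.db_total_time`, each with its own `seriesParams` entry and a value-axis title carrying the unit. The two `title` values also misspell "comparison" as "comparision".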
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/8cec4c30-574c-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/8cec4c30-574c-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..f62aac0fdfa2 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/8cec4c30-574c-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce] Failed requests", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "[Filebeat Salesforce] Failed requests", + "type": "metric" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "8cec4c30-574c-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDc1LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/93c37330-5751-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/93c37330-5751-11ec-8f0b-05e8b06e1b10.json new file mode 100644 index 000000000000..130dd58430f1 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/93c37330-5751-11ec-8f0b-05e8b06e1b10.json 
@@ -0,0 +1,179 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][ApexExecution] Top Entrypoints by Request Count", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Entrypoint", + "field": "salesforce.apex.entry_point", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": 
"linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][ApexExecution] Top Entrypoints by Request Count", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "93c37330-5751-11ec-8f0b-05e8b06e1b10", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:09.725Z", + "version": "WzIzNDc5LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/ab958760-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/ab958760-5d90-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..1ad451ae91d0 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/ab958760-5d90-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,176 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Login] Login type", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "salesforce.login.login_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": 
true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][Login] Login type", + "type": "horizontal_bar" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "ab958760-5d90-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDY3LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/c69e97e0-5d72-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/c69e97e0-5d72-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..fa0f0447259d --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/c69e97e0-5d72-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "success" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "[Filebeat Salesforce][Login] Successful login", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "[Filebeat Salesforce][Login] Successful login", + "type": "metric" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "c69e97e0-5d72-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "ef8b6070-5d6d-11ec-9523-d1b667ac64c0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDYwLDJd" +} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f.json
new file mode 100644
index 000000000000..89a1726f788e
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f.json
@@ -0,0 +1,178 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.setupaudittrail" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.setupaudittrail" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][SetupAuditTrail] Top 10 Section Over Time", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Salesforce Section", + "field": "salesforce.setup_audit_trail.section", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 9 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": {}, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 9, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + 
"drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][SetupAuditTrail] Top 10 Section Over Time", + "type": "area" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:11.743Z", + "version": "WzIzNDkzLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e6da1080-5d8f-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e6da1080-5d8f-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..de7ab8cb3fb9 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e6da1080-5d8f-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Login] User Names", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "[Filebeat Salesforce][Login] User Names", + "type": "pie" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "e6da1080-5d8f-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, 
+ { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDY0LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e8175600-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e8175600-5d90-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..0dbbfbf77de8 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e8175600-5d90-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Login] Activity segmentation by browser/client", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User Agent", + "field": "user_agent.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "distinctColors": false, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "title": "[Filebeat Salesforce][Login] Activity segmentation by browser/client", + "type": "pie" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "e8175600-5d90-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": 
"filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDY4LDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f4e05440-5d72-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f4e05440-5d72-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..b08c7fe9a4b0 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f4e05440-5d72-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "[Filebeat Salesforce][Login] Failed login attempts", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "[Filebeat Salesforce][Login] Failed login attempts", + "type": "metric" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "f4e05440-5d72-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "ef8b6070-5d6d-11ec-9523-d1b667ac64c0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDYxLDJd" +} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f5942600-5d95-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f5942600-5d95-11ec-9523-d1b667ac64c0.json
new file mode 100644
index 000000000000..42512898359c
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f5942600-5d95-11ec-9523-d1b667ac64c0.json
@@ -0,0 +1,179 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.setupaudittrail" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.setupaudittrail" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][SetupAuditTrail] Top 10 Actions Performed", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Action Performed", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 9 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": true, + "valueAxis": "ValueAxis-1" + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "maxLegendLines": 1, + "palette": { + "name": "default", + "type": "palette" + }, + "radiusRatio": 0, + "seriesParams": [ + { + "circlesRadius": 3, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": 
"linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "truncateLegend": true, + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "[Filebeat Salesforce][SetupAuditTrail] Top 10 Actions Performed", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "f5942600-5d95-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:43:46.854Z", + "version": "WzIzNjExLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/fbb560f0-5d8e-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/fbb560f0-5d8e-11ec-9523-d1b667ac64c0.json new file mode 100644 index 000000000000..15e8ac5fa6b0 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/fbb560f0-5d8e-11ec-9523-d1b667ac64c0.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "[Filebeat Salesforce][Login] Login over time", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "ad12785a-5d43-469d-9114-6a83add168c3", + "index_pattern": "", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "24098913-4cc2-4304-ab59-1003aa7a9655", + "line_width": 1, + "metrics": [ + { + "id": "434e8b7d-76b7-4947-95d1-aabedd41f524", + "type": "count" + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": true + }, + "title": "[Filebeat Salesforce][Login] Login over time", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.15.0", + "id": "fbb560f0-5d8e-11ec-9523-d1b667ac64c0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-17T10:39:08.695Z", + "version": "WzIzNDYzLDJd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/apex-rest/_meta/fields.yml new file mode 100644 index 000000000000..6657b6673ae7 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/_meta/fields.yml 
@@ -0,0 +1,200 @@ +- name: salesforce + type: group + release: beta + description: > + Fileset for ingesting Salesforce Apex logs. + fields: + - name: access_mode + type: keyword + description: > + The mode of collecting logs from Salesforce - "rest" or "stream". + - name: apex + type: group + release: beta + description: > + Fileset for ingesting Salesforce Apex logs. + fields: + - name: action + type: keyword + description: > + Action performed by the callout. + - name: callout_time + type: keyword + description: > + Time spent waiting on webservice callouts, in milliseconds. + - name: class_name + type: keyword + description: > + The Apex class name. If the class is part of a managed package, this string includes the package namespace. + - name: client_name + type: keyword + description: > + The name of the client that’s using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didnt specify a client in the CallOptions header. + - name: cpu_time + type: keyword + description: > + The CPU time in milliseconds used to complete the request. + - name: db_blocks + type: keyword + description: > + Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance. + - name: db_cpu_time + type: keyword + description: > + The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request. + - name: db_total_time + type: keyword + description: > + Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. + - name: entity + type: keyword + description: > + Name of the external object being accessed. 
+ - name: entity_name + type: keyword + description: > + The name of the object affected by the trigger. + - name: entry_point + type: keyword + description: > + The entry point for this Apex execution. + - name: event_type + type: keyword + description: > + The type of event. The value is always ApexCallout. + - name: execute_ms + type: keyword + description: > + How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later. + - name: fetch_ms + type: keyword + description: > + How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later. + - name: filter + type: keyword + description: > + Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries. + - name: is_long_running_request + type: keyword + description: > + Indicates whether the request is counted against your org’s concurrent long-running Apex request limit (true) or not (false). + - name: limit + type: keyword + description: > + Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries. + - name: limit_usage_percent + type: keyword + description: > + The percentage of Apex SOAP calls that were made against the organization’s limit. + - name: login_key + type: keyword + description: > + The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. + - name: media_type + type: keyword + description: > + The media type of the response. + - name: message + type: keyword + description: > + Error or warning message associated with the failed call. + - name: method_name + type: keyword + description: > + The name of the calling Apex method. + - name: number_fields + type: keyword + description: > + The number of fields or columns, where applicable. 
+ - name: number_soql_queries + type: keyword + description: > + The number of SOQL queries that were executed during the event. + - name: offset + type: keyword + description: > + Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries. + - name: orderby + type: keyword + description: > + Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries. + - name: organization_id + type: keyword + description: > + The 15-character ID of the organization. + - name: query + type: keyword + description: > + The SOQL query, if one was performed. + - name: quiddity + type: keyword + description: > + The type of outer execution associated with this event. + - name: request.id + type: keyword + description: > + The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. + - name: request.status + type: keyword + description: > + The status of the request for a page view or user interface action. + - name: rows.total + type: keyword + description: > + Total number of records in the result set. The value is always -1 if the custom adapter’s DataSource.Provider class doesn’t declare the QUERY_TOTAL_SIZE capability. + - name: rows.fetched + type: keyword + description: > + Number of rows fetched by the callout. Available in API version 42.0 and later. + - name: rows.processed + type: keyword + description: > + The number of rows that were processed in the request. + - name: run_time + type: keyword + description: > + Not used for this event type. Use the TIME field instead. + - name: select + type: keyword + description: > + Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries. + - name: subqueries + type: keyword + description: > + Reserved for future use. 
+ - name: throughput + type: keyword + description: > + Number of records retrieved in one second. + - name: triggerid + type: keyword + description: > + The 15-character ID of the trigger that was fired. + - name: trigger.name + type: keyword + description: > + For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger. + - name: trigger.type + type: keyword + description: > + The type of this trigger. + - name: type + type: keyword + description: > + The type of Apex callout. + - name: uri + type: keyword + description: > + The URI of the page that’s receiving the request. + - name: uri_id_derived + type: keyword + description: > + The 18-character case-safe ID of the URI of the page that’s receiving the request. + - name: user_agent + type: keyword + description: > + The numeric code for the type of client used to make the request (for example, the browser, application, or API). + - name: user_id_derived + type: keyword + description: > + The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API. diff --git a/x-pack/filebeat/module/salesforce/apex-rest/config/apex-rest.yml b/x-pack/filebeat/module/salesforce/apex-rest/config/apex-rest.yml new file mode 100644 index 000000000000..ef7cb29ef82b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/config/apex-rest.yml 
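Review bot: The entry `- name: triggerid` does not match the field the ingest pipeline in this commit writes, `salesforce.apex.trigger.id`; it should read `- name: trigger.id`, alongside `trigger.name` and `trigger.type`, so the ID is covered by the declared mapping instead of falling through to dynamic mapping. Every field in this hunk is also typed `keyword`, including durations and counters such as `cpu_time`, `db_total_time`, `rows.fetched` and `number_soql_queries`. Range queries and threshold-based alerting on those values would then compare strings, so `type: long` looks more appropriate for them, assuming the source values are always numeric.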
@@ -0,0 +1,46 @@
+type: httpjson
+
+interval: {{ .interval }}
+request.method: GET
+auth.oauth2:
+ enabled: true
+ client.id: {{ .client_id }}
+ client.secret: {{ .client_secret }}
+ token_url: {{ .token_url }}
+ user: {{ .user }}
+ password: {{ .password }}
+# Query params will be overwritten by request.transforms from start of the input and
+# it is to indicate that this url is for Apex type of events as cursor stores the url as source.
+# Each filebeat input cursor source needs to be uniquely identified with a name.
+request.url: {{ .url }}/services/data/v52.0/query?q=apex+rest
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+request.transforms:
+ - set:
+ target: url.params.q
+ value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND CreatedDate > [[.cursor.last_published_apex]] AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY CreatedDate ASC NULLS FIRST"
+ default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY CreatedDate ASC NULLS FIRST"
+response.split:
+ target: body.records
+chain:
+ - step:
+ request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/records.#.Id/LogFile
+ request.method: GET
+ replace: records.#.Id
+cursor:
+ last_published_apex:
+ value: '[[.last_event.CreatedDate]]'
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - decode_json_fields:
+ fields: [message]
+ target: "json"
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.12.0
+ - add_locale: ~
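Review bot: The OAuth2 credentials under `auth.oauth2` are rendered into the YAML unquoted (`client.secret: {{ .client_secret }}`, `password: {{ .password }}`), so a secret that contains ` #` or `: `, or that begins with a YAML indicator such as `@`, `*`, `!` or `&`, is silently truncated, retyped or rejected once the template output is parsed. The `tojson` helper already used for `tags` in this hunk yields a properly escaped double-quoted scalar, e.g. `password: {{ .password | tojson }}` and `client.secret: {{ .client_secret | tojson }}`, and the same applies to `client.id` and `user`. A comment such as `# Credentials are JSON-encoded so that special characters survive YAML parsing; prefer keystore references over literal values.` above `auth.oauth2` would document the intent. `request.url` and `token_url` are also taken verbatim from configuration, so nothing here stops the username/password grant from being sent to a plain `http://` endpoint.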
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/apex-rest/ingest/pipeline.yml new file mode 100644 index 000000000000..9af3151aba2b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/ingest/pipeline.yml 
@@ -0,0 +1,353 @@ +--- +description: Pipeline for parsing Salesforce apex logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + ignore_missing: true + +- set: + field: salesforce.access_mode + value: rest + ignore_failure: true + +- date: + field: json.TIMESTAMP_DERIVED + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true + +- rename: + field: json.CALLOUT_TIME + target_field: salesforce.apex.callout_time + ignore_missing: true +- rename: + field: json.CPU_TIME + target_field: salesforce.apex.cpu_time + ignore_missing: true +- rename: + field: json.DB_BLOCKS + target_field: salesforce.apex.db_blocks + ignore_missing: true +- rename: + field: json.DB_CPU_TIME + target_field: salesforce.apex.db_cpu_time + ignore_missing: true +- rename: + field: json.DB_TOTAL_TIME + target_field: salesforce.apex.db_total_time + ignore_missing: true +- rename: + field: json.ENTITY_NAME + target_field: salesforce.apex.entity_name + ignore_missing: true +- rename: + field: json.ENTRY_POINT + target_field: salesforce.apex.entry_point + ignore_missing: true +- rename: + field: json.EVENT_TYPE + target_field: salesforce.apex.event_type + ignore_missing: true +- rename: + field: json.IS_LONG_RUNNING_REQUEST + target_field: salesforce.apex.is_long_running_request + ignore_missing: true +- rename: + field: json.LOGIN_KEY + target_field: salesforce.apex.login_key + ignore_missing: true +- rename: + field: json.MEDIA_TYPE + target_field: salesforce.apex.media_type + ignore_missing: true +- rename: + field: json.METHOD_NAME + target_field: salesforce.apex.method_name + ignore_missing: true +- rename: + field: json.NUMBER_FIELDS + target_field: salesforce.apex.number_fields + ignore_missing: true +- rename: + field: json.NUMBER_SOQL_QUERIES + target_field: salesforce.apex.number_soql_queries + ignore_missing: true +- rename: + field: json.OFFSET + target_field: salesforce.apex.offset + ignore_missing: true +- 
rename: + field: json.ORDERBY + target_field: salesforce.apex.orderby + ignore_missing: true +- rename: + field: json.ORGANIZATION_ID + target_field: salesforce.apex.organization_id + ignore_missing: true +- rename: + field: json.QUERY + target_field: salesforce.apex.query + ignore_missing: true +- rename: + field: json.QUIDDITY + target_field: salesforce.apex.quiddity + ignore_missing: true +- rename: + field: json.REQUEST_ID + target_field: salesforce.apex.request.id + ignore_missing: true +- rename: + field: json.REQUEST_STATUS + target_field: salesforce.apex.request.status + ignore_missing: true +- rename: + field: json.ROWS + target_field: salesforce.apex.rows.total + ignore_missing: true +- rename: + field: json.ROWS_FETCHED + target_field: salesforce.apex.rows.fetched + ignore_missing: true +- rename: + field: json.ROWS_PROCESSED + target_field: salesforce.apex.rows.processed + ignore_missing: true +- rename: + field: json.RUN_TIME + target_field: salesforce.apex.run_time + ignore_missing: true +- rename: + field: json.SELECT + target_field: salesforce.apex.select + ignore_missing: true +- rename: + field: json.SUBQUERIES + target_field: salesforce.apex.subqueries + ignore_missing: true +- rename: + field: json.THROUGHPUT + target_field: salesforce.apex.throughput + ignore_missing: true +- rename: + field: json.TRIGGER_ID + target_field: salesforce.apex.trigger.id + ignore_missing: true +- rename: + field: json.TRIGGER_NAME + target_field: salesforce.apex.trigger.name + ignore_missing: true +- rename: + field: json.TRIGGER_TYPE + target_field: salesforce.apex.trigger.type + ignore_missing: true +- rename: + field: json.TYPE + target_field: salesforce.apex.type + ignore_missing: true +- rename: + field: json.URI + target_field: salesforce.apex.uri + ignore_missing: true +- rename: + field: json.URI_ID_DERIVED + target_field: salesforce.apex.uri_id_derived + ignore_missing: true +- rename: + field: json.USER_AGENT + target_field: salesforce.apex.user_agent + 
ignore_missing: true +- rename: + field: json.USER_ID_DERIVED + target_field: salesforce.apex.user_id_derived + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### + +- set: + field: event.dataset + value: "salesforce.apex" +- set: + field: event.kind + value: "event" +- set: + field: event.module + value: "salesforce" + +- set: + field: event.type + value: "connection" + if: 'ctx?.salesforce?.apex?.event_type != "ApexExecution"' + +- set: + field: event.category + value: "network" + if: 'ctx?.salesforce?.apex?.event_type != "ApexTrigger" && ctx?.salesforce?.apex?.event_type != "ApexExecution"' + +- script: + if: ctx?.salesforce?.apex?.event_type != null && ctx?.salesforce?.apex?.event_type != "" + lang: painless + source: | + def eventType = ctx?.salesforce?.apex?.event_type?.toLowerCase(); + Map referenceTable = [ + "apexcallout": "apex-callout", + "apextrigger": "apex-trigger", + "apexexecution": "apex-execution", + "apexrestApi": "apex-rest", + "apexsoap": "apex-soap", + "externalcustomapexcallout": ["apex-external-custom-callout"] + ]; + + ctx.event.action = referenceTable[eventType]; + +- rename: + field: json.TIME + target_field: event.duration + if: 'ctx?.salesforce?.apex?.event_type == "ApexCallout" && ctx?.json?.TIME != ""' +- rename: + field: json.EXEC_TIME + target_field: event.duration + if: '(ctx?.salesforce?.apex?.event_type == "ApexTrigger" || ctx?.salesforce?.apex?.event_type == "ApexExecution") && ctx?.json?.EXEC_TIME != ""' +- rename: + field: salesforce.apex.run_time + target_field: event.duration + if: '(ctx?.salesforce?.apex?.event_type == "ApexRestApi" || ctx?.salesforce?.apex?.event_type == "ApexSoap") && ctx?.salesforce?.apex?.run_time != ""' +- rename: + field: json.TOTAL_MS + target_field: event.duration + if: 'ctx?.salesforce?.apex?.event_type == "ExternalCustomApexCallout" && ctx?.json?.TOTAL_MS != ""' + +- set: + field: event.outcome + value: success + if: 'ctx?.json?.SUCCESS == "1" && 
ctx?.json?.SUCCESS != null' + ignore_failure: true +- set: + field: event.outcome + value: failure + if: 'ctx?.json?.SUCCESS != "1" && ctx?.json?.SUCCESS != null' + ignore_failure: true +- set: + field: event.outcome + value: success + if: 'ctx?.json?.STATUS == "1" && ctx?.json?.STATUS != null' + ignore_failure: true +- set: + field: event.outcome + value: failure + if: 'ctx?.json?.STATUS != "1" && ctx?.json?.STATUS != null' + ignore_failure: true + +- rename: + field: json.URL + target_field: event.url + ignore_missing: true + if: 'ctx?.salesforce?.apex?.event_type == "ApexCallout"' +- rename: + field: salesforce.apex.uri + target_field: event.url + ignore_missing: true + if: 'ctx?.salesforce?.apex?.event_type != "ApexCallout" && ctx?.salesforce?.apex?.event_type != "ExternalCustomApexCallout"' + +###################### +## ECS User Mapping ## +###################### + +- rename: + field: json.USER_ID + target_field: user.id + ignore_missing: true +- rename: + field: json.USER_TYPE + target_field: user.roles + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## + +# A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP” +- rename: + field: json.CLIENT_IP + target_field: source.ip + ignore_missing: true + if: 'ctx?.json?.CLIENT_IP != "Salesforce.com IP" && ctx?.json?.CLIENT_IP != "" && ctx?.json?.CLIENT_IP != null' + +############################ +## ECS Source.Geo Mapping ## +############################ + +# A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP” +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: 'ctx?.source?.ip != "Salesforce.com IP" && ctx?.source?.ip != "" && ctx?.source?.ip != null' + +############################ +## ECS Related.ip Mapping ## +############################ + +- append: + field: related.ip + value: "{{{source.ip}}}" + if: 
ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + +###################### +## ECS HTTP Mapping ## +###################### + +- rename: + field: json.METHOD + target_field: http.request.method + ignore_missing: true +- rename: + field: json.REQUEST_SIZE + target_field: http.request.bytes + ignore_missing: true +- rename: + field: json.RESPONSE_SIZE + target_field: http.response.bytes + ignore_missing: true +- rename: + field: json.STATUS_CODE + target_field: http.response.status_code + ignore_missing: true + +############# +## Cleanup ## +############# + +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: + - json + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/apex-rest/manifest.yml b/x-pack/filebeat/module/salesforce/apex-rest/manifest.yml new file mode 100644 index 000000000000..ef2e87fa266c --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/manifest.yml @@ -0,0 +1,12 @@ +module_version: 1.0 + +var: + - name: interval + default: 1h + - name: tags + default: [salesforce-apex-rest,forwarded] + - name: proxy_url + +ingest_pipeline: + - ingest/pipeline.yml +input: config/apex-rest.yml diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log new file mode 100644 index 000000000000..e3c5435ed7ad --- /dev/null 
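Review bot: The `event.outcome` conditions compare `ctx?.json?.SUCCESS` and `ctx?.json?.STATUS` with the string `"1"`, but the ApexCallout fixture in this commit carries `"SUCCESS":1` as a number and its expected output records `"outcome": "failure"`, so successful calls appear to be labelled as failures, which skews any detection built on failed callouts. Comparing the string form, e.g. `if: 'ctx?.json?.SUCCESS != null && ctx.json.SUCCESS.toString() == "1"'`, removes the dependence on the JSON type. In the `event.action` script the event type is lower-cased before the lookup while the table key is `"apexrestApi"`, so ApexRestApi events never receive an action. The key should be `"apexrestapi"`, and the `externalcustomapexcallout` value should be a plain string like its siblings rather than a one-element list. Values such as `json.MESSAGE`, `json.CLASS_NAME`, `json.ACTION` and `json.SESSION_KEY` are never renamed before the final `remove` of `json`, so the error text that fields.yml declares as `salesforce.apex.message` is dropped from every event.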
+++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log @@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"ApexCallout","TIMESTAMP":20211102091250.49,"REQUEST_ID":"","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","RUN_TIME":1305,"CPU_TIME":-1,"URI":"CALLOUT-LOG","SESSION_KEY":"","LOGIN_KEY":"","TYPE":"OData","METHOD":"GET","SUCCESS":1,"TIME":1293,"REQUEST_SIZE":-1,"RESPONSE_SIZE":256,"URL":"https://api-prod.guidance.sfdc.sh/odata/Accounts?%24top=1&%24filter=%28startswith%28Organization_id_dw__c%2C%2700D5j000000VI3n%27%29%29&%24select=Aov_band__c%2CCombo_sector__c%2CCsg_coverage__c%2CCsg_portfolio__c%2CId%2CIndustry%2CL1_aov_cloud1__c%2CL1_aov_cloud2__c%2CLocked_industry__c%2CLocked_sector__c%2CSfdc_sector__c%2CSfid%2CSub_sector__c%2CSupportLevel__c%2CTotal_aov__c","TIMESTAMP_DERIVED":"2021-11-02T09:12:50.488Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"10.0.1.123","URI_ID_DERIVED":""}} diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log-expected.json new file mode 100644 index 000000000000..57a4c9b45cb4 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log-expected.json 
@@ -0,0 +1,61 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "apex": { + "cpu_time": -1, + "user_id_derived": "0055j000000utlPAAQ", + "event_type": "ApexCallout", + "run_time": 1305, + "organization_id": "00D5j000000VI3n", + "type": "OData", + "uri": "CALLOUT-LOG" + } + }, + "@timestamp": "2021-11-02T09:12:50.488Z", + "related": { + "ip": [ + "10.0.1.123" + ] + }, + "http": { + "request": { + "method": "GET", + "bytes": -1 + }, + "response": { + "bytes": 256 + } + }, + "source": { + "ip": "10.0.1.123" + }, + "event": { + "duration": 1293, + "ingested": "2021-12-14T10:54:30.634665260Z", + "kind": "event", + "module": "salesforce", + "action": "apex-callout", + "type": "connection", + "category": "network", + "dataset": "salesforce.apex", + "outcome": "failure", + "url": "https://api-prod.guidance.sfdc.sh/odata/Accounts?%24top=1&%24filter=%28startswith%28Organization_id_dw__c%2C%2700D5j000000VI3n%27%29%29&%24select=Aov_band__c%2CCombo_sector__c%2CCsg_coverage__c%2CCsg_portfolio__c%2CId%2CIndustry%2CL1_aov_cloud1__c%2CL1_aov_cloud2__c%2CLocked_industry__c%2CLocked_sector__c%2CSfdc_sector__c%2CSfid%2CSub_sector__c%2CSupportLevel__c%2CTotal_aov__c" + }, + "user": { + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-14T10:54:30.63466526Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log new file mode 100644 index 000000000000..2f3a593909f4 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log 
@@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"ApexExecution","TIMESTAMP":20211102092046.004,"REQUEST_ID":"4fDkD4xoOfMXKFl1cJOo_V","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","RUN_TIME":162,"CPU_TIME":79,"URI":"","SESSION_KEY":"1f1dGk9niHxpmUQX","LOGIN_KEY":"MroEDyLplzWdOHPJ","EXEC_TIME":1,"DB_TOTAL_TIME":0,"CALLOUT_TIME":0,"NUMBER_SOQL_QUERIES":0,"ENTRY_POINT":"VF- /apex/listApexClass.apexp","QUIDDITY":"V","IS_LONG_RUNNING_REQUEST":0,"TIMESTAMP_DERIVED":"2021-11-02T09:20:46.003Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"","URI_ID_DERIVED":""}} diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log-expected.json new file mode 100644 index 000000000000..3168d8e9bf80 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log-expected.json @@ -0,0 +1,48 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "apex": { + "cpu_time": 79, + "login_key": "MroEDyLplzWdOHPJ", + "run_time": 162, + "number_soql_queries": 0, + "db_total_time": 0, + "callout_time": 0, + "uri_id_derived": "", + "user_id_derived": "0055j000000utlPAAQ", + "event_type": "ApexExecution", + "quiddity": "V", + "is_long_running_request": 0, + "organization_id": "00D5j000000VI3n", + "entry_point": "VF- /apex/listApexClass.apexp", + "request_id": "4fDkD4xoOfMXKFl1cJOo_V" + } + }, + "@timestamp": "2021-11-02T09:20:46.003Z", + "event": { + "duration": 1, + "ingested": "2021-12-09T11:48:01.881644602Z", + "kind": "event", + "module": "salesforce", + "action": "apex-execution", + "dataset": "salesforce.apex", + "url": "" + }, + "user": { + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-09T11:48:01.881644602Z" + } + } + } + ] +} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log new file mode 100644 index 000000000000..447f95fc9382 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log @@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"ExternalCustomApexCallout","TIMESTAMP":20211110101109.996,"REQUEST_ID":"TID:10799890000ce8142a","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","ENTITY":"HealthcareBlog","OFFSET":0,"LIMIT":51,"SELECT":"(ColumnSelection:[aggregation=NONE, columnName=DisplayUrl, tableName=HealthcareBlog], ColumnSelection:[aggregation=NONE, columnName=ExternalId, tableName=HealthcareBlog])","FILTER":"","ORDERBY":"(Order:[columnName=ExternalId, direction=ASCENDING, tableName=HealthcareBlog], Order:[columnName=ExternalId, direction=ASCENDING, tableName=HealthcareBlog])","STATUS":0,"TOTAL_MS":13,"EXECUTE_MS":8,"FETCH_MS":5,"ROWS":"","ROWS_FETCHED":"","THROUGHPUT":"","MESSAGE":"Unauthorized endpoint, please check Setup->Security->Remote site settings. endpoint = https://www.healthcare.gov/api/blog.json : ()","SUBQUERIES":"","ACTION":"query","TIMESTAMP_DERIVED":"2021-11-10T10:11:09.997Z"}} diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log-expected.json new file mode 100644 index 000000000000..4efd042f9c8e --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log-expected.json 
@@ -0,0 +1,46 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "apex": { + "event_type": "ExternalCustomApexCallout", + "select": "(ColumnSelection:[aggregation=NONE, columnName=DisplayUrl, tableName=HealthcareBlog], ColumnSelection:[aggregation=NONE, columnName=ExternalId, tableName=HealthcareBlog])", + "offset": 0, + "subqueries": "", + "organization_id": "00D5j000000VI3n", + "orderby": "(Order:[columnName=ExternalId, direction=ASCENDING, tableName=HealthcareBlog], Order:[columnName=ExternalId, direction=ASCENDING, tableName=HealthcareBlog])", + "throughput": "", + "rows": "", + "request_id": "TID:10799890000ce8142a", + "rows_fetched": "" + } + }, + "@timestamp": "2021-11-10T10:11:09.997Z", + "event": { + "duration": 13, + "ingested": "2021-12-09T11:47:31.534284618Z", + "kind": "event", + "module": "salesforce", + "action": "apex-external-custom-callout", + "type": "connection", + "category": "network", + "dataset": "salesforce.apex", + "outcome": "failure" + }, + "user": { + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-09T11:47:31.534284618Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log new file mode 100644 index 000000000000..886082105a7b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log 
@@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"ApexRestApi","TIMESTAMP":20211109060001.637,"REQUEST_ID":"4fMAJzbahOQk2kl1cJ0uSV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","RUN_TIME":478,"CPU_TIME":94,"URI":"/Account/","SESSION_KEY":"CkGUvyJgLVAaxyk3","LOGIN_KEY":"ieC2BVibz9GliuON","USER_TYPE":"Standard","REQUEST_STATUS":"S","DB_TOTAL_TIME":232002551,"METHOD":"POST","MEDIA_TYPE":"application/json;charset=UTF-8","STATUS_CODE":200,"USER_AGENT":5236,"ROWS_PROCESSED":"","NUMBER_FIELDS":"","DB_BLOCKS":4401,"DB_CPU_TIME":130,"REQUEST_SIZE":"","RESPONSE_SIZE":"","ENTITY_NAME":"","TIMESTAMP_DERIVED":"2021-11-09T06:00:01.635Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"43.224.11.237","URI_ID_DERIVED":""}} diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log-expected.json new file mode 100644 index 000000000000..ee429d5f4128 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log-expected.json 
@@ -0,0 +1,63 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "apex": { + "request_status": "S", + "uri_id_derived": "", + "cpu_time": 17, + "user_id_derived": "0055j000000utlPAAQ", + "login_key": "1HQDaq9tglsI4Nlo", + "event_type": "ApexSoap", + "method_name": "getContactIdAndNames", + "query": "", + "organization_id": "00D5j000000VI3n", + "db_total_time": 14928037, + "request_id": "4fMTLXm8qV3kTVl1cJNxMV" + } + }, + "@timestamp": "2021-11-09T11:48:38.534Z", + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "IN-GJ", + "city_name": "Khambhat", + "country_iso_code": "IN", + "country_name": "India", + "region_name": "Gujarat", + "location": { + "lon": 72.6256, + "lat": 22.3143 + } + }, + "ip": "43.224.11.237" + }, + "event": { + "duration": 36, + "ingested": "2021-12-09T12:02:13.050789403Z", + "kind": "event", + "module": "salesforce", + "action": "apex-soap", + "type": "connection", + "category": "network", + "dataset": "salesforce.apex", + "url": "APEXSOAP" + }, + "user": { + "roles": "Standard", + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-09T12:02:13.050789403Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log new file mode 100644 index 000000000000..639a4970de4b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log 
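Review bot: This expected document does not correspond to its input: salesforce_apex_rest.ndjson.log holds an `ApexRestApi` event (`"URI":"/Account/"`, `"RUN_TIME":478`, `"STATUS_CODE":200`), while the output here has `"event_type": "ApexSoap"`, `"url": "APEXSOAP"` and `"duration": 36`, the same content as the ApexSoap golden file later in the commit. As a result no fixture exercises the ApexRestApi path of the pipeline, and a wrong `event.action` or missing `http.*` mapping for REST calls would go unnoticed. The file should be regenerated from the ApexRestApi input. The other golden files look stale as well, since they show flat names such as `request_id` and `trgger_id` where the pipeline writes `request.id` and `trigger.id`.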
@@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"ApexSoap","TIMESTAMP":20211109114838.535,"REQUEST_ID":"4fMTLXm8qV3kTVl1cJNxMV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","RUN_TIME":36,"CPU_TIME":17,"URI":"APEXSOAP","SESSION_KEY":"roWyYYsG7pyVNmZX","LOGIN_KEY":"1HQDaq9tglsI4Nlo","USER_TYPE":"Standard","REQUEST_STATUS":"S","DB_TOTAL_TIME":14928037,"CLIENT_NAME":"","CLASS_NAME":"ContactResource","METHOD_NAME":"getContactIdAndNames","LIMIT_USAGE_PERCENT":2.67,"QUERY":"","TIMESTAMP_DERIVED":"2021-11-09T11:48:38.534Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"43.224.11.237","URI_ID_DERIVED":""}} diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log-expected.json new file mode 100644 index 000000000000..83f051a7e6e9 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log-expected.json 
@@ -0,0 +1,63 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "apex": { + "request_status": "S", + "uri_id_derived": "", + "cpu_time": 17, + "user_id_derived": "0055j000000utlPAAQ", + "login_key": "1HQDaq9tglsI4Nlo", + "event_type": "ApexSoap", + "method_name": "getContactIdAndNames", + "query": "", + "organization_id": "00D5j000000VI3n", + "db_total_time": 14928037, + "request_id": "4fMTLXm8qV3kTVl1cJNxMV" + } + }, + "@timestamp": "2021-11-09T11:48:38.534Z", + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "IN-GJ", + "city_name": "Khambhat", + "country_iso_code": "IN", + "country_name": "India", + "region_name": "Gujarat", + "location": { + "lon": 72.6256, + "lat": 22.3143 + } + }, + "ip": "43.224.11.237" + }, + "event": { + "duration": 36, + "ingested": "2021-12-09T12:01:24.401313803Z", + "kind": "event", + "module": "salesforce", + "action": "apex-soap", + "type": "connection", + "category": "network", + "dataset": "salesforce.apex", + "url": "APEXSOAP" + }, + "user": { + "roles": "Standard", + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-09T12:01:24.401313803Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log new file mode 100644 index 000000000000..9b57cf94bb95 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log 
@@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"ApexTrigger","TIMESTAMP":20211102092502.895,"REQUEST_ID":"4fDkS1iz2_p5i-l1cJOqAV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","RUN_TIME":"","CPU_TIME":3,"URI":"","SESSION_KEY":"","LOGIN_KEY":"","USER_TYPE":"","REQUEST_STATUS":"","DB_TOTAL_TIME":"","TRIGGER_ID":"01q5j000000ClvF","TRIGGER_NAME":"HelloWorldTrigger","ENTITY_NAME":"Book__c","TRIGGER_TYPE":"BeforeInsert","EXEC_TIME":4,"TIMESTAMP_DERIVED":"2021-11-02T09:25:02.894Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"","URI_ID_DERIVED":""}} diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log-expected.json new file mode 100644 index 000000000000..1b1a5b485182 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log-expected.json @@ -0,0 +1,50 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "apex": { + "request_status": "", + "cpu_time": 3, + "login_key": "", + "run_time": "", + "entity_name": "Book__c", + "trigger_type": "BeforeInsert", + "db_total_time": "", + "uri_id_derived": "", + "trigger_name": "HelloWorldTrigger", + "user_id_derived": "0055j000000utlPAAQ", + "event_type": "ApexTrigger", + "organization_id": "00D5j000000VI3n", + "request_id": "4fDkS1iz2_p5i-l1cJOqAV", + "trgger_id": "01q5j000000ClvF" + } + }, + "@timestamp": "2021-11-02T09:25:02.894Z", + "event": { + "duration": 4, + "ingested": "2021-12-09T11:55:32.584460538Z", + "kind": "event", + "module": "salesforce", + "action": "apex-trigger", + "type": "connection", + "dataset": "salesforce.apex", + "url": "" + }, + "user": { + "roles": "", + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-09T11:55:32.584460538Z" + } + } + } + ] +} \ No newline at end of file 
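Review bot: `"trgger_id"` in the expected `apex` object is a misspelling of `trigger_id`, and a golden file locks the misspelled name into what the test accepts. The apex-rest pipeline and its fields.yml are outside this part of the diff, so the rename target there is presumably `salesforce.apex.trgger_id` as well. It should be corrected at the source and this line regenerated as `"trigger_id": "01q5j000000ClvF"`, otherwise queries written against the documented field name will silently miss these events.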
diff --git a/x-pack/filebeat/module/salesforce/fields.go b/x-pack/filebeat/module/salesforce/fields.go new file mode 100644 index 000000000000..daa58892fcc3 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package salesforce + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "salesforce", asset.ModuleFieldsPri, AssetSalesforce); err != nil { + panic(err) + } +} + +// AssetSalesforce returns asset data. +// This is the base64 encoded zlib format compressed contents of module/salesforce. +func AssetSalesforce() string { + return "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" +} diff --git a/x-pack/filebeat/module/salesforce/login-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/login-rest/_meta/fields.yml new file mode 100644 index 000000000000..afbfae384e22 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-rest/_meta/fields.yml 
@@ -0,0 +1,62 @@ +- name: salesforce.login + type: group + release: beta + description: > + Fileset for ingesting Salesforce Login (REST) logs. + fields: + - name: api_type + type: keyword + description: > + The type of API request. + - name: api_version + type: keyword + description: > + The version of the API that’s being used. + - name: login_key + type: keyword + description: > + The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. + - name: authentication_method_reference + type: keyword + description: > + The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later. + - name: client_ip + type: keyword + description: > + The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. + - name: cpu_time + type: keyword + description: > + The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. + - name: db_total_time + type: keyword + description: > + The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. + - name: event_type + type: keyword + description: > + The type of event. The value is always Login. + - name: organization_id + type: keyword + description: > + The 15-character ID of the organization. + - name: request_id + type: keyword + description: > + The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. 
+ - name: request_status + type: keyword + description: > + The status of the request for a page view or user interface action. + - name: run_time + type: keyword + description: > + The amount of time that the request took in milliseconds. + - name: uri_id_derived + type: keyword + description: > + The 18-character case insensitive ID of the URI of the page that’s receiving the request. + - name: user_id_derived + type: keyword + description: > + The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/login-rest/config/login-rest.yml b/x-pack/filebeat/module/salesforce/login-rest/config/login-rest.yml new file mode 100644 index 000000000000..5baf6df9fe32 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-rest/config/login-rest.yml 
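Review bot: `cpu_time`, `db_total_time` and `run_time` are declared `type: keyword`, but the login-rest fixture in this commit ingests them as numbers (54, 37142518, 94). With a keyword mapping, range filters and numeric aggregations on login latency do not work and sorting is lexical. I would declare them `type: long`; the same applies to `evaluation_time` in the login-stream fields.yml. `client_ip` staying `keyword` looks deliberate, since the description says it can hold the literal "Salesforce.com IP", and a short comment saying so would help.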
@@ -0,0 +1,46 @@ +type: httpjson + +interval: {{ .interval }} +request.method: GET +auth.oauth2: + enabled: true + client.id: {{ .client_id }} + client.secret: {{ .client_secret }} + token_url: {{ .token_url }} + user: {{ .user }} + password: {{ .password }} +# Query params will be overwritten by request.transforms from start of the input and +# it is to indicate that this url is for Login type of events as cursor stores the url as source. +# Each filebeat input cursor source needs to be uniquely identified with a name. +request.url: {{ .url }}/services/data/v52.0/query?q=login+rest +{{ if .proxy_url }} +request.proxy_url: {{ .proxy_url }} +{{ end }} +request.transforms: + - set: + target: url.params.q + value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Login' AND CreatedDate > [[.cursor.last_published_login]] ORDER BY CreatedDate ASC NULLS FIRST" + default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Login' ORDER BY CreatedDate ASC NULLS FIRST" +response.split: + target: body.records +chain: + - step: + request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/records.#.Id/LogFile + request.method: GET + replace: records.#.Id +cursor: + last_published_login: + value: '[[.last_event.CreatedDate]]' + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: "json" + - add_fields: + target: '' + fields: + ecs.version: 1.12.0 + - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/login-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/login-rest/ingest/pipeline.yml new file mode 100644 index 000000000000..2f2de778a0fc --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-rest/ingest/pipeline.yml 
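Review bot: The credential values under `auth.oauth2` are substituted into the YAML unquoted (`client.secret: {{ .client_secret }}`, `password: {{ .password }}`), so the rendered text is re-parsed with YAML rules. A password containing ` #` is cut at the comment marker, one containing `: ` or starting with `@`, `*`, `&`, `!`, `{` or `[` fails to parse or changes type, and an all-digit value becomes an integer. The template already uses `tojson` for `tags`; the same helper gives a safely quoted scalar here: `client.secret: {{ .client_secret | tojson }}` and `password: {{ .password | tojson }}`, likewise for `client.id`, `user` and `token_url`. The login-stream config later in this commit has the same five lines and needs the same change.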
@@ -0,0 +1,224 @@ +--- +description: Pipeline for parsing Salesforce Login (REST) logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + ignore_missing: true + +- set: + field: salesforce.access_mode + value: rest + ignore_failure: true + +- date: + field: json.TIMESTAMP_DERIVED + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true + +- rename: + field: json.API_TYPE + target_field: salesforce.login.api_type + ignore_missing: true +- rename: + field: json.AUTHENTICATION_METHOD_REFERENCE + target_field: salesforce.login.authentication_method_reference + ignore_missing: true +- rename: + field: json.REQUEST_STATUS + target_field: salesforce.login.request_status + ignore_missing: true +- rename: + field: json.API_VERSION + target_field: salesforce.login.api_version + ignore_missing: true +- rename: + field: json.USER_ID_DERIVED + target_field: salesforce.login.user_id_derived + ignore_missing: true +- rename: + field: json.LOGIN_KEY + target_field: salesforce.login.login_key + ignore_missing: true +- rename: + field: json.EVENT_TYPE + target_field: salesforce.login.event_type + ignore_missing: true +- rename: + field: json.REQUEST_ID + target_field: salesforce.login.request_id + ignore_missing: true +- rename: + field: json.ORGANIZATION_ID + target_field: salesforce.login.organization_id + ignore_missing: true +- rename: + field: json.RUN_TIME + target_field: salesforce.login.run_time + ignore_missing: true +- rename: + field: json.CPU_TIME + target_field: salesforce.login.cpu_time + ignore_missing: true +- rename: + field: json.DB_TOTAL_TIME + target_field: salesforce.login.db_total_time + ignore_missing: true +- rename: + field: json.CLIENT_IP + target_field: salesforce.login.client_ip + ignore_missing: true +- rename: + field: json.URI_ID_DERIVED + target_field: salesforce.login.uri_id_derived + ignore_missing: true + +####################### +## ECS Event Mapping ## 
+####################### + +- rename: + field: json.URI + target_field: event.url + ignore_missing: true +- set: + field: event.outcome + value: success + if: 'ctx?.json?.LOGIN_STATUS == "LOGIN_NO_ERROR" && ctx?.json?.LOGIN_STATUS != null' + ignore_failure: true +- set: + field: event.outcome + value: failure + if: 'ctx?.json?.LOGIN_STATUS != "LOGIN_NO_ERROR" && ctx?.json?.LOGIN_STATUS != null' + ignore_failure: true +- set: + field: event.type + value: "info" +- set: + field: event.kind + value: "event" +- set: + field: event.action + value: "login-attempt" +- set: + field: event.category + value: "authentication" +- set: + field: event.dataset + value: "salesforce.login" +- set: + field: event.module + value: "salesforce" + +###################### +## ECS User Mapping ## +###################### + +# As per the following article, the username must be in the format of an email address. +# Reference: https://help.salesforce.com/s/articleView?language=en_US&type=5&id=sf.basics_intro_usernames_passwords.htm +- rename: + field: json.USER_NAME + target_field: user.email + ignore_missing: true +- rename: + field: json.USER_ID + target_field: user.id + ignore_missing: true +- rename: + field: json.USER_TYPE + target_field: user.roles + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## + +- rename: + field: json.SOURCE_IP + target_field: source.ip + ignore_missing: true + if: 'ctx?.json?.SOURCE_IP != "Salesforce.com IP"' + +############################ +## ECS Source.Geo Mapping ## +############################ + +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + +############################ +## ECS Related.ip Mapping ## +############################ + +- append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + +- append: + field: related.ip + value: "{{{salesforce.login.client_ip}}}" + if: 
'ctx?.salesforce?.login?.client_ip != "Salesforce.com IP" && ctx?.salesforce?.login?.client_ip != null' + allow_duplicates: false + ignore_failure: true + +############################ +## ECS User Agent Mapping ## +############################ + +- rename: + field: json.BROWSER_TYPE + target_field: user_agent.name + ignore_missing: true + +##################### +## ECS TLS Mapping ## +##################### + +- rename: + field: json.CIPHER_SUITE + target_field: tls.cipher + ignore_missing: true +- dissect: + pattern: "%{tls.version_protocol}v%{tls.version}" + field: "json.TLS_PROTOCOL" + ignore_failure: true + +############# +## Cleanup ## +############# + +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: + - json + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/login-rest/manifest.yml b/x-pack/filebeat/module/salesforce/login-rest/manifest.yml new file mode 100644 index 000000000000..79a31376bc75 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-rest/manifest.yml @@ -0,0 +1,12 @@ +module_version: 1.0 + +var: + - name: interval + default: 1h + - name: tags + default: [salesforce-login-rest, forwarded] + - name: proxy_url + +ingest_pipeline: + - ingest/pipeline.yml +input: config/login-rest.yml 
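Review bot: Two renames in this pipeline target ECS fields whose meaning differs from the data. `json.BROWSER_TYPE` holds the full User-Agent string (the fixture shows `Mozilla/5.0 (Windows NT 10.0; …`), which ECS puts in `user_agent.original`, with `user_agent.name` reserved for the parsed browser name; and `json.URI` is the request path, while `event.url` is defined as a link to an external system for investigating the event. I would use `target_field: user_agent.original` and `target_field: url.path`, and optionally add a `user_agent` processor to derive the parsed fields. As written, detections and dashboards keyed on the standard fields will not see these login events.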
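Review bot: The manifest declares only `interval`, `tags` and `proxy_url`, while config/login-rest.yml also reads `client_id`, `client_secret`, `token_url`, `user`, `password` and `url`. Go's text/template renders a missing key as the literal `<no value>`, so unless the module loader fills undeclared vars from elsewhere, a user who omits one of these would get an input that authenticates with `<no value>` instead of a clear configuration error. Declaring them here gives each an empty default; the login-stream manifest later in this commit declares only `tags` and has the same gap.

```yaml
var:
  # … unchanged: interval, tags, proxy_url …
  - name: client_id
  - name: client_secret
  - name: token_url
  - name: user
  - name: password
  - name: url
```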
diff --git a/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log b/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log
new file mode 100644
index 000000000000..1cebbd89e2a0
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log
@@ -0,0 +1 @@
+{"json":{"EVENT_TYPE":"Login","TIMESTAMP":20211019044204.258,"REQUEST_ID":"4exJslfc21z80-l1cJOnxV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","RUN_TIME":94,"CPU_TIME":54,"URI":"/index.jsp","SESSION_KEY":"","LOGIN_KEY":"iQzw40l45YkJUNKj","USER_TYPE":"Standard","REQUEST_STATUS":"","DB_TOTAL_TIME":37142518,"BROWSER_TYPE":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","API_TYPE":"","API_VERSION":9998,"USER_NAME":"kush.rana@elastic.co","TLS_PROTOCOL":"TLSv1.2","CIPHER_SUITE":"ECDHE-RSA-AES256-GCM-SHA384","AUTHENTICATION_METHOD_REFERENCE":"","TIMESTAMP_DERIVED":"2021-10-19T04:42:04.256Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"43.224.11.237","URI_ID_DERIVED":"","LOGIN_STATUS":"LOGIN_NO_ERROR","SOURCE_IP":"43.224.11.237"}}
diff --git a/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log-expected.json
new file mode 100644
index 000000000000..548cc1e9ced9
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log-expected.json
@@ -0,0 +1,76 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "login": { + "cpu_time": 54, + "user_id_derived": "0055j000000utlPAAQ", + "login_key": "iQzw40l45YkJUNKj", + "event_type": "Login", + "run_time": 94, + "organization_id": "00D5j000000VI3n", + "client_ip": "43.224.11.237", + "db_total_time": 37142518, + "api_version": 9998, + "request_id": "4exJslfc21z80-l1cJOnxV" + }, + "access_mode": "rest" + }, + "@timestamp": "2021-10-19T04:42:04.256Z", + "related": { + "ip": [ + "43.224.11.237" + ] + }, + "tls": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "version": "1.2", + "version_protocol": "TLS" + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "IN-GJ", + "city_name": "Khambhat", + "country_iso_code": "IN", + "country_name": "India", + "region_name": "Gujarat", + "location": { + "lon": 72.6256, + "lat": 22.3143 + } + }, + "ip": "43.224.11.237" + }, + "event": { + "ingested": "2021-12-14T10:17:15.769277803Z", + "kind": "event", + "module": "salesforce", + "action": "login-attempt", + "type": "info", + "category": "authentication", + "dataset": "salesforce.login", + "url": "/index.jsp", + "outcome": "success" + }, + "user": { + "email": "kush.rana@elastic.co", + "roles": "Standard", + "id": "0055j000000utlP" + }, + "user_agent": { + "name": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" + } + }, + "_ingest": { + "timestamp": "2021-12-14T10:17:15.769277803Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/login-stream/_meta/fields.yml b/x-pack/filebeat/module/salesforce/login-stream/_meta/fields.yml new file mode 100644 index 000000000000..9d807a7bf778 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-stream/_meta/fields.yml 
@@ -0,0 +1,58 @@ +- name: salesforce.login + type: group + release: beta + description: > + Fileset for ingesting Salesforce Login (Streaming) logs. + fields: + - name: application + type: keyword + description: > + The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A + - name: auth_method_reference + type: keyword + description: > + The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. + - name: auth_service_id + type: keyword + description: > + The 18-character ID for an authentication service for a login event. + - name: client_version + type: keyword + description: > + The version number of the login client. If no version number is available, “Unknown” is returned. + - name: created_by_id + type: keyword + description: > + Unavailable + - name: evaluation_time + type: keyword + description: > + The amount of time it took to evaluate the transaction security policy, in milliseconds. + - name: login_geo_id + type: keyword + description: > + The Salesforce ID of the LoginGeo object associated with the login user’s IP address. + - name: login_history_id + type: keyword + description: > + Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication. + - name: login_type + type: keyword + description: > + The type of login used to access the session. + - name: policy_id + type: keyword + description: > + The ID of the transaction security policy associated with this event. + - name: policy_outcome + type: keyword + description: > + The result of the transaction policy. 
+ - name: related_event_identifier + type: keyword + description: > + This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. + - name: session_level + type: keyword + description: > + Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/login-stream/config/login-stream.yml b/x-pack/filebeat/module/salesforce/login-stream/config/login-stream.yml new file mode 100644 index 000000000000..d7f8c02963c7 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-stream/config/login-stream.yml @@ -0,0 +1,22 @@ +type: cometd + +channel_name: /event/LoginEventStream +auth.oauth2: + client.id: {{ .client_id }} + client.secret: {{ .client_secret }} + token_url: {{ .token_url }} + user: {{ .user }} + password: {{ .password }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: "json" + - add_fields: + target: '' + fields: + ecs.version: 1.12.0 + - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/login-stream/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/login-stream/ingest/pipeline.yml new file mode 100644 index 000000000000..a24e65d1a212 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-stream/ingest/pipeline.yml 
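Review bot: This field list does not cover everything the login-stream pipeline writes under `salesforce.login`. The pipeline later in this commit renames `json.schema` to `salesforce.login.schema` and `json.replayId` to `salesforce.login.replay_id`, and neither name is declared here or in the login-rest fields.yml, so they would be left to dynamic mapping and stay undocumented. I would add both as `keyword` entries with a one-line description each. The `created_by_id` description, currently just "Unavailable", would be clearer if it said what the id refers to.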
@@ -0,0 +1,278 @@ +--- +description: Pipeline for parsing Salesforce Login (Streaming) logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + ignore_missing: true + +- set: + field: salesforce.access_mode + value: stream + ignore_failure: true + +- date: + field: json.EventDate + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true +- rename: + field: json.schema + target_field: salesforce.login.schema + ignore_missing: true +- rename: + field: json.ApiType + target_field: salesforce.login.api_type + ignore_missing: true +- rename: + field: json.AuthMethodReference + target_field: salesforce.login.auth_method_reference + ignore_missing: true +- rename: + field: json.LoginType + target_field: salesforce.login.login_type + ignore_missing: true +- rename: + field: json.PolicyOutcome + target_field: salesforce.login.policy_outcome + ignore_missing: true +- rename: + field: json.AuthServiceId + target_field: salesforce.login.auth_service_id + ignore_missing: true +- rename: + field: json.EvaluationTime + target_field: salesforce.login.evaluation_time + ignore_missing: true +- rename: + field: json.ClientVersion + target_field: salesforce.login.client_version + ignore_missing: true +- rename: + field: json.LoginGeoId + target_field: salesforce.login.login_geo_id + ignore_missing: true +- rename: + field: json.LoginHistoryId + target_field: salesforce.login.login_history_id + ignore_missing: true +- rename: + field: json.CreatedById + target_field: salesforce.login.created_by_id + ignore_missing: true +- rename: + field: json.ApiVersion + target_field: salesforce.login.api_version + ignore_missing: true +- rename: + field: json.RelatedEventIdentifier + target_field: salesforce.login.related_event_identifier + ignore_missing: true +- rename: + field: json.LoginKey + target_field: salesforce.login.login_key + ignore_missing: true +- rename: + field: json.Application + target_field: 
salesforce.login.application + ignore_missing: true +- rename: + field: json.PolicyId + target_field: salesforce.login.policy_id + ignore_missing: true +- rename: + field: json.SessionLevel + target_field: salesforce.login.session_level + ignore_missing: true +- rename: + field: json.replayId + target_field: salesforce.login.replay_id + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### + +- set: + field: event.outcome + value: success + if: 'ctx?.json?.Status == "Success" && ctx?.json?.Status != null' + ignore_failure: true +- set: + field: event.outcome + value: failure + if: 'ctx?.json?.Status != "Success" && ctx?.json?.Status != null' + ignore_failure: true +- date: + field: json.CreatedDate + target_field: event.created + formats: + - ISO8601 + ignore_failure: true +- rename: + field: json.LoginUrl + target_field: event.url + ignore_missing: true +- set: + field: event.type + value: "info" +- set: + field: event.kind + value: "event" +- set: + field: event.action + value: "login-attempt" +- set: + field: event.category + value: "authentication" +- set: + field: event.dataset + value: "salesforce.login" +- set: + field: event.module + value: "salesforce" + +###################### +## ECS User Mapping ## +###################### + +# As per the following article, the username must be in the format of an email address. 
+# Reference: https://help.salesforce.com/s/articleView?language=en_US&type=5&id=sf.basics_intro_usernames_passwords.htm +- rename: + field: json.Username + target_field: user.email + ignore_missing: true +- rename: + field: json.UserId + target_field: user.id + ignore_missing: true +- rename: + field: json.UserType + target_field: user.roles + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## + +- rename: + field: json.SourceIp + target_field: source.ip + ignore_missing: true + +############################ +## ECS Related.ip Mapping ## +############################ + +- append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + +############################ +## ECS Source.Geo Mapping ## +############################ + +- rename: + field: json.LoginLatitude + target_field: source.geo.location.lat + ignore_missing: true +- rename: + field: json.LoginLongitude + target_field: source.geo.location.lon + ignore_missing: true +- rename: + field: json.CountryIso + target_field: source.geo.country_iso_code + ignore_missing: true +- rename: + field: json.PostalCode + target_field: source.geo.postal_code + ignore_missing: true +- rename: + field: json.City + target_field: source.geo.city_name + ignore_missing: true +- rename: + field: json.Subdivision + target_field: source.geo.region_name + ignore_missing: true +- rename: + field: json.Country + target_field: source.geo.country_name + ignore_missing: true + +############################ +## ECS User Agent Mapping ## +############################ + +- rename: + field: json.Browser + target_field: user_agent.name + ignore_missing: true +- rename: + field: json.Platform + target_field: user_agent.os.platform + ignore_missing: true + +###################### +## ECS HTTP Mapping ## +###################### + +- rename: + field: json.HttpMethod + target_field: http.request.method + ignore_missing: true 
+- rename: + field: json.AdditionalInfo + target_field: http.request.body.content + ignore_missing: true + +##################### +## ECS TLS Mapping ## +##################### + +- rename: + field: json.CipherSuite + target_field: tls.cipher + ignore_missing: true +- dissect: + pattern: "%{tls.version_protocol} %{tls.version}" + field: "json.TlsProtocol" + ignore_failure: true + +############# +## Cleanup ## +############# + +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: + - json + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/login-stream/manifest.yml b/x-pack/filebeat/module/salesforce/login-stream/manifest.yml new file mode 100644 index 000000000000..643d587224c8 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-stream/manifest.yml @@ -0,0 +1,9 @@ +module_version: 1.0 + +var: + - name: tags + default: [salesforce-login-stream, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml +input: config/login-stream.yml diff --git a/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log b/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log new file mode 100644 index 000000000000..2cb3cf1d5b8e --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log 
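Review bot: `json.EventIdentifier` is never mapped, so the final `remove` of `json` discards it; the fixture input carries an `EventIdentifier` and the expected document does not. The fields.yml in this commit says `related_event_identifier` is meant to be matched against `EventIdentifier` to tie a login to its follow-up authentication events, and that correlation is impossible once the identifier is gone. Mapping it to `event.id` next to the other renames keeps it. Separately, `json.AdditionalInfo` going to `http.request.body.content` looks like a mismatch, since the sample value `{}` is presumably event metadata rather than a request body.

```yaml
# … unchanged: rename processors for json.RelatedEventIdentifier and the other salesforce.login fields …
- rename:
    field: json.EventIdentifier
    target_field: event.id
    ignore_missing: true
```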
@@ -0,0 +1 @@
+{"json":{"EventDate":"2021-10-19T11:47:22Z","AuthServiceId":null,"CountryIso":"IN","Platform":"Unknown","EvaluationTime":0,"CipherSuite":"ECDHE-RSA-AES256-GCM-SHA384","PostalCode":"395007","ClientVersion":"N/A","LoginGeoId":"04F5j00000FadrI","LoginUrl":"login.salesforce.com","LoginHistoryId":"0Ya5j00000GLxCdCAL","CreatedById":"0055j000000q9s7AAA","SessionKey":null,"ApiType":"N/A","AuthMethodReference":null,"LoginType":"Remote Access 2.0","PolicyOutcome":null,"Status":"Success","AdditionalInfo":"{}","ApiVersion":"N/A","EventIdentifier":"06af6d92-1167-467d-a826-ee8583f7134d","RelatedEventIdentifier":null,"LoginLatitude":21.1888,"City":"Surat","Subdivision":"Gujarat","SourceIp":"123.201.231.106","Username":"kush.rana@elastic.co","UserId":"0055j000000utlPAAQ","CreatedDate":"2021-10-19T11:47:30Z","Country":"India","LoginLongitude":72.8293,"TlsProtocol":"TLS 1.2","LoginKey":"o3vhFaSRBb0OzpCl","Application":"elastic integration","UserType":"Standard","PolicyId":null,"HttpMethod":"POST","SessionLevel":"STANDARD","Browser":"Unknown"}}
diff --git a/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log-expected.json
new file mode 100644
index 000000000000..8d1e5049b724
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log-expected.json
@@ -0,0 +1,88 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "login": { + "session_level": "STANDARD", + "login_key": "o3vhFaSRBb0OzpCl", + "evaluation_time": 0, + "application": "elastic integration", + "login_type": "Remote Access 2.0", + "api_type": "N/A", + "login_history_id": "0Ya5j00000GLxCdCAL", + "created_by_id": "0055j000000q9s7AAA", + "api_version": "N/A", + "client_version": "N/A", + "login_geo_id": "04F5j00000FadrI" + }, + "access_mode": "stream" + }, + "@timestamp": "2021-10-19T11:47:22.000Z", + "related": { + "ip": [ + "123.201.231.106" + ] + }, + "http": { + "request": { + "method": "POST", + "body": { + "content": "{}" + } + } + }, + "tls": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "version": "1.2", + "version_protocol": "TLS" + }, + "source": { + "geo": { + "country_name": "India", + "city_name": "Surat", + "location": { + "lon": 72.8293, + "lat": 21.1888 + }, + "region_name": "Gujarat", + "country_iso_code": "IN", + "postal_code": "395007" + }, + "ip": "123.201.231.106" + }, + "event": { + "ingested": "2021-12-14T10:22:39.935387334Z", + "created": "2021-10-19T11:47:30.000Z", + "kind": "event", + "module": "salesforce", + "action": "login-attempt", + "type": "info", + "category": "authentication", + "dataset": "salesforce.login", + "outcome": "success", + "url": "login.salesforce.com" + }, + "user": { + "email": "kush.rana@elastic.co", + "roles": "Standard", + "id": "0055j000000utlPAAQ" + }, + "user_agent": { + "os": { + "platform": "Unknown" + }, + "name": "Unknown" + } + }, + "_ingest": { + "timestamp": "2021-12-14T10:22:39.935387334Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/logout-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/logout-rest/_meta/fields.yml new file mode 100644 index 000000000000..7ec7dcfc683c --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-rest/_meta/fields.yml 
@@ -0,0 +1,62 @@ +- name: salesforce.logout + type: group + release: beta + description: > + Fileset for parsing Salesforce Logout (REST) logs. + fields: + - name: session_level + type: keyword + description: > + Indicates the session-level security of the session that the user is logging out of for this event. Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD + - name: login_key + type: keyword + description: > + The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. + - name: api_type + type: keyword + description: > + The type of API request. + - name: api_version + type: keyword + description: > + The version of the API that’s being used. + - name: app_type + type: keyword + description: > + The application type that was in use upon logging out. + - name: browser_type + type: keyword + description: > + The identifier string returned by the browser used at login. + - name: client_version + type: keyword + description: > + The version of the client that was in use upon logging out. + - name: event_type + type: keyword + description: > + The type of event. The value is always Logout. + - name: organization_by_id + type: keyword + description: > + The 15-character ID of the organization. + - name: platform_type + type: keyword + description: > + The code for the client platform. If a timeout caused the logout, this field is null. + - name: resolution_type + type: keyword + description: > + The screen resolution of the client. If a timeout caused the logout, this field is null. + - name: session_type + type: keyword + description: > + The session type that was used when logging out. + - name: user_id_derived + type: keyword + description: > + The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API. 
+ - name: user_initiated_logout + type: keyword + description: > + The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0. \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/logout-rest/config/logout-rest.yml b/x-pack/filebeat/module/salesforce/logout-rest/config/logout-rest.yml new file mode 100644 index 000000000000..2690da0a3c20 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-rest/config/logout-rest.yml 
@@ -0,0 +1,46 @@ +type: httpjson + +interval: {{ .interval }} +request.method: GET +auth.oauth2: + enabled: true + client.id: {{ .client_id }} + client.secret: {{ .client_secret }} + token_url: {{ .token_url }} + user: {{ .user }} + password: {{ .password }} +# Query params will be overwritten by request.transforms from start of the input and +# it is to indicate that this url is for Logout type of events as cursor stores the url as source. +# Each filebeat input cursor source needs to be uniquely identified with a name. +request.url: {{ .url }}/services/data/v52.0/query?q=logout+rest +{{ if .proxy_url }} +request.proxy_url: {{ .proxy_url }} +{{ end }} +request.transforms: + - set: + target: url.params.q + value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' AND CreatedDate > [[.cursor.last_published_logout]] ORDER BY CreatedDate ASC NULLS FIRST" + default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' ORDER BY CreatedDate ASC NULLS FIRST" +response.split: + target: body.records +chain: + - step: + request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/records.#.Id/LogFile + request.method: GET + replace: records.#.Id +cursor: + last_published_logout: + value: '[[.last_event.CreatedDate]]' + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: "json" + - add_fields: + target: '' + fields: + ecs.version: 1.12.0 + - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/logout-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/logout-rest/ingest/pipeline.yml new file mode 100644 index 000000000000..8222f65372a2 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-rest/ingest/pipeline.yml 
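Review bot: The OAuth credentials under `auth.oauth2` are rendered into the YAML as bare scalars (`client.secret: {{ .client_secret }}`, `password: {{ .password }}`), so a secret containing ` #` or `: `, or starting with `@`, `*`, `&`, `!` or a quote, is truncated or re-typed by the YAML parser after templating. The likely symptom is an authentication failure that is hard to diagnose, because the value sent is not the one the operator configured. The hunk already uses `tojson` for `tags`; assuming that helper accepts strings, `password: {{ .password | tojson }}` and the same for `client.id`, `client.secret`, `user` and `token_url` would keep the value intact. The same lines appear in `logout-stream.yml` and `setupaudittrail-rest.yml` later in this diff.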
@@ -0,0 +1,180 @@ +--- +description: Pipeline for parsing Salesforce Logout (REST) logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + ignore_missing: true + +- set: + field: salesforce.access_mode + value: rest + ignore_failure: true + +- date: + field: json.TIMESTAMP_DERIVED + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true + +- rename: + field: json.SESSION_TYPE + target_field: salesforce.logout.session_type + ignore_missing: true +- rename: + field: json.EVENT_TYPE + target_field: salesforce.logout.event_type + ignore_missing: true +- rename: + field: json.SESSION_LEVEL + target_field: salesforce.logout.session_level + ignore_missing: true +- rename: + field: json.BROWSER_TYPE + target_field: salesforce.logout.browser_type + ignore_missing: true +- rename: + field: json.PLATFORM_TYPE + target_field: salesforce.logout.platform_type + ignore_missing: true +- rename: + field: json.RESOLUTION_TYPE + target_field: salesforce.logout.resolution_type + ignore_missing: true +- rename: + field: json.APP_TYPE + target_field: salesforce.logout.app_type + ignore_missing: true +- rename: + field: json.CLIENT_VERSION + target_field: salesforce.logout.client_version + ignore_missing: true +- rename: + field: json.API_TYPE + target_field: salesforce.logout.api_type + ignore_missing: true +- rename: + field: json.API_VERSION + target_field: salesforce.logout.api_version + ignore_missing: true +- rename: + field: json.USER_INITIATED_LOGOUT + target_field: salesforce.logout.user_initiated_logout + ignore_missing: true +- rename: + field: json.LOGIN_KEY + target_field: salesforce.logout.login_key + ignore_missing: true +- rename: + field: json.USER_ID_DERIVED + target_field: salesforce.logout.user_id_derived + ignore_missing: true +- rename: + field: json.ORGANIZATION_ID + target_field: salesforce.logout.organization_by_id + ignore_missing: true + +####################### +## ECS Event Mapping 
## +####################### + +- set: + field: event.type + value: "info" +- set: + field: event.kind + value: "event" +- set: + field: event.action + value: "logout" +- set: + field: event.category + value: "authentication" +- set: + field: event.dataset + value: "salesforce.logout" +- set: + field: event.module + value: "salesforce" +- rename: + field: json.REQUEST_ID + target_field: event.code + ignore_missing: true + +###################### +## ECS User Mapping ## +###################### + +- rename: + field: json.USER_TYPE + target_field: user.roles + ignore_missing: true +- rename: + field: json.USER_ID + target_field: user.id + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## + +# A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP” +- rename: + field: json.CLIENT_IP + target_field: source.ip + ignore_missing: true + if: 'ctx?.json?.CLIENT_IP != "Salesforce.com IP" && ctx?.json?.CLIENT_IP != ""' + +############################ +## ECS Source.Geo Mapping ## +############################ + +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + +############################ +## ECS Related.ip Mapping ## +############################ + +- append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + +############# +## Cleanup ## +############# + +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + 
dropEmptyFields(ctx); +- remove: + field: + - json + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/logout-rest/manifest.yml b/x-pack/filebeat/module/salesforce/logout-rest/manifest.yml new file mode 100644 index 000000000000..d3d740e67d7f --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-rest/manifest.yml @@ -0,0 +1,11 @@ +module_version: 1.0 + +var: + - name: interval + default: 1h + - name: tags + default: [salesforce-logout-rest, forwarded] + - name: proxy_url + +ingest_pipeline: ingest/pipeline.yml +input: config/logout-rest.yml diff --git a/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log b/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log new file mode 100644 index 000000000000..ff94a1ce68ee --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log @@ -0,0 +1 @@ +{"json":{"EVENT_TYPE":"Logout","TIMESTAMP":20211019050707.13,"REQUEST_ID":"4exLFFQZNa5xxFl1cJNwOV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","USER_TYPE":"Standard(db=S,api=Standard)","SESSION_TYPE":"UI","SESSION_LEVEL":"STANDARD(db=1,api=STANDARD)","BROWSER_TYPE":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","PLATFORM_TYPE":1015,"RESOLUTION_TYPE":9999,"APP_TYPE":1000,"CLIENT_VERSION":9998,"API_TYPE":"","API_VERSION":"","USER_INITIATED_LOGOUT":1,"SESSION_KEY":"/b1/CZnHg6WXplkT","LOGIN_KEY":"OKyrFuSUIZVr9YzF","TIMESTAMP_DERIVED":"2021-10-19T05:07:07.128Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"123.201.231.42"}} diff --git a/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log-expected.json new file mode 100644 index 000000000000..820005ace1f7 --- /dev/null 
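Review bot: `event.type` is set to `"info"` for every logout in the ECS Event Mapping section, while ECS pairs `event.category: authentication` with `start`, `end` or `info`, and a logout is the end of a session. Detections and dashboards that pair logon and logoff on `event.type: end` would not see these events. I would change the value to `value: "end"` here and in the logout-stream pipeline later in this diff, and update the expected JSON accordingly. Separately, the `on_failure` handler records only `error.message`; also setting `event.kind` to `pipeline_error` there would make parse failures searchable.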
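Review bot: The `var` list in this manifest declares only `interval`, `tags` and `proxy_url`, but `config/logout-rest.yml` in this diff also reads `.client_id`, `.client_secret`, `.token_url`, `.user`, `.password` and `.url`. Unless those are supplied by a path not visible here, an operator who omits one gets no default and no hint from the manifest, and the template may render a placeholder into `auth.oauth2` or `request.url`. I would declare them, e.g. `- name: client_id`, `- name: client_secret`, `- name: url`, so the required inputs are discoverable. The logout-stream and setupaudittrail-rest manifests later in the diff have the same gap.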
+++ b/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log-expected.json @@ -0,0 +1,68 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "logout": { + "session_level": "STANDARD(db=1,api=STANDARD)", + "organization_by_id": "00D5j000000VI3n", + "resolution_type": 9999, + "user_id_derived": "0055j000000utlPAAQ", + "app_type": 1000, + "login_key": "OKyrFuSUIZVr9YzF", + "event_type": "Logout", + "platform_type": 1015, + "browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36", + "session_type": "UI", + "client_version": 9998, + "user_initiated_logout": 1 + } + }, + "@timestamp": "2021-10-19T05:07:07.128Z", + "related": { + "ip": [ + "123.201.231.42" + ] + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "IN-GJ", + "city_name": "Navsari", + "country_iso_code": "IN", + "country_name": "India", + "region_name": "Gujarat", + "location": { + "lon": 72.9257, + "lat": 20.9468 + } + }, + "ip": "123.201.231.42" + }, + "event": { + "ingested": "2021-12-14T10:28:11.360868016Z", + "code": "4exLFFQZNa5xxFl1cJNwOV", + "kind": "event", + "module": "salesforce", + "action": "logout", + "type": "info", + "category": "authentication", + "dataset": "salesforce.logout" + }, + "user": { + "roles": "Standard(db=S,api=Standard)", + "id": "0055j000000utlP" + } + }, + "_ingest": { + "timestamp": "2021-12-14T10:28:11.360868016Z" + } + } + } + ] +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/logout-stream/_meta/fields.yml b/x-pack/filebeat/module/salesforce/logout-stream/_meta/fields.yml new file mode 100644 index 000000000000..fe1ade9745d2 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-stream/_meta/fields.yml 
@@ -0,0 +1,22 @@ +- name: salesforce.logout + type: group + release: beta + description: > + Fileset for parsing Salesforce Logout (Streaming) logs. + fields: + - name: created_by_id + type: keyword + description: > + Unavailable + - name: related_event_identifier + type: keyword + description: > + This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. + - name: replay_id + type: keyword + description: > + Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window. + - name: schema + type: keyword + description: > + Unavailable \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/logout-stream/config/logout-stream.yml b/x-pack/filebeat/module/salesforce/logout-stream/config/logout-stream.yml new file mode 100644 index 000000000000..ad0a6355db8f --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-stream/config/logout-stream.yml 
@@ -0,0 +1,21 @@ +type: cometd +channel_name: /event/LogoutEventStream +auth.oauth2: + client.id: {{ .client_id }} + client.secret: {{ .client_secret }} + token_url: {{ .token_url }} + user: {{ .user }} + password: {{ .password }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: "json" + - add_fields: + target: '' + fields: + ecs.version: 1.12.0 + - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/logout-stream/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/logout-stream/ingest/pipeline.yml new file mode 100644 index 000000000000..3bc74b68e213 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-stream/ingest/pipeline.yml 
@@ -0,0 +1,147 @@ +--- +description: Pipeline for parsing Salesforce Logout (Streaming) logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + ignore_missing: true + +- set: + field: salesforce.access_mode + value: stream + ignore_failure: true + +- date: + field: json.EventDate + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true + +- rename: + field: json.schema + target_field: salesforce.logout.schema + ignore_missing: true +- rename: + field: json.CreatedById + target_field: salesforce.logout.created_by_id + ignore_missing: true +- rename: + field: json.RelatedEventIdentifier + target_field: salesforce.logout.related_event_identifier + ignore_missing: true +- rename: + field: json.LoginKey + target_field: salesforce.logout.login_key + ignore_missing: true +- rename: + field: json.SessionLevel + target_field: salesforce.logout.session_level + ignore_missing: true +- rename: + field: json.replayId + target_field: salesforce.logout.replay_id + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### + +- date: + field: json.CreatedDate + target_field: event.created + formats: ["yyyy-MM-ddTHH:mm:ssZ"] + ignore_failure: true +- set: + field: event.type + value: "info" +- set: + field: event.kind + value: "event" +- set: + field: event.action + value: "logout" +- set: + field: event.category + value: "authentication" +- set: + field: event.dataset + value: "salesforce.logout" +- set: + field: event.module + value: "salesforce" + +###################### +## ECS User Mapping ## +###################### + +- rename: + field: json.Username + target_field: user.email + ignore_missing: true +- rename: + field: json.UserId + target_field: user.id + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## + +- rename: + field: json.SourceIp + target_field: source.ip + ignore_missing: true + 
+############################ +## ECS Source.Geo Mapping ## +############################ + +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + +############################ +## ECS Related.ip Mapping ## +############################ + +- append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + +############# +## Cleanup ## +############# + +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: + - json + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/logout-stream/manifest.yml b/x-pack/filebeat/module/salesforce/logout-stream/manifest.yml new file mode 100644 index 000000000000..d022aded7a17 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-stream/manifest.yml @@ -0,0 +1,8 @@ +module_version: 1.0 + +var: + - name: tags + default: [salesforce-logout-stream, forwarded] + +ingest_pipeline: ingest/pipeline.yml +input: config/logout-stream.yml diff --git a/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log b/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log new file mode 100644 index 000000000000..39ec23d5bec0 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log 
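Review bot: The `date` processor that fills `event.created` uses `formats: ["yyyy-MM-ddTHH:mm:ssZ"]`, where `T` is an unquoted pattern letter, and `ignore_failure: true` hides the resulting error. The expected output for this fileset later in the diff has no `event.created` even though the fixture carries `CreatedDate`, which suggests the processor fails on every event. Using `formats: [ISO8601]`, as the `@timestamp` processor above it does, or quoting the literal as `'T'`, should fix it; I would also drop `ignore_failure` there so a future format change is visible. `EventIdentifier` is also never renamed before `json` is removed, so the id that the `related_event_identifier` description says to correlate on is lost.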
@@ -0,0 +1 @@ +{"json":{"EventDate":"2021-10-19T11:38:54Z","EventIdentifier":"06ce4a9d-8d6b-4a71-aad8-04d28c9a43df","SourceIp":"123.201.231.106","CreatedById":"0055j000000q9s7AAA","Username":"kush.rana@elastic.co","UserId":"0055j000000utlPAAQ","RelatedEventIdentifier":null,"SessionKey":"6/HAElgoPCwskqBU","CreatedDate":"2021-10-19T11:38:54Z","LoginKey":"CuRVtbMjat6xxbTH","SessionLevel":"STANDARD"}} diff --git a/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log-expected.json new file mode 100644 index 000000000000..0e4ebace435f --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log-expected.json @@ -0,0 +1,58 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "stream", + "logout": { + "session_level": "STANDARD", + "login_key": "CuRVtbMjat6xxbTH", + "created_by_id": "0055j000000q9s7AAA" + } + }, + "@timestamp": "2021-10-19T11:38:54.000Z", + "related": { + "ip": [ + "123.201.231.106" + ] + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "IN-GJ", + "city_name": "Vapi", + "country_iso_code": "IN", + "country_name": "India", + "region_name": "Gujarat", + "location": { + "lon": 72.8998, + "lat": 20.3661 + } + }, + "ip": "123.201.231.106" + }, + "event": { + "ingested": "2021-12-14T10:31:37.625223214Z", + "kind": "event", + "module": "salesforce", + "action": "logout", + "type": "info", + "category": "authentication", + "dataset": "salesforce.logout" + }, + "user": { + "email": "kush.rana@elastic.co", + "id": "0055j000000utlPAAQ" + } + }, + "_ingest": { + "timestamp": "2021-12-14T10:31:37.625223214Z" + } + } + } + ] +} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/module.yml b/x-pack/filebeat/module/salesforce/module.yml
new file mode 100644
index 000000000000..bec0d7ed8b10
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/module.yml
@@ -0,0 +1,9 @@
+dashboards:
+- id: salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10
+ file: salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json
+- id: salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10
+ file: salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json
+- id: salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10
+ file: salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json
+- id: salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10
+ file: salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json
diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/_meta/fields.yml
new file mode 100644
index 000000000000..edd774250d14
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/_meta/fields.yml
@@ -0,0 +1,38 @@ +- name: salesforce.setup_audit_trail + type: group + release: beta + description: > + Fileset for ingesting Salesforce SetupAuditTrail logs. + fields: + - name: event_type + type: keyword + description: > + Event type + - name: created_by_context + type: keyword + description: > + The context under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is Einstein. + - name: created_by_id + type: keyword + description: > + Unknown + - name: created_by_issuer + type: keyword + description: > + Reserved for future use. + - name: delegate_user + type: keyword + description: > + The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later. + - name: display + type: keyword + description: > + The full description of changes made in Setup. For example, if the Action field has a value of PermSetCreate, the Display field has a value like “Created permission set MAD: with user license Salesforce. + - name: responsible_namespace_prefix + type: keyword + description: > + Unknown + - name: section + type: keyword + description: > + The section in the Setup menu where the action occurred. For example, Manage Users or Company Profile. diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/config/setupaudittrail-rest.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/config/setupaudittrail-rest.yml new file mode 100644 index 000000000000..f576764bfbf4 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/config/setupaudittrail-rest.yml 
@@ -0,0 +1,41 @@ +type: httpjson + +interval: {{ .interval }} +request.method: GET +auth.oauth2: + enabled: true + client.id: {{ .client_id }} + client.secret: {{ .client_secret }} + token_url: {{ .token_url }} + user: {{ .user }} + password: {{ .password }} +# Query params will be overwritten by request.transforms from start of the input and +# it is to indicate that this url is for SetupAuditTratil type of events as cursor stores the url as source. +# Each filebeat input cursor source needs to be uniquely identified with a name. +request.url: {{ .url }}/services/data/v52.0/query?q=setupaudittrail+rest +{{ if .proxy_url }} +request.proxy_url: {{ .proxy_url }} +{{ end }} +request.transforms: + - set: + target: url.params.q + value: "SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section FROM SetupAuditTrail WHERE CreatedDate > [[.cursor.last_published_setupaudittrail]] ORDER BY CreatedDate ASC NULLS FIRST" + default: "SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section FROM SetupAuditTrail ORDER BY CreatedDate ASC NULLS FIRST" +response.split: + target: body.records +cursor: + last_published_setupaudittrail: + value: '[[.last_event.CreatedDate]]' + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: "json" + - add_fields: + target: '' + fields: + ecs.version: 1.12.0 + - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/ingest/pipeline.yml new file mode 100644 index 000000000000..49165c22c626 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/ingest/pipeline.yml 
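Review bot: The query advances on `CreatedDate > [[.cursor.last_published_setupaudittrail]]` and the hunk configures no `response.pagination`, so only the first batch of `body.records` appears to be read per interval. If Salesforce returns the result in several batches, rows after the first batch that share the last stored `CreatedDate` would be skipped on the next poll, and a backlog drains at one batch per `interval`. For an audit trail that gap matters; consider following the `nextRecordsUrl` of the response, or ordering by `CreatedDate, Id` and keeping the last `Id` in the cursor as a tie-breaker. The logout-rest input earlier in the diff uses the same cursor pattern.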
@@ -0,0 +1,138 @@ +--- +description: Pipeline for parsing Salesforce SetupAuditTrail logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + ignore_missing: true + +- set: + field: salesforce.access_mode + value: rest + ignore_failure: true + +- date: + field: json.CreatedDate + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true + +- rename: + field: json.attributes.type + target_field: salesforce.setup_audit_trail.event_type + ignore_missing: true +- rename: + field: json.CreatedByContext + target_field: salesforce.setup_audit_trail.created_by_context + ignore_missing: true +- rename: + field: json.CreatedById + target_field: salesforce.setup_audit_trail.created_by_id + ignore_missing: true +- rename: + field: json.CreatedByIssuer + target_field: salesforce.setup_audit_trail.created_by_issuer + ignore_missing: true +- rename: + field: json.DelegateUser + target_field: salesforce.setup_audit_trail.delegate_user + ignore_missing: true +- rename: + field: json.Display + target_field: salesforce.setup_audit_trail.display + ignore_missing: true +- rename: + field: json.ResponsibleNamespacePrefix + target_field: salesforce.setup_audit_trail.responsible_namespace_prefix + ignore_missing: true +- rename: + field: json.Section + target_field: salesforce.setup_audit_trail.section + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### + +- rename: + field: json.Id + target_field: event.id + ignore_missing: true +- rename: + field: json.Action + target_field: event.action + ignore_missing: true +- rename: + field: json.attributes.url + target_field: event.url + ignore_missing: true +- date: + field: json.CreatedDate + target_field: event.created + formats: + - ISO8601 + ignore_failure: true +- set: + field: event.type + value: "admin" +- set: + field: event.kind + value: "event" +- set: + field: event.dataset + value: "salesforce.setupaudittrail" +- 
set: + field: event.module + value: "salesforce" + +###################### +## ECS User Mapping ## +###################### + +- set: + field: user.id + copy_from: salesforce.setup_audit_trail.created_by_id + ignore_failure: true +- set: + field: temp_setup_audit_trail_display + copy_from: salesforce.setup_audit_trail.display + ignore_failure: true +- dissect: + field: temp_setup_audit_trail_display + pattern: "For user %{user.target.user.name}, %{?}" + ignore_failure: true + +############# +## Cleanup ## +############# + +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: + - json + - temp_setup_audit_trail_display + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/manifest.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/manifest.yml new file mode 100644 index 000000000000..8d6e6fdabe32 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/manifest.yml @@ -0,0 +1,11 @@ +module_version: 1.0 + +var: + - name: interval + default: 1h + - name: tags + default: [salesforce-setupaudittrail-rest, forwarded] + - name: proxy_url + +ingest_pipeline: ingest/pipeline.yml +input: config/setupaudittrail-rest.yml 
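Review bot: The `dissect` pattern writes the affected account to `user.target.user.name`, which is not an ECS field; ECS nests the target directly as `user.target.name` (or `user.target.email`, since the fixture value is an address). Rules that look for the target of an admin change under `user.target.*` will not match this field. I would use `pattern: "For user %{user.target.name}, %{?}"` and update the expected JSON to match. The events also get `event.type: admin` without any `event.category`; `iam` looks like the intended pairing.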
diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log
new file mode 100644
index 000000000000..a9e5a4f7d2cd
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log
@@ -0,0 +1 @@
+{"json":{"attributes":{"type":"SetupAuditTrail","url":"/services/data/v52.0/sobjects/SetupAuditTrail/0Ym5j12345BJKvZCAX"},"Action":"changedUserEmailVerifiedStatusVerified","CreatedByContext":null,"CreatedById":"1234j000000q9s7ABC","CreatedByIssuer":null,"CreatedDate":"2021-10-06T07:13:07.000+0000","DelegateUser":null,"Display":"For user abc.def@mail.com, the User Verified Email status changed to verified","Id":"0Ym5j12345BJKvABCD","ResponsibleNamespacePrefix":null,"Section":"Manage Users"}}
diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log-expected.json
new file mode 100644
index 000000000000..5054acac3c77
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log-expected.json
@@ -0,0 +1,45 @@ +{ + "docs": [ + { + "doc": { + "_index": "_index", + "_type": "_doc", + "_id": "_id", + "_source": { + "salesforce": { + "access_mode": "rest", + "setup_audit_trail": { + "section": "Manage Users", + "event_type": "SetupAuditTrail", + "created_by_id": "1234j000000q9s7ABC", + "display": "For user abc.def@mail.com, the User Verified Email status changed to verified" + } + }, + "@timestamp": "2021-10-06T07:13:07.000Z", + "event": { + "ingested": "2021-12-10T09:40:12.878386514Z", + "created": "2021-10-06T07:13:07.000Z", + "kind": "event", + "module": "salesforce", + "action": "changedUserEmailVerifiedStatusVerified", + "id": "0Ym5j12345BJKvABCD", + "type": "admin", + "dataset": "salesforce.setupaudittrail", + "url": "/services/data/v52.0/sobjects/SetupAuditTrail/0Ym5j12345BJKvZCAX" + }, + "user": { + "id": "1234j000000q9s7ABC", + "target": { + "user": { + "name": "abc.def@mail.com" + } + } + } + }, + "_ingest": { + "timestamp": "2021-12-14T09:45:04.174461015Z" + } + } + } + ] +} \ No newline at end of file