@RylandHerrick
Thanks. We are using the standard dashboards created by the auditbeat setup command, which creates the index and the dashboards; we don't have any custom settings, dashboards, or data yet. Here is the request I was able to extract from the open-socket visualization in the [Auditbeat System] Socket Dashboard ECS:
"aggs": {},
"size": 0,
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "event.created",
"format": "date_time"
},
{
"field": "event.end",
"format": "date_time"
},
{
"field": "event.ingested",
"format": "date_time"
},
{
"field": "event.start",
"format": "date_time"
},
{
"field": "file.accessed",
"format": "date_time"
},
{
"field": "file.created",
"format": "date_time"
},
{
"field": "file.ctime",
"format": "date_time"
},
{
"field": "file.mtime",
"format": "date_time"
},
{
"field": "package.installed",
"format": "date_time"
},
{
"field": "process.parent.start",
"format": "date_time"
},
{
"field": "process.start",
"format": "date_time"
},
{
"field": "system.audit.host.boottime",
"format": "date_time"
},
{
"field": "system.audit.package.installtime",
"format": "date_time"
},
{
"field": "system.audit.user.password.last_changed",
"format": "date_time"
},
{
"field": "tls.client.not_after",
"format": "date_time"
},
{
"field": "tls.client.not_before",
"format": "date_time"
},
{
"field": "tls.server.not_after",
"format": "date_time"
},
{
"field": "tls.server.not_before",
"format": "date_time"
}
],
"_source": {
"excludes": []
},
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"match_phrase": {
"event.dataset": {
"query": "socket"
}
}
},
{
"match_phrase": {
"event.action": {
"query": "socket_opened"
}
}
},
{
"range": {
"@timestamp": {
"gte": "2020-08-20T19:50:29.720Z",
"lte": "2020-08-20T20:50:29.720Z",
"format": "strict_date_optional_time"
}
}
}
],
"should": [],
"must_not": []
}
}
}
Here is the response, which returns zero hits for that time range:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 2,
"successful": 2,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 0,
"max_score": null,
"hits": []
}
}
Thank you!