How to modify overview tap in elastic security app

111387 · November 4, 2020, 1:01am

I set some IPS logs into ECS format using Fluentd and then delivered them to elasticsearch.

And you can see that the log is coming in from kibana.

The problem is that Elastic Security's Overview tap doesn't show the number of incoming events in Network events.

It is checked in the events at the top, but the number of events cannot be checked in the host events and network events below.

I'm not going to use beats. However, it seems that you can only check specific equipment events coming to beats.

How can I express the number of events of different equipment?

Andrew_G · November 4, 2020, 3:53am

Hi @111387!

By default, the Security solution uses the following Elasticsearch indices specified by the securitySolution:defaultIndex setting in Kibana Advanced settings:

apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, logs-*, packetbeat-*, winlogbeat-*

You may add additional ECS-conforming indices to the setting shown in the screenshot above.

After adding the indices to the securitySolution:defaultIndex setting, they will be represented in the Events widget shown in the screenshot you provided, however they will not be shown in the Network events widget on the Overview, because that widget counts events from specific agent.types, i.e. agent.type: "auditbeat".

We're always open: Inspect the queries that power the Security app

Tip: You may hover over widgets throughout the Security app and click Inspect to view the Elasticsearch query that powers the widget.

For example, hover over the Network events widget and click the Inspect button:

the Request tab shown in the screenshot below will display the Elasticsearch query used to retrieve the counts shown in the Network events widget:

Thanks for your question!

111387 · November 6, 2020, 4:41am

i know to bring results through Inspect Network events Ruquests.

But is it possible for me to edit the Inspect Network events Ruquests?

Andrew_G · November 6, 2020, 6:14pm

Thanks again for your question and feedback @111387! It's not possible to customize the query in the current implementation, so I created the following Github issue to track this feature as part of a refreshed design of the Host events and Network events:

github.com/elastic/kibana

[Security Solution] Support Elastic Agent integrations and custom data sources in the Overview `Host events` and `Network events` widgets

opened 05:54PM - 06 Nov 20 UTC

andrew-goldstein

Team:Threat Hunting Team: SecuritySolution Feature:SecurityOverview

The `Host events` and `Network events` widgets on the Security Solution `Overvie…w` page, shown in the screenshot below: - Were developed before the existence of [Elastic Agent](https://www.elastic.co/guide/en/ingest-management/master/fleet-overview.html) integrations. Thus, they are mostly organized around Beats, and don't display counts from Elastic Agent integrations - Don't count data ingested from custom data sources, [as requested here](https://discuss.elastic.co/t/how-to-modify-overview-tap-in-elastic-security-app/254193) - Do not provide a means of hiding data sources that will always return a count of `0` when users know those sources are not providing data, because they are not in use <img width="762" alt="host-events-network-events" src="https://user-images.githubusercontent.com/4459398/98397472-a25b5600-201c-11eb-9c61-2ab022aaa31b.png"> ### Considerations for a refreshed design A refreshed design of these widgets should take into consideration: - Fleet's [integrations for popular services and platforms](https://www.elastic.co/guide/en/ingest-management/master/fleet-overview.html#fleet) ingested via Elastic Agent, as illustrated by the screenshot below ![integrations](https://user-images.githubusercontent.com/4459398/98396468-fbc28580-201a-11eb-8f01-6664c2660395.png) - The ability to display counts of data ingested by custom data sources [as requested here](https://discuss.elastic.co/t/how-to-modify-overview-tap-in-elastic-security-app/254193). The refreshed design should consider whether this can / should be achieved by convention, configuration, or a combination thereof. - An option for users to hide data sources that will always be reported with a count of `0`, because data from those sources will not be ingested, as requested by @stiltz **Kibana/Elasticsearch Stack version:** `7.10`

I linked the issue above to this post. Please feel free to comment directly in that issue or in this post with any additional details that might be relevant to your specific use case, as this may help inform the new design.

Topic		Replies	Views
Elastic siem overview dashboard config SIEM	2	364	November 19, 2020
Reading existing indexes not created by beats/agents Elastic Security	6	296	March 2, 2022
Unable to see winlogbeat events Beats winlogbeat	8	1703	July 31, 2020
Elastic Security - APIs on Resolver Elastic Security	1	243	June 27, 2022
Auditbeats traffic is reaching ELK but no index is created Beats auditbeat	2	587	January 3, 2019

How to modify overview tap in elastic security app

We're always open: Inspect the queries that power the Security app

Related topics