diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 1b7a9eb33bfaa..b5c9132fbf6a9 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -640,6 +640,11 @@ plaid/assets/logs/ @DataDog/saa /checkpoint_harmony_endpoint/manifest.json @DataDog/agent-integrations @DataDog/documentation /checkpoint_harmony_endpoint/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core +/push_security/ @DataDog/saas-integrations +/push_security/*.md @DataDog/saas-integrations @DataDog/documentation +/push_security/manifest.json @DataDog/saas-integrations @DataDog/documentation +/push_security/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers + # To keep Security up-to-date with changes to the signing tool. /datadog_checks_dev/datadog_checks/dev/tooling/signing.py @DataDog/agent-integrations # As well as the secure downloader. diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml index def21bcde5106..1482c9f5d179e 100644 --- a/.github/workflows/config/labeler.yml +++ b/.github/workflows/config/labeler.yml @@ -555,6 +555,8 @@ integration/proxysql: - proxysql/**/* integration/pulsar: - pulsar/**/* +integration/push_security: +- push_security/**/* integration/quarkus: - quarkus/**/* integration/rabbitmq: diff --git a/push_security/CHANGELOG.md b/push_security/CHANGELOG.md new file mode 100644 index 0000000000000..6eb3bc699c9fa --- /dev/null +++ b/push_security/CHANGELOG.md @@ -0,0 +1,7 @@ +# CHANGELOG - Push Security + +## 1.0.0 / 2025-09-10 + +***Added***: + +* Initial Release \ No newline at end of file diff --git a/push_security/README.md b/push_security/README.md new file mode 100644 index 0000000000000..cbd34939ce1ac --- /dev/null +++ b/push_security/README.md 
@@ -0,0 +1,51 @@ +# Push Security + +## Overview + +[Push Security][1] is an identity security platform that focuses on securing workforce identities through browser-level monitoring. It uses a browser extension to provide real-time visibility into user activity, enabling the detection and response to threats such as phishing, session hijacking, and credential misuse. + +Integrate Push Security with Datadog's pre-built dashboard visualizations to gain insights into [Events][2]. With Datadog's built-in log pipelines, you can parse and enrich these logs to facilitate easy search and detailed insights. Additionally, this integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security. + +## Setup + +### Configuration + +#### Webhook Configuration + +Configure the Datadog endpoint to forward Push Security events as logs to Datadog. + +1. Copy the generated URL inside the **Configuration** tab on the Datadog [Push Security][5] tile. +2. Sign in to [Push Security Portal][3]. +3. Go to the **Settings** > **Webhooks**. +4. Click `+Webhook`. +5. In the URL field, enter the **webhook url** generated in the **Step 1**. +5. Under the **Select Events** section, make sure all the below mentioned checkboxes are selected. + - Activity + - Audit + - Controls + - Detections + - Entities +7. Click `Generate Webhook`. + +## Data Collected + +### Logs +The Push Security integration collects Activity, Audit, Controls, Detections and Entities Events. + +### Metrics + +The Push Security integration does not include any metrics. + +### Events + +The Push Security integration does not include any events. + +## Support + +For further assistance, contact [Datadog support][4]. + +[1]: https://pushsecurity.com/ +[2]: https://pushsecurity.redoc.ly/webhooks-v1#operation/account-event +[3]: http://login.pushsecurity.com/u/login +[4]: https://docs.datadoghq.com/help/ +[5]: /integrations/push-security \ No newline at end of file 
diff --git a/push_security/assets/dashboards/push_security_activity.json b/push_security/assets/dashboards/push_security_activity.json new file mode 100644 index 0000000000000..a9010525d900c --- /dev/null +++ b/push_security/assets/dashboards/push_security_activity.json 
@@ -0,0 +1,1040 @@ +{ + "title": "Push Security - Activity", + "description": "This dashboard offers a comprehensive summary of employee login activities for security oversight and analysis.", + "widgets": [ + { + "id": 8508816171812108, + "definition": { + "type": "image", + "url": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "url_dark_theme": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 10546878817969, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of employee login activities for security oversight and analysis.\n\nFor more information, see the [Push Security Documentation](https://docs.datadoghq.com/integrations/push_security/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 3569705310123999, + "definition": { + "title": "Login", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8147737320164172, + "definition": { + "title": "Total Login Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": 
"logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 7792055127330449, + "definition": { + "title": "Login Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Login Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 1543784189995115, + "definition": { + "title": "Login Events by App Type", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.appType", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 7407259663740449, + "definition": { + "title": "Top Emails by Login Activity", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 1684474188369872, + "definition": { + "title": "Login Events by Browser Used", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.browser", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", 
+ "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5422814329939300, + "definition": { + "title": "Login Events by Operating System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.os", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 239607312794032, + "definition": { + "title": "Login Events by Login Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.loginType", + "limit": 10, + "sort": { + "aggregation": "count", + 
"order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8811170934858692, + "definition": { + "title": "Login Events by Source IP Address", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 4 + } + }, + { + "id": 1232258193806238, + "definition": { + "title": "Login Events by Location", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + 
"facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 9, + "height": 4 + } + }, + { + "id": 7903982386365039, + "definition": { + "title": "Login Events with Weak Passwords", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN @new.weakPassword:true $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 43241473215464, + "definition": { + "title": "Top Weak Password Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.weakPasswordReasons", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 15, + "width": 6, + "height": 3 + } + }, + { + "id": 5956483216129770, + "definition": { + "title": "Login Events with Leaked Passwords", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN @new.leakedPassword:true $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 9, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 81520266591636, + "definition": { + "title": "Login Events by Password Manager Used", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.passwordManager", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" 
+ } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 7, + "height": 4 + } + }, + { + "id": 2748136858603232, + "definition": { + "title": "Login Events by Identity Provider", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.identityProvider", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 7, + "y": 18, + "width": 5, + "height": 4 + } + }, + { + "id": 7363581427372900, + "definition": { + "title": "Login Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:ACTIVITY @object:LOGIN $application_type $email $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, 
+ "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 27 + } + } + ], + "template_variables": [ + { + "name": "application_type", + "prefix": "@new.appType", + "available_values": [], + "default": "*" + }, + { + "name": "email", + "prefix": "@usr.email", + "available_values": [], + "default": "*" + }, + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/push_security/assets/dashboards/push_security_audit.json b/push_security/assets/dashboards/push_security_audit.json new file mode 100644 index 0000000000000..aa1f18914fffd --- /dev/null +++ b/push_security/assets/dashboards/push_security_audit.json 
@@ -0,0 +1,2595 @@ +{ + "title": "Push Security - Audit", + "description": "This dashboard offers a comprehensive summary of activities, including admin actions, API key events, app updates, control rule changes, employee data modifications, detection events, and other audit-related activities.", + "widgets": [ + { + "id": 8508816171812108, + "definition": { + "type": "image", + "url": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "url_dark_theme": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 10546878817969, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of activities, including admin actions, API key events, app updates, control rule changes, employee data modifications, detection events, and other audit-related activities.\n\nFor more information, see the [Push Security Documentation](https://docs.datadoghq.com/integrations/push_security/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 3569705310123999, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2783930304552371, + "definition": { + 
"title": "Total Audit Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 3570499936240261, + "definition": { + "title": "Audit Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2372793241224407, + "definition": { + "title": "Audit Events by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $actor_source $user_email" + }, + 
"indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5261648611943507, + "definition": { + "title": "Top Users by Audit Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 2479982404414374, + "definition": { + "title": "Top Sources by Audit Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@actor.source", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 566360616673284, + "definition": { + "title": "Top Source IP by Audit Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 792840092681891, + "definition": { + "title": "Audit Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:AUDIT $actor_source $user_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": 
"timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 15 + } + }, + { + "id": 7880160429975304, + "definition": { + "title": "Admin Activities", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5461737680932635, + "definition": { + "title": "Total Admin Actions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(ADMIN_ACCEPTED_INVITATION OR ADMIN_ENABLED_MFA OR ADMIN_EXPORTED_DATA OR ADMIN_LOADED_DATA OR ADMIN_LOGGED_IN OR ADMIN_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 553133701671024, + "definition": { + "title": "Admin Actions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + 
"search": { + "query": "source:pushsecurity service:AUDIT @object:(ADMIN_ACCEPTED_INVITATION OR ADMIN_ENABLED_MFA OR ADMIN_EXPORTED_DATA OR ADMIN_LOADED_DATA OR ADMIN_LOGGED_IN OR ADMIN_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 568945646701465, + "definition": { + "title": "Admin Actions by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(ADMIN_ACCEPTED_INVITATION OR ADMIN_ENABLED_MFA OR ADMIN_EXPORTED_DATA OR ADMIN_LOADED_DATA OR ADMIN_LOGGED_IN OR ADMIN_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 59781569083030, + "definition": { + "title": "Top Users by Invite send", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:ADMIN_ACCEPTED_INVITATION $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.inviter", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 7796713342318998, + "definition": { + "title": "Top MFA method used by Admin", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:ADMIN_ENABLED_MFA $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.method", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 4137270712975066, + 
"definition": { + "title": "Admin Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:AUDIT @object:(ADMIN_ACCEPTED_INVITATION OR ADMIN_ENABLED_MFA OR ADMIN_EXPORTED_DATA OR ADMIN_LOADED_DATA OR ADMIN_LOGGED_IN OR ADMIN_REMOVED) $actor_source $user_email", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 11 + } + }, + { + "id": 7268840563575406, + "definition": { + "title": "API Key Activity Event", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3392847027938864, + "definition": { + "title": "API Key Addition Trends", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:API_KEY_ADDED $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + 
}, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 1698285862400694, + "definition": { + "title": "API Key Removal Trends", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:API_KEY_REMOVED $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 7694859115703526, + "definition": { + "title": "Top Users by API Key Actions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(API_KEY_ADDED OR API_KEY_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, 
+ "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 6399225792205824, + "definition": { + "title": "API Key Creation by Permission", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:API_KEY_ADDED $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.permissions", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 4 + } + }, + { + "id": 3521423490422780, + "definition": { + "title": "API Key Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:AUDIT @object:(API_KEY_ADDED OR API_KEY_REMOVED) $actor_source $user_email", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + 
"height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 29, + "width": 12, + "height": 11 + } + }, + { + "id": 3524873566637129, + "definition": { + "title": "App Update Events", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4015832492558388, + "definition": { + "title": "App Updates over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(APP_APPROVAL_STATUS_UPDATED OR APP_LABELS_ADDED OR APP_LABELS_REMOVED OR APP_NOTES_UPDATED OR APP_OWNER_ID_UPDATED OR APP_SENSITIVITY_LEVEL_UPDATED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 7694635517811389, + "definition": { + "title": "Top App with Owner Changes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:APP_OWNER_ID_UPDATED $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.appType", + "limit": 10, + "sort": 
{ + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 7344704994016346, + "definition": { + "title": "Top Apps by Update Activity", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(APP_APPROVAL_STATUS_UPDATED OR APP_NOTES_UPDATED OR APP_OWNER_ID_UPDATED OR APP_SENSITIVITY_LEVEL_UPDATED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.appType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 7424395028179887, + "definition": { + "title": "Top Apps with Label Modification", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity 
service:AUDIT @object:(APP_LABELS_ADDED OR APP_LABELS_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.apps", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 6165260835505707, + "definition": { + "title": "App Owner Changes over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:APP_OWNER_ID_UPDATED $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + }, + { + "id": 819167784948400, + "definition": { + "title": "App Update Events Details", + "title_size": "16", + "title_align": 
"left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:AUDIT @object:(APP_APPROVAL_STATUS_UPDATED OR APP_LABELS_ADDED OR APP_LABELS_REMOVED OR APP_NOTES_UPDATED OR APP_OWNER_ID_UPDATED OR APP_SENSITIVITY_LEVEL_UPDATED) $actor_source $user_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 10, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 14 + } + }, + { + "id": 4285309164762903, + "definition": { + "title": "Control Rule Activities", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3400147890758439, + "definition": { + "title": "Total Control Rule Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(CONTROL_RULE_ADDED OR CONTROL_RULE_REMOVED OR CONTROL_RULE_REORDERED OR CONTROL_RULE_TOGGLED OR CONTROL_RULE_UPDATED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 
3, + "height": 3 + } + }, + { + "id": 2936604158692483, + "definition": { + "title": "Control Rule Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Control Rule Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(CONTROL_RULE_ADDED OR CONTROL_RULE_REMOVED OR CONTROL_RULE_REORDERED OR CONTROL_RULE_TOGGLED OR CONTROL_RULE_UPDATED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 4488784212341925, + "definition": { + "title": "Top Users by Control Rule Changes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(CONTROL_RULE_ADDED OR CONTROL_RULE_REMOVED OR CONTROL_RULE_REORDERED OR CONTROL_RULE_TOGGLED OR CONTROL_RULE_UPDATED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": 
"count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 2715767715760579, + "definition": { + "title": "Control Rule Events by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(CONTROL_RULE_ADDED OR CONTROL_RULE_REMOVED OR CONTROL_RULE_REORDERED OR CONTROL_RULE_TOGGLED OR CONTROL_RULE_UPDATED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 4 + } + }, + { + "id": 8008548933610423, + "definition": { + "title": "Control Rule Events Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:AUDIT @object:(CONTROL_RULE_ADDED OR 
CONTROL_RULE_REMOVED OR CONTROL_RULE_REORDERED OR CONTROL_RULE_TOGGLED OR CONTROL_RULE_UPDATED) $actor_source $user_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 54, + "width": 12, + "height": 11 + } + }, + { + "id": 5248323089556061, + "definition": { + "title": "Employee Data Modifications", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7969483374672391, + "definition": { + "title": "Employee Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Employee Data Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(EMPLOYEE_DISABLED_EXTENSION OR EMPLOYEE_EMAIL_UPDATED OR EMPLOYEE_NAME_UPDATED OR EMPLOYEE_REMOVED_FROM_GROUP OR EMPLOYEES_ADDED_TO_GROUP OR EMPLOYEES_MERGED OR EMPLOYEES_UNMERGED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": 
"normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 5815124519845308, + "definition": { + "title": "Top Employees Temporary Disabling Extension", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:EMPLOYEE_DISABLED_EXTENSION $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 8234087924514658, + "definition": { + "title": "Employee Email Update Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:EMPLOYEE_EMAIL_UPDATED $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@timestamp", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@new.email", + "limit": 10, + "sort": { + "aggregation": 
"count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@old.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 4 + } + }, + { + "id": 1069081787477895, + "definition": { + "title": "Employee Events Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:AUDIT @object:(EMPLOYEE_DISABLED_EXTENSION OR EMPLOYEE_EMAIL_UPDATED OR EMPLOYEE_NAME_UPDATED OR EMPLOYEE_REMOVED_FROM_GROUP OR EMPLOYEES_ADDED_TO_GROUP OR EMPLOYEES_MERGED OR EMPLOYEES_UNMERGED) $actor_source $user_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 65, + "width": 12, + "height": 11 + } + }, + { + "id": 1356874157678472, + "definition": { + "title": "Detection Activities", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4278633039552564, + "definition": { + "title": "Detection Activities over 
Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Detection Activities Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(DETECTION_ARCHIVED OR DETECTION_SCREENSHOTS_TOGGLED OR DETECTION_UNARCHIVED OR PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_ADDED OR PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_REMOVED OR STOLEN_CREDENTIALS_ADDED OR STOLEN_CREDENTIALS_MODE_UPDATED OR STOLEN_CREDENTIALS_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 8825496633360742, + "definition": { + "title": "Top Users by Detection Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(DETECTION_ARCHIVED OR DETECTION_SCREENSHOTS_TOGGLED OR DETECTION_UNARCHIVED OR PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_ADDED OR PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_REMOVED OR STOLEN_CREDENTIALS_ADDED OR STOLEN_CREDENTIALS_MODE_UPDATED OR STOLEN_CREDENTIALS_REMOVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + 
"sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 7181827978165821, + "definition": { + "title": "Detection Status Update Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT @object:(DETECTION_ARCHIVED OR DETECTION_UNARCHIVED) $actor_source $user_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@new.archived", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "alias": "count", + "cell_display_mode": "number", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 5, + "y": 3, + "width": 7, + "height": 4 + } + }, + { + "id": 2076843924327457, + "definition": { + "title": "Detection Events Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + 
"query_string": "source:pushsecurity service:AUDIT @object:(DETECTION_ARCHIVED OR DETECTION_SCREENSHOTS_TOGGLED OR DETECTION_UNARCHIVED OR PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_ADDED OR PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_REMOVED OR STOLEN_CREDENTIALS_ADDED OR STOLEN_CREDENTIALS_MODE_UPDATED OR STOLEN_CREDENTIALS_REMOVED) $actor_source $user_email", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.email", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 76, + "width": 12, + "height": 11 + } + } + ], + "template_variables": [ + { + "name": "user_email", + "prefix": "@usr.email", + "available_values": [], + "default": "*" + }, + { + "name": "actor_source", + "prefix": "@actor.source", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/push_security/assets/dashboards/push_security_controls.json b/push_security/assets/dashboards/push_security_controls.json new file mode 100644 index 0000000000000..3d657e6891117 --- /dev/null +++ b/push_security/assets/dashboards/push_security_controls.json 
@@ -0,0 +1,4965 @@ +{ + "title": "Push Security - Controls", + "description": "This dashboard summarizes critical security controls and alerts, including MFA enforcement, phishing detection, blocked URLs, and credential protection to help monitor your security posture.", + "widgets": [ + { + "id": 8508816171812108, + "definition": { + "type": "image", + "url": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "url_dark_theme": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 10546878817969, + "definition": { + "type": "note", + "content": "This dashboard summarizes critical security controls and alerts, including MFA enforcement, phishing detection, blocked URLs, and credential protection to help monitor your security posture.\n\nFor more information, see the [Push Security Documentation](https://docs.datadoghq.com/integrations/push_security/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 7252990685481335, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2849433358832, + "definition": { + "title": "Total Control Events", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 1031232260061671, + "definition": { + "title": "Control Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Control Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 6016496185184478, + "definition": { + "title": "Control Events by Event Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $user_email 
$event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 8, + "height": 4 + } + }, + { + "id": 52316689597069, + "definition": { + "title": "Control Events by Employee Department", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.employee.department", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 8776487918148441, + "definition": { + "title": "Control Events by Operating System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": 
"logs", + "search": { + "query": "source:pushsecurity service:CONTROL $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.os", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1104142573177871, + "definition": { + "title": "Control Events by Browser", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.browser", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1773283333656778, + "definition": { + "title": "Control Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": 
{ + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:CONTROL $user_email $event_outcome $application_type $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 16 + } + }, + { + "id": 3161475319024968, + "definition": { + "title": "App Banner", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 706794460332607, + "definition": { + "title": "Total App Banner Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5701551660877735, + "definition": { + "title": "App Banner Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": 
[ + { + "alias": "App Banner Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 6567564446919175, + "definition": { + "title": "App Banner Events by Mode", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.appBanner.mode", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 7, + "height": 4 + } + }, + { + "id": 6768010005268312, + "definition": { + "title": "App Banner Events by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome 
$application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.outcome", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 7, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 5466430629455091, + "definition": { + "title": "Top Employees by App Banner Interactions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 5696076354685129, + "definition": { + "title": "App Banner URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL 
@object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 6212751527465142, + "definition": { + "title": "Top Source IP Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 3866853218047602, + "definition": { + "title": "App Banner Events by App Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + 
"query": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.appType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 4682340648238868, + "definition": { + "title": "App Banner Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:CONTROL @object:APP_BANNER $user_email $event_outcome $application_type $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 16 + } + }, + { + "id": 3772288814933864, + "definition": { + "title": "Blocked URL Visited", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 381307237747573, + "definition": { + "title": "Total Blocked URL Visits", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + 
"name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 4993195463643143, + "definition": { + "title": "Blocked URL Visits over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7943324162260778, + "definition": { + "title": "Top Blocked URL", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome 
$application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 3724938257783823, + "definition": { + "title": "Blocked URL Visits by Employee", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 2905649483037872, + "definition": { + "title": "Blocked URL Visits by Source IP", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL 
@object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 3820844480883478, + "definition": { + "title": "Top Referrer URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.referrerUrl", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 8212904089294878, + "definition": { + "title": "Blocked URL Visits by Schema Obfuscation", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": 
"logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.urlSchemaObfuscationBlock", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6905091989852103, + "definition": { + "title": "Blocked URL Visit Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:CONTROL @object:BLOCKED_URL_VISITED $user_email $event_outcome $application_type $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 35, + "width": 12, + "height": 12 + } + }, + { + "id": 2495545276213455, + "definition": { + "title": "Cloned Login Page Detected", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5751329912387752, + "definition": { + "title": "Total Cloned Login Page Detections", + "title_size": "16", + "title_align": "left", + "type": 
"query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5994998595390100, + "definition": { + "title": "Detections over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Detection", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 3189205611004531, + "definition": { + "title": "Top Cloned Login Page Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome 
$application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.clonedLoginPageType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 1940844024690485, + "definition": { + "title": "Top URLs Triggering Detections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 2748562925554591, + "definition": { + "title": "Top Legitimate Cloned URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity 
service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.clonedLoginPageUrls", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 6475921935870390, + "definition": { + "title": "Detection Mode Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.mode", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 8, + "height": 4 + } + }, + { + "id": 895090361546133, + "definition": { + "title": "Top Referrer URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { 
+ "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.referrerUrl", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 8830114217736690, + "definition": { + "title": "Top Cloned Login Page by Employee", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 4 + } + }, + { + "id": 552695575531411, + "definition": { + "title": "Top Cloned Login Page by Source IP 
Addresses",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@network.client.ip",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 3,
+ "y": 11,
+ "width": 3,
+ "height": 4
+ }
+ },
+ {
+ "id": 8651051791100027,
+ "definition": {
+ "title": "Actions Taken by Users",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@evt.outcome",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "style": {
+ "palette": "datadog16"
+ },
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 500,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "type": "sunburst",
+ "legend": {
+ "type": "table"
+ }
+ },
+ "layout": {
+ "x": 6,
+ "y": 11,
+ "width": 6,
+ 
"height": 4
+ }
+ },
+ {
+ "id": 225150350662341,
+ "definition": {
+ "title": "Detection Event Details",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "response_format": "event_list",
+ "query": {
+ "data_source": "logs_stream",
+ "query_string": "source:pushsecurity service:CONTROL @object:CLONED_LOGIN_PAGE_DETECTED $user_email $event_outcome $application_type $client_ip",
+ "indexes": [],
+ "storage": "hot"
+ },
+ "columns": [
+ {
+ "field": "status_line",
+ "width": "auto"
+ },
+ {
+ "field": "timestamp",
+ "width": "auto"
+ },
+ {
+ "field": "content",
+ "width": "auto"
+ }
+ ]
+ }
+ ],
+ "type": "list_stream"
+ },
+ "layout": {
+ "x": 0,
+ "y": 15,
+ "width": 12,
+ "height": 4
+ }
+ }
+ ]
+ },
+ "layout": {
+ "x": 0,
+ "y": 47,
+ "width": 12,
+ "height": 20
+ }
+ },
+ {
+ "id": 6222660427583425,
+ "definition": {
+ "title": "MFA Enforcement Event",
+ "background_color": "vivid_orange",
+ "show_title": true,
+ "type": "group",
+ "layout_type": "ordered",
+ "widgets": [
+ {
+ "id": 2942671041016384,
+ "definition": {
+ "title": "Total MFA Enforcement Events",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "query_value",
+ "requests": [
+ {
+ "response_format": "scalar",
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "conditional_formats": [
+ {
+ "comparator": ">",
+ "value": 0,
+ "palette": "black_on_light_yellow"
+ }
+ ]
+ }
+ ],
+ "autoscale": true,
+ "precision": 2,
+ "timeseries_background": {
+ "yaxis": {},
+ "type": "bars"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 3,
+ "height": 3
+ }
+ },
+ {
+ "id": 3824601827594010,
+ "definition": {
+ "title": "MFA Enforcement Events over 
Time",
+ "title_size": "16",
+ "title_align": "left",
+ "show_legend": false,
+ "type": "timeseries",
+ "requests": [
+ {
+ "formulas": [
+ {
+ "alias": "MFA Enforcement Event",
+ "formula": "query1"
+ }
+ ],
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "timeseries",
+ "style": {
+ "palette": "dog_classic",
+ "order_by": "values",
+ "line_type": "solid",
+ "line_width": "normal"
+ },
+ "display_type": "line"
+ }
+ ]
+ },
+ "layout": {
+ "x": 3,
+ "y": 0,
+ "width": 9,
+ "height": 3
+ }
+ },
+ {
+ "id": 1682945360698459,
+ "definition": {
+ "title": "Top Apps with MFA Enforcement",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.appType",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ }
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 3995977648048552,
+ "definition": {
+ "title": "Top Employees by MFA Enforcement",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": 
[
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@usr.email",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 4,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 950616750626615,
+ "definition": {
+ "title": "MFA Enforcement by Source IP",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@network.client.ip",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 8,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 3251890052564543,
+ "definition": {
+ "title": "MFA Enforcement Actions Taken",
+ "title_size": "16",
+ 
"title_align": "left",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@evt.outcome",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "style": {
+ "palette": "datadog16"
+ },
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 500,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "type": "sunburst",
+ "legend": {
+ "type": "table"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 7,
+ "width": 6,
+ "height": 4
+ }
+ },
+ {
+ "id": 1372558427626162,
+ "definition": {
+ "title": "MFA Enforcement Event Details",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "response_format": "event_list",
+ "query": {
+ "data_source": "logs_stream",
+ "query_string": "source:pushsecurity service:CONTROL @object:MFA_ENFORCEMENT $user_email $event_outcome $application_type $client_ip",
+ "indexes": [],
+ "storage": "hot"
+ },
+ "columns": [
+ {
+ "field": "status_line",
+ "width": "auto"
+ },
+ {
+ "field": "timestamp",
+ "width": "auto"
+ },
+ {
+ "field": "content",
+ "width": "auto"
+ }
+ ]
+ }
+ ],
+ "type": "list_stream"
+ },
+ "layout": {
+ "x": 6,
+ "y": 7,
+ "width": 6,
+ "height": 4
+ }
+ }
+ ]
+ },
+ "layout": {
+ "x": 0,
+ "y": 67,
+ "width": 12,
+ "height": 12
+ }
+ },
+ {
+ "id": 686719093346119,
+ "definition": {
+ "title": "SSO Password Used",
+ "background_color": "vivid_orange",
+ "show_title": true,
+ "type": "group",
+ "layout_type": "ordered",
+ "widgets": [
+ {
+ "id": 6258200789157195,
+ "definition": {
+ "title": "Total SSO Password Used Events",
+ 
"title_size": "16",
+ "title_align": "left",
+ "type": "query_value",
+ "requests": [
+ {
+ "response_format": "scalar",
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "conditional_formats": [
+ {
+ "comparator": ">",
+ "value": 0,
+ "palette": "black_on_light_yellow"
+ }
+ ]
+ }
+ ],
+ "autoscale": true,
+ "precision": 2,
+ "timeseries_background": {
+ "yaxis": {},
+ "type": "bars"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 3,
+ "height": 3
+ }
+ },
+ {
+ "id": 4455804979646968,
+ "definition": {
+ "title": "SSO Password Used Events over Time",
+ "title_size": "16",
+ "title_align": "left",
+ "show_legend": false,
+ "legend_layout": "auto",
+ "legend_columns": [
+ "avg",
+ "min",
+ "max",
+ "value",
+ "sum"
+ ],
+ "type": "timeseries",
+ "requests": [
+ {
+ "formulas": [
+ {
+ "alias": "Event",
+ "formula": "query1"
+ }
+ ],
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "timeseries",
+ "style": {
+ "palette": "dog_classic",
+ "order_by": "values",
+ "line_type": "solid",
+ "line_width": "normal"
+ },
+ "display_type": "line"
+ }
+ ]
+ },
+ "layout": {
+ "x": 3,
+ "y": 0,
+ "width": 9,
+ "height": 3
+ }
+ },
+ {
+ "id": 915558634470054,
+ "definition": {
+ "title": "Top SSO Password App Types",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ 
"data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.appType",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ }
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 3,
+ "width": 3,
+ "height": 4
+ }
+ },
+ {
+ "id": 6077200413541957,
+ "definition": {
+ "title": "Top Employees Using SSO Passwords",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@usr.email",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 3,
+ "y": 3,
+ "width": 3,
+ "height": 4
+ }
+ },
+ {
+ "id": 3208994895625505,
+ "definition": {
+ "title": "Top IPs for SSO Password Used Events",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ 
"requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@network.client.ip",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 6,
+ "y": 3,
+ "width": 3,
+ "height": 4
+ }
+ },
+ {
+ "id": 348490326552005,
+ "definition": {
+ "title": "Top Target URLs for SSO Password Usage",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@http.url",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 9,
+ "y": 3,
+ "width": 3,
+ "height": 4
+ }
+ },
+ {
+ "id": 3260948409689339,
+ "definition": {
+ "title": "SSO Password 
Protection Mode Distribution",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.mode",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "style": {
+ "palette": "datadog16"
+ },
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 500,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "type": "sunburst",
+ "legend": {
+ "type": "table"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 7,
+ "width": 6,
+ "height": 4
+ }
+ },
+ {
+ "id": 5959208562232301,
+ "definition": {
+ "title": "SSO Password Protection Actions Taken",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@evt.outcome",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "style": {
+ "palette": "datadog16"
+ },
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 500,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "type": "sunburst",
+ "legend": {
+ "type": "table"
+ }
+ },
+ "layout": {
+ "x": 6,
+ "y": 7,
+ "width": 6, 
+ "height": 4
+ }
+ },
+ {
+ "id": 5691169993702888,
+ "definition": {
+ "title": "Top Referrer URLs",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.referrerUrl",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 11,
+ "width": 3,
+ "height": 4
+ }
+ },
+ {
+ "id": 97216342788537,
+ "definition": {
+ "title": "SSO Password Usage Event Details",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "response_format": "event_list",
+ "query": {
+ "data_source": "logs_stream",
+ "query_string": "source:pushsecurity service:CONTROL @object:SSO_PASSWORD_USED $user_email $event_outcome $application_type $client_ip",
+ "indexes": [],
+ "storage": "hot"
+ },
+ "columns": [
+ {
+ "field": "status_line",
+ "width": "auto"
+ },
+ {
+ "field": "timestamp",
+ "width": "auto"
+ },
+ {
+ "field": "content",
+ "width": "auto"
+ }
+ ]
+ }
+ ],
+ "type": "list_stream"
+ },
+ "layout": {
+ "x": 3,
+ "y": 11,
+ "width": 9,
+ "height": 4
+ }
+ }
+ ]
+ },
+ "layout": {
+ "x": 0,
+ "y": 79,
+ "width": 12,
+ "height": 16
+ }
+ },
+ {
+ "id": 7444373861925237,
+ "definition": {
+ "title": "Phishing Tool Detected",
+ "background_color": "vivid_orange",
+ "show_title": true,
+ "type": 
"group",
+ "layout_type": "ordered",
+ "widgets": [
+ {
+ "id": 2896778854520417,
+ "definition": {
+ "title": "Total Phishing Tool Detected Events",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "query_value",
+ "requests": [
+ {
+ "response_format": "scalar",
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "conditional_formats": [
+ {
+ "comparator": ">",
+ "value": 0,
+ "palette": "black_on_light_red"
+ }
+ ]
+ }
+ ],
+ "autoscale": true,
+ "precision": 2,
+ "timeseries_background": {
+ "yaxis": {},
+ "type": "bars"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 3,
+ "height": 3
+ }
+ },
+ {
+ "id": 4105607851270729,
+ "definition": {
+ "title": "Phishing Tool Detected Events over Time",
+ "title_size": "16",
+ "title_align": "left",
+ "show_legend": false,
+ "type": "timeseries",
+ "requests": [
+ {
+ "formulas": [
+ {
+ "alias": "Event",
+ "formula": "query1"
+ }
+ ],
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "timeseries",
+ "style": {
+ "palette": "dog_classic",
+ "order_by": "values",
+ "line_type": "solid",
+ "line_width": "normal"
+ },
+ "display_type": "line"
+ }
+ ]
+ },
+ "layout": {
+ "x": 3,
+ "y": 0,
+ "width": 9,
+ "height": 3
+ }
+ },
+ {
+ "id": 4520087154290140,
+ "definition": {
+ "title": "Top Phishing Tool Indicators",
+ "title_size": "16",
+ "title_align": "left",
+ "type": 
"toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.indicator",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ }
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 8400806887788784,
+ "definition": {
+ "title": "Top URLs by Phishing Tool Detections",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@http.url",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 4,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 1015941840576000,
+ "definition": {
+ "title": "Top Referrer URLs",
+ 
"title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.referrerUrl",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 8,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 7321811563425877,
+ "definition": {
+ "title": "Phishing Tool Detection Mode Distribution",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.mode",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "style": {
+ "palette": "datadog16"
+ },
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 500,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "type": "sunburst",
+ "legend": {
+ "type": "table"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 7,
+ "width": 6,
+ "height": 4
+ 
}
+ },
+ {
+ "id": 8850315407355756,
+ "definition": {
+ "title": "Phishing Tool Detection Actions Taken",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@evt.outcome",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "style": {
+ "palette": "datadog16"
+ },
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 500,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "type": "sunburst",
+ "legend": {
+ "type": "table"
+ }
+ },
+ "layout": {
+ "x": 6,
+ "y": 7,
+ "width": 6,
+ "height": 4
+ }
+ },
+ {
+ "id": 2985676796394810,
+ "definition": {
+ "title": "Top Employees by Phishing Tool Detections",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@usr.email",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": 
"stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 11,
+ "width": 6,
+ "height": 4
+ }
+ },
+ {
+ "id": 6914591754264252,
+ "definition": {
+ "title": "Top Source IPs by Phishing Tool Detections",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@network.client.ip",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 6,
+ "y": 11,
+ "width": 6,
+ "height": 4
+ }
+ },
+ {
+ "id": 8596712201738899,
+ "definition": {
+ "title": "Phishing Tool Detection Event Details",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "response_format": "event_list",
+ "query": {
+ "data_source": "logs_stream",
+ "query_string": "source:pushsecurity service:CONTROL @object:PHISHING_TOOL_DETECTED $user_email $event_outcome $application_type $client_ip",
+ "indexes": [],
+ "storage": "hot"
+ },
+ "columns": [
+ {
+ "field": "status_line",
+ "width": "auto"
+ },
+ {
+ "field": "timestamp",
+ "width": "auto"
+ },
+ {
+ "field": "content",
+ "width": "auto"
+ }
+ ]
+ }
+ ],
+ "type": "list_stream"
+ },
+ "layout": {
+ "x": 0,
+ "y": 15,
+ "width": 12,
+ "height": 4
+ }
+ }
+ ]
+ },
+ "layout": {
+ "x": 0,
+ "y": 95,
+ "width": 12,
+ "height": 20
+ }
+ },
+ {
+ "id": 
1276426855206804,
+ "definition": {
+ "title": "Stolen Credentials Detected",
+ "background_color": "vivid_orange",
+ "show_title": true,
+ "type": "group",
+ "layout_type": "ordered",
+ "widgets": [
+ {
+ "id": 4059139984565163,
+ "definition": {
+ "title": "Total Stolen Credentials Detected Events",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "query_value",
+ "requests": [
+ {
+ "response_format": "scalar",
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "conditional_formats": [
+ {
+ "comparator": ">",
+ "value": 0,
+ "palette": "black_on_light_yellow"
+ }
+ ]
+ }
+ ],
+ "autoscale": true,
+ "precision": 2,
+ "timeseries_background": {
+ "yaxis": {},
+ "type": "bars"
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 3,
+ "height": 3
+ }
+ },
+ {
+ "id": 3277158005893371,
+ "definition": {
+ "title": "Stolen Credentials Detected Events over Time",
+ "title_size": "16",
+ "title_align": "left",
+ "show_legend": false,
+ "type": "timeseries",
+ "requests": [
+ {
+ "formulas": [
+ {
+ "alias": "Event",
+ "formula": "query1"
+ }
+ ],
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "timeseries",
+ "style": {
+ "palette": "dog_classic",
+ "order_by": "values",
+ "line_type": "solid",
+ "line_width": "normal"
+ },
+ "display_type": "line"
+ }
+ ]
+ },
+ "layout": {
+ "x": 3,
+ "y": 0,
+ "width": 9,
+ 
"height": 3
+ }
+ },
+ {
+ "id": 6195424083029133,
+ "definition": {
+ "title": "Top Affected Accounts",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.email",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ }
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ }
+ },
+ "layout": {
+ "x": 0,
+ "y": 3,
+ "width": 4,
+ "height": 4
+ }
+ },
+ {
+ "id": 2765746735489671,
+ "definition": {
+ "title": "Top Apps with Stolen Credentials",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "name": "query1",
+ "data_source": "logs",
+ "search": {
+ "query": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip"
+ },
+ "indexes": [
+ "*"
+ ],
+ "group_by": [
+ {
+ "facet": "@new.appType",
+ "limit": 10,
+ "sort": {
+ "aggregation": "count",
+ "order": "desc",
+ "metric": "count"
+ },
+ "should_exclude_missing": true
+ }
+ ],
+ "compute": {
+ "aggregation": "count"
+ },
+ "storage": "hot"
+ }
+ ],
+ "response_format": "scalar",
+ "formulas": [
+ {
+ "formula": "query1"
+ }
+ ],
+ "sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "style": {
+ "display": {
+ "type": "stacked",
+ "legend": "automatic"
+ }
+ 
} + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 3408178197559180, + "definition": { + "title": "Top Employees with Stolen Credentials Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 5151902398743386, + "definition": { + "title": "Top Source IPs for Stolen Credentials Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", 
+ "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 7068388530746589, + "definition": { + "title": "Stolen Credentials Detection Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:CONTROL @object:STOLEN_CREDENTIALS_DETECTED $user_email $event_outcome $application_type $client_ip", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 115, + "width": 12, + "height": 12 + } + }, + { + "id": 5832171259499389, + "definition": { + "title": "Strong Password Enforcement Event", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5747551828604192, + "definition": { + "title": "Total Strong Password Enforcement Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": 
true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5543721935639311, + "definition": { + "title": "Strong Password Enforcement Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 3031204024507346, + "definition": { + "title": "Top Apps with Strong Password Enforcement", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.appType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": 
"automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 5644450226328720, + "definition": { + "title": "Top Employees Triggering Enforcement", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 5296972507870186, + "definition": { + "title": "Top Source IP Addresses by Enforcement Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": 
"formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 6822060348256008, + "definition": { + "title": "Enforcement Actions Taken by Users", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.outcome", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1959368419716449, + "definition": { + "title": "Strong Password Enforcement Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:CONTROL @object:STRONG_PASSWORD_ENFORCEMENT $user_email $event_outcome $application_type $client_ip", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } 
+ } + ] + }, + "layout": { + "x": 0, + "y": 127, + "width": 12, + "height": 12 + } + } + ], + "template_variables": [ + { + "name": "user_email", + "prefix": "@usr.email", + "available_values": [], + "default": "*" + }, + { + "name": "event_outcome", + "prefix": "@evt.outcome", + "available_values": [], + "default": "*" + }, + { + "name": "application_type", + "prefix": "@new.appType", + "available_values": [], + "default": "*" + }, + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/push_security/assets/dashboards/push_security_detections.json b/push_security/assets/dashboards/push_security_detections.json new file mode 100644 index 0000000000000..5abb875a7365c --- /dev/null +++ b/push_security/assets/dashboards/push_security_detections.json 
@@ -0,0 +1,2007 @@ +{ + "title": "Push Security - Detections", + "description": "This dashboard offers a comprehensive summary of blocked URLs, phishing attacks, and stolen credential detections, providing clear visibility into active threats and security incidents.", + "widgets": [ + { + "id": 8508816171812108, + "definition": { + "type": "image", + "url": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "url_dark_theme": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 10546878817969, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of blocked URLs, phishing attacks, and stolen credential detections, providing clear visibility into active threats and security incidents.\n\nFor more information, see the [Push Security Documentation](https://docs.datadoghq.com/integrations/push_security/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 3569705310123999, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2783930304552371, + "definition": { + "title": "Total Detection Events", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5138577513957007, + "definition": { + "title": "Detection Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Detection Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 5410647026976859, + "definition": { + "title": "Events by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $user_email $severity $event_outcome" + }, + 
"indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5412020082353573, + "definition": { + "title": "Detection Events by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3857982523484888, + "definition": { + "title": "Top Employees by Detections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", 
+ "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 3127344240923313, + "definition": { + "title": "Detection Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:DETECTION $user_email $severity $event_outcome", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 12 + } + }, + { + "id": 8344641485849564, + "definition": { + "title": "Blocked URL Detection", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8101040829664152, + "definition": { + "title": "Total Blocked URL Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL $user_email $severity $event_outcome" + }, + 
"indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 6692167947772074, + "definition": { + "title": "Blocked URL Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Blocked URL Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 5002677574522957, + "definition": { + "title": "Blocked URL Events by type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": 
"hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1793899745468669, + "definition": { + "title": "Blocked URL Events Detected by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4622844163276551, + "definition": { + "title": "Blocked URL Events Detected by Department", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.employee.department", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": 
"count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 4500619413404481, + "definition": { + "title": "Blocked URL Detection Response Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.outcome", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + }, + { + "id": 4843736653364139, + "definition": { + "title": "Top Employees by Blocked URL Events Detected", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:BLOCKED_URL @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 5850275418774684, + "definition": { + "title": "Blocked URL Detection Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:DETECTION @object:BLOCKED_URL $user_email $severity $event_outcome", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 11, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 16 + } + }, + { + "id": 3079320136215618, + "definition": { + "title": "Phishing Attack Detection", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6438802293116291, + "definition": { + "title": "Total Phishing Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 1056274768693752, + "definition": { + "title": "Phishing Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Phishing Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 1511637790697542, + "definition": { + "title": "Phishing Events by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": 
"datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5876016952515269, + "definition": { + "title": "Phishing Events by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3253810053953305, + "definition": { + "title": "Phishing Events by Department", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.employee.department", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1487454036562927, + "definition": { + "title": "Phishing Detection Response Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.outcome", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8849687569436134, + "definition": { + "title": "Top Employees by Phishing Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:PHISHING @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, 
+ "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 5809588344253718, + "definition": { + "title": "Phishing Detection Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:DETECTION @object:PHISHING $user_email $severity $event_outcome", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 11, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 16, + "is_column_break": true + } + }, + { + "id": 4437491025853666, + "definition": { + "title": "Stolen Credentials Detection", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5093179049079633, + "definition": { + "title": "Total Stolen Credentials Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, 
+ "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 2418825306345170, + "definition": { + "title": "Stolen Credentials Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 1630693271520938, + "definition": { + "title": "Stolen Credentials Events by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + 
"palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4568101725802397, + "definition": { + "title": "Stolen Credentials Events by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3131201005270690, + "definition": { + "title": "Stolen Credentials Events by Department", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new.employee.department", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + 
], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6274884578550747, + "definition": { + "title": "Stolen Credentials Detection Response Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.outcome", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6575686189608812, + "definition": { + "title": "Top Employees by Stolen Credentials Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS @type:CREATE $user_email $severity $event_outcome" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 
10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 1121827070495615, + "definition": { + "title": "Stolen Credentials Detection Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:DETECTION @object:STOLEN_CREDENTIALS $user_email $severity $event_outcome", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 11, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 47, + "width": 12, + "height": 16 + } + } + ], + "template_variables": [ + { + "name": "user_email", + "prefix": "@usr.email", + "available_values": [], + "default": "*" + }, + { + "name": "severity", + "prefix": "@severity", + "available_values": [], + "default": "*" + }, + { + "name": "event_outcome", + "prefix": "@evt.outcome", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/push_security/assets/dashboards/push_security_entity.json b/push_security/assets/dashboards/push_security_entity.json new file mode 100644 index 0000000000000..c404d9810d0ba 
--- /dev/null +++ b/push_security/assets/dashboards/push_security_entity.json 
@@ -0,0 +1,1042 @@ +{ + "title": "Push Security - Entity", + "description": "This dashboard offers a comprehensive summary of key entities such as accounts, applications, browsers, employees, and findings to provide insight into your security environment.", + "widgets": [ + { + "id": 8508816171812108, + "definition": { + "type": "image", + "url": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "url_dark_theme": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 10546878817969, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive summary of key entities such as accounts, applications, browsers, employees, and findings to provide insight into your security environment.\n\nFor more information, see the [Push Security Documentation](https://docs.datadoghq.com/integrations/push_security/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 3569705310123999, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2783930304552371, + "definition": { + "title": "Total Entity Events", + "title_size": "16", + "title_align": "left", + 
"type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 6964842732912243, + "definition": { + "title": "Entity Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Entity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 3823652230992030, + "definition": { + "title": "Entity Events by Operation", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:pushsecurity service:ENTITY $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 1872359295516518, + "definition": { + "title": "Entity Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:ENTITY $event_name $type", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 11 + } + }, + { + "id": 4468118218361704, + "definition": { + "title": "Entity Creation Insights", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5153838165887277, + "definition": { + "title": "Top Entity Types by Entity Creation", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @type:CREATE 
$event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 8777482221943838, + "definition": { + "title": "Created Entity over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Entity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @type:CREATE $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 2642063133234640, + "definition": { + "title": "Total Findings Created", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": 
"query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @object:FINDING $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 1478707274199892, + "definition": { + "title": "Findings Created over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Entity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @object:FINDING $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 3 + } + }, + { + "id": 4035203141697471, + "definition": { + "title": "Entity Create Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:ENTITY @type:CREATE $event_name $type", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + 
"field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 10 + } + }, + { + "id": 4284715746919810, + "definition": { + "title": "Entity Update Insights", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1975824819118761, + "definition": { + "title": "Top Entity Types by Entity Update", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @type:UPDATE $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 2218593469124732, + "definition": { + "title": "Updated Entity over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Entity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @type:UPDATE $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 8487069185914559, + "definition": { + "title": "Entity Update Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity service:ENTITY @type:UPDATE $event_name $type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 7 + } + }, + { + "id": 8725467750734877, + "definition": { + "title": "Entity Deletion Insights", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3157284420378315, + "definition": { + "title": "Top Entity Types by Entity Deletion", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @type:DELETE $event_name $type" + }, + 
"indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 8598226404415819, + "definition": { + "title": "Deleted Entity over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Entity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY @type:DELETE $event_name $type" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 1629224454888312, + "definition": { + "title": "Entity Deletion Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + 
"query_string": "source:pushsecurity service:ENTITY @type:DELETE $event_name $type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 7 + } + } + ], + "template_variables": [ + { + "name": "event_name", + "prefix": "@evt.name", + "available_values": [], + "default": "*" + }, + { + "name": "type", + "prefix": "@type", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/push_security/assets/dashboards/push_security_overview.json b/push_security/assets/dashboards/push_security_overview.json new file mode 100644 index 0000000000000..380ebf7d3b8b2 --- /dev/null +++ b/push_security/assets/dashboards/push_security_overview.json 
@@ -0,0 +1,1453 @@ +{ + "title": "Push Security - Overview", + "description": "This dashboard offers a comprehensive summary of push security events.", + "widgets": [ + { + "id": 8508816171812108, + "definition": { + "type": "image", + "url": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "url_dark_theme": "https://lever-client-logos.s3.us-west-2.amazonaws.com/af1f06cb-5fe4-4956-b99d-89b489dc3de9-1749476979307.png", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 10546878817969, + "definition": { + "type": "note", + "content": "[Push Security](https://pushsecurity.com/) is an identity security platform that focuses on securing workforce identities through browser-level monitoring. It uses a browser extension to provide real-time visibility into user activity, enabling the detection and response to threats such as phishing, session hijacking, and credential misuse.\n\nThis dashboard offers a comprehensive summary of push security events.\n\nFor more information, see the [Push Security Documentation](https://docs.datadoghq.com/integrations/push_security/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "orange", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 2359747953745690, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": 
[ + { + "id": 3535367490927331, + "definition": { + "title": "Total Push Security Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 2075683450489690, + "definition": { + "title": "Push Security Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Push Security Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2434720994596062, + "definition": { + "title": "Top Objects", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:pushsecurity $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@evt.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 4119256967514169, + "definition": { + "title": "Distribution by Categories", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 3 + } + }, + { + "id": 1220549390933439, + "definition": { + "title": "Total Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY $category 
$event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 3, + "height": 3 + } + }, + { + "id": 6612787829156264, + "definition": { + "title": "Activity Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Activity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ACTIVITY $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 6, + "width": 9, + "height": 3 + } + }, + { + "id": 8364126385953429, + "definition": { + "title": "Total Audit Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + 
"palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 3 + } + }, + { + "id": 4500961091615137, + "definition": { + "title": "Audit Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:AUDIT $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 9, + "width": 9, + "height": 3 + } + }, + { + "id": 3782687339014091, + "definition": { + "title": "Total Control Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 1425482385795097, 
+ "definition": { + "title": "Control Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Control Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:CONTROL $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 12, + "width": 9, + "height": 3 + } + }, + { + "id": 7556212599856494, + "definition": { + "title": "Total Detection Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 8985578754747413, + "definition": { + "title": "Detection Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": 
"timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Detection Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:DETECTION $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 15, + "width": 9, + "height": 3 + } + }, + { + "id": 736192324378529, + "definition": { + "title": "Total Entity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY $category $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 8915696879594161, + "definition": { + "title": "Entity Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Entity Event", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:pushsecurity service:ENTITY $category 
$event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 18, + "width": 9, + "height": 3 + } + }, + { + "id": 1684364589744873, + "definition": { + "title": "Push Security Events", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:pushsecurity $category $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 25 + } + }, + { + "id": 1788200238589151, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5796443987164897, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates **Push Security** Events to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). 
", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 7592497432339158, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:pushsecurity status:critical" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 8590838176656657, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:pushsecurity status:high" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 5637582141964113, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": 
">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:pushsecurity status:critical" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 798578581210795, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:pushsecurity status:medium" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5030971382265516, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" 
+ ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:pushsecurity status:low" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 8810194885305869, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:pushsecurity status:info" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 145497858656265, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:pushsecurity status:high" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 
6, + "height": 4 + } + }, + { + "id": 5478511460240243, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:pushsecurity status:medium" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 28, + "width": 12, + "height": 10, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "category", + "prefix": "@category", + "available_values": [], + "default": "*" + }, + { + "name": "event_name", + "prefix": "@evt.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/push_security/assets/logs/push-security.yaml b/push_security/assets/logs/push-security.yaml new file mode 100644 index 0000000000000..511d2033715ee --- /dev/null +++ b/push_security/assets/logs/push-security.yaml 
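Review bot: The image widget at the top of the overview dashboard (id 8508816171812108) loads the product logo from `https://lever-client-logos.s3.us-west-2.amazonaws.com/...`, which appears to be a third-party bucket controlled by neither Datadog nor Push Security, so every dashboard load depends on and renders whatever that external object holds; serve the logo (both `url` and `url_dark_theme`) from a host the integration owners control. The "Push Security Events" list_stream query sets `"indexes": []` while every other query in the file uses `"indexes": ["*"]`; if that difference is not deliberate, align it. The query_value widgets display plain event counts yet set `"precision": 2`, so `"precision": 0` would avoid rendering integer totals with decimals. The `$category` template variable (prefix `@category`) only filters as intended if `category` remains a searchable log attribute after the pipeline's service remapper consumes it; worth confirming against an ingested sample.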
@@ -0,0 +1,665 @@ +id: push-security +metric_id: push-security +backend_only: false +installation_sources: + - pushsecurity +facets: + - groups: + - Event + name: Event Name + path: evt.name + source: log + - groups: + - Event + name: Event Outcome + path: evt.outcome + source: log + - groups: + - Web Access + name: URL Path + path: http.url + source: log + - groups: + - Web Access + name: User-Agent + path: http.useragent + source: log + - groups: + - Web Access + name: Browser + path: http.useragent_details.browser.family + source: log + - groups: + - Web Access + name: Device + path: http.useragent_details.device.family + source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - User + name: User Email + path: usr.email + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log +pipeline: + type: pipeline + name: Push Security + enabled: true + filter: + query: source:pushsecurity + processors: + - type: arithmetic-processor + name: Convert `timestamp` epoch to milliseconds epoch + enabled: true + expression: 
timestamp * 1000 + target: timestamp + replaceMissing: false + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp + - type: service-remapper + name: Define `category` as the official service of the log + enabled: true + sources: + - category + - type: message-remapper + name: Define `description` as the official message of the log + enabled: true + sources: + - description + - type: attribute-remapper + name: Map `friendlyName` to `evt.name` + enabled: true + sources: + - friendlyName + sourceType: attribute + target: evt.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Detection Create, and Update Events + enabled: true + filter: + query: service:DETECTION @type:(CREATE OR UPDATE) + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{new.employee.firstName} %{new.employee.lastName}" + target: new.employee.fullName + replaceMissing: true + - name: Lookup on `new.severity` to `severity` + enabled: true + source: new.severity + target: severity + lookupTable: |- + CRITICAL,critical + HIGH,warning + MEDIUM,notice + LOW,info + type: lookup-processor + - type: status-remapper + name: Define `severity` as the official status of the log + enabled: true + sources: + - severity + - type: attribute-remapper + name: Map `new.employee.id` to `usr.id` + enabled: true + sources: + - new.employee.id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.employee.fullName` to `usr.name` + enabled: true + sources: + - new.employee.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.employee.email` to `usr.email` + enabled: true + sources: + - 
new.employee.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.response` to `evt.outcome` + enabled: true + sources: + - new.response + sourceType: attribute + target: evt.outcome + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Detection Delete Events + enabled: true + filter: + query: service:DETECTION @type:DELETE + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{old.employee.firstName} %{old.employee.lastName}" + target: old.employee.fullName + replaceMissing: true + - name: Lookup on `old.severity` to `severity` + enabled: true + source: old.severity + target: severity + lookupTable: |- + CRITICAL,critical + HIGH,warning + MEDIUM,notice + LOW,info + type: lookup-processor + - type: status-remapper + name: Define `severity` as the official status of the log + enabled: true + sources: + - severity + - type: attribute-remapper + name: Map `old.employee.id` to `usr.id` + enabled: true + sources: + - old.employee.id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `old.employee.fullName` to `usr.name` + enabled: true + sources: + - old.employee.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `old.employee.email` to `usr.email` + enabled: true + sources: + - old.employee.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `old.response` to `evt.outcome` + enabled: true + sources: + - old.response + sourceType: attribute + target: evt.outcome + targetType: attribute + 
preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Activity Events + enabled: true + filter: + query: service:ACTIVITY + processors: + - type: attribute-remapper + name: Map `new.employeeId` to `usr.id` + enabled: true + sources: + - new.employeeId + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.loginUrl` to `http.url` + enabled: true + sources: + - new.loginUrl + sourceType: attribute + target: http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.sourceIpAddress` to `network.client.ip` + enabled: true + sources: + - new.sourceIpAddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.userAgent` to `http.useragent` + enabled: true + sources: + - new.userAgent + sourceType: attribute + target: http.useragent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Control Events + enabled: true + filter: + query: service:CONTROL + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{new.employee.firstName} %{new.employee.lastName}" + target: new.employee.fullName + replaceMissing: true + - type: attribute-remapper + name: Map `new.employee.id` to `usr.id` + enabled: true + sources: + - new.employee.id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.employee.fullName` to `usr.name` + enabled: true + sources: + - new.employee.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map 
`new.employee.email` to `usr.email` + enabled: true + sources: + - new.employee.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.action` to `evt.outcome` + enabled: true + sources: + - new.action + sourceType: attribute + target: evt.outcome + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.url` to `http.url` + enabled: true + sources: + - new.url + sourceType: attribute + target: http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.sourceIpAddress` to `network.client.ip` + enabled: true + sources: + - new.sourceIpAddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.userAgent` to `http.useragent` + enabled: true + sources: + - new.userAgent + sourceType: attribute + target: http.useragent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Audit Events with Actor Email + enabled: true + filter: + query: service:AUDIT @actor.email:* + processors: + - type: attribute-remapper + name: Map `actor.email` to `usr.email` + enabled: true + sources: + - actor.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `actor.sourceIpAddress` to `network.client.ip` + enabled: true + sources: + - actor.sourceIpAddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `actor.userAgent` to `http.useragent` + enabled: true + sources: + - actor.userAgent + sourceType: attribute + target: http.useragent + 
targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Audit Events with Actor API Key + enabled: true + filter: + query: service:AUDIT @actor.apiKeyName:* + processors: + - type: attribute-remapper + name: Map `actor.apiKeyCreatedBy` to `usr.email` + enabled: true + sources: + - actor.apiKeyCreatedBy + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `actor.sourceIpAddress` to `network.client.ip` + enabled: true + sources: + - actor.sourceIpAddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `actor.userAgent` to `http.useragent` + enabled: true + sources: + - actor.userAgent + sourceType: attribute + target: http.useragent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parse Entity Events without Finding and Employee Events + enabled: true + filter: + query: service:ENTITY @type:(CREATE OR UPDATE) -@object:(FINDING OR EMPLOYEE) + processors: + - type: attribute-remapper + name: Map `new.employeeId,new.ownerId` to `usr.id` + enabled: true + sources: + - new.employeeId + - new.ownerId + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.email` to `usr.email` + enabled: true + sources: + - new.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parsing Entity Delete Events without Finding and Employee Events + enabled: true + filter: + query: service:ENTITY @type:DELETE -@object:(FINDING OR EMPLOYEE) + processors: + - type: attribute-remapper + name: Map `old.employeeId,old.ownerId` to `usr.id` + enabled: true + sources: + 
- old.employeeId + - old.ownerId + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `old.email` to `usr.email` + enabled: true + sources: + - old.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parsing Entity Employee Create and Update Events + enabled: true + filter: + query: service:ENTITY @type:(CREATE OR UPDATE) @object:EMPLOYEE + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{new.firstName} %{new.lastName}" + target: new.fullName + replaceMissing: true + - type: attribute-remapper + name: Map `new.fullName` to `usr.name` + enabled: true + sources: + - new.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.id` to `usr.id` + enabled: true + sources: + - new.id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parsing Entity Finding Create and Update Events + enabled: true + filter: + query: service:ENTITY @type:(CREATE OR UPDATE) @object:FINDING + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{new.employee.firstName} %{new.employee.lastName}" + target: new.employee.fullName + replaceMissing: true + - type: attribute-remapper + name: Map `new.employee.fullName` to `usr.name` + enabled: true + sources: + - new.employee.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `new.employee.email` to `usr.email` + enabled: true + sources: + - new.employee.email + sourceType: attribute + 
target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parsing Entity Employee Delete Events + enabled: true + filter: + query: service:ENTITY @type:DELETE @object:EMPLOYEE + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{old.firstName} %{old.lastName}" + target: old.fullName + replaceMissing: true + - type: attribute-remapper + name: Map `old.fullName` to `usr.name` + enabled: true + sources: + - old.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `old.id` to `usr.id` + enabled: true + sources: + - old.id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Parsing Entity Finding Delete Events + enabled: true + filter: + query: service:ENTITY @type:DELETE @object:FINDING + processors: + - type: string-builder-processor + name: Prepare `fullName` string for user + enabled: true + template: "%{old.employee.firstName} %{old.employee.lastName}" + target: old.employee.fullName + replaceMissing: true + - type: attribute-remapper + name: Map `old.employee.fullName` to `usr.name` + enabled: true + sources: + - old.employee.fullName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `old.employee.email` to `usr.email` + enabled: true + sources: + - old.employee.email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Extract geolocation information + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: user-agent-parser + name: User Agent Parser for 
`http.useragent` + enabled: true + sources: + - http.useragent + target: http.useragent_details + encoded: false + combineVersionDetails: false diff --git a/push_security/assets/logs/push-security_tests.yaml b/push_security/assets/logs/push-security_tests.yaml new file mode 100644 index 0000000000000..0fed0b17af701 --- /dev/null +++ b/push_security/assets/logs/push-security_tests.yaml 
@@ -0,0 +1,869 @@ +id: push-security +tests: + - + sample: |- + { + "new" : { + "os" : "MACOS", + "loginType" : "PASSWORD_LOGIN", + "sourceIpAddress" : "10.10.10.10", + "employeeId" : "emp1", + "userAgent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15", + "passwordManuallyTyped" : true, + "accountId" : "acc1", + "weakPassword" : false, + "passwordId" : "pass1", + "appType" : "EXAMPLE_APP", + "loginUrl" : "https://example.com/authorize", + "appId" : "app1", + "browser" : "SAFARI", + "workApp" : true, + "loginTimestamp" : 1757326157, + "email" : "test.user@example.com", + "leakedPassword" : false + }, + "description" : "test.user@example.com logged into https://example.com/authorize using a password", + "id" : "123", + "category" : "ACTIVITY", + "version" : "1", + "friendlyName" : "Login", + "timestamp" : 1757326162, + "object" : "LOGIN" + } + result: + custom: + category: "ACTIVITY" + evt: + name: "Login" + http: + url: "https://example.com/authorize" + useragent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15" + useragent_details: + browser: + family: "Safari" + major: "17" + minor: "6" + device: + brand: "Apple" + category: "Desktop" + family: "Mac" + model: "Mac" + os: + family: "Mac OS X" + major: "10" + minor: "15" + patch: "7" + id: "123" + network: + client: + geoip: {} + ip: "10.10.10.10" + new: + accountId: "acc1" + appId: "app1" + appType: "EXAMPLE_APP" + browser: "SAFARI" + email: "test.user@example.com" + leakedPassword: false + loginTimestamp: 1757326157 + loginType: "PASSWORD_LOGIN" + os: "MACOS" + passwordId: "pass1" + passwordManuallyTyped: true + weakPassword: false + workApp: true + object: "LOGIN" + timestamp: 1.757326162E12 + usr: + id: "emp1" + version: "1" + message: "test.user@example.com logged into https://example.com/authorize using a password" + service: "ACTIVITY" + tags: + - 
"source:LOGS_SOURCE" + timestamp: 1757326162000 + - + sample: |- + { + "new" : { + "indicator" : "TEST_IND", + "mode" : "WARN", + "os" : "WINDOWS", + "browser" : "CHROME", + "sourceIpAddress" : "10.10.10.10", + "action" : "DISPLAYED", + "userAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36", + "employee" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + "creationTimestamp" : 1754473323, + "id" : "emp1", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + }, + "url" : "https://example.dev/" + }, + "description" : "test.user@example.com was blocked from visiting https://example.dev/", + "id" : "123", + "category" : "CONTROL", + "version" : "1", + "friendlyName" : "Phishing tool detected", + "timestamp" : 1757404789, + "object" : "PHISHING_TOOL_DETECTED" + } + result: + custom: + category: "CONTROL" + evt: + name: "Phishing tool detected" + outcome: "DISPLAYED" + http: + url: "https://example.dev/" + useragent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "140" + minor: "0" + patch: "0" + patch_minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "10" + id: "123" + network: + client: + geoip: {} + ip: "10.10.10.10" + new: + browser: "CHROME" + employee: + chatopsEnabled: false + creationTimestamp: 1754473323 + department: "/" + firstName: "test" + lastName: "user" + licensed: true + indicator: "TEST_IND" + mode: "WARN" + os: "WINDOWS" + object: "PHISHING_TOOL_DETECTED" + timestamp: 1.757404789E12 + usr: + email: "test.user@example.com" + id: "emp1" + name: "test user" + version: "1" + message: "test.user@example.com was blocked from visiting https://example.dev/" + service: "CONTROL" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757404789000 + - + sample: |- + { + 
"new" : { + "severity" : "MEDIUM", + "lastActivityTimestamp" : 1757404789, + "archived" : false, + "browserId" : "browser1", + "detectionType" : "PHISHING", + "detectionLink" : "https://pushsecurity.com/app/detections?id=test_id1", + "response" : "EMPLOYEE_WARNED", + "creationTimestamp" : 1757404789, + "employeeId" : "emp1", + "id" : "abc", + "employee" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + "creationTimestamp" : 1754473323, + "id" : "emp1", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + } + }, + "description" : "test.user@example.com triggered a new phishing detection", + "id" : "123", + "category" : "DETECTION", + "type" : "CREATE", + "version" : "1", + "friendlyName" : "Phishing attack", + "timestamp" : 1757404789, + "object" : "PHISHING" + } + result: + custom: + category: "DETECTION" + evt: + name: "Phishing attack" + outcome: "EMPLOYEE_WARNED" + id: "123" + new: + archived: false + browserId: "browser1" + creationTimestamp: 1757404789 + detectionLink: "https://pushsecurity.com/app/detections?id=test_id1" + detectionType: "PHISHING" + employee: + chatopsEnabled: false + creationTimestamp: 1754473323 + department: "/" + firstName: "test" + lastName: "user" + licensed: true + employeeId: "emp1" + id: "abc" + lastActivityTimestamp: 1757404789 + severity: "MEDIUM" + object: "PHISHING" + severity: "notice" + timestamp: 1.757404789E12 + type: "CREATE" + usr: + email: "test.user@example.com" + id: "emp1" + name: "test user" + version: "1" + message: "test.user@example.com triggered a new phishing detection" + service: "DETECTION" + status: "notice" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757404789000 + - + sample: |- + { + "new" : { + "severity" : "HIGH", + "lastActivityTimestamp" : 1757334485, + "archived" : false, + "browserId" : "browser_1", + "detectionType" : "PHISHING", + "detectionLink" : "https://pushsecurity.com/app/detections?id=test_id1", + "response" : 
"EMPLOYEE_IGNORED_WARNING", + "creationTimestamp" : 1757334476, + "employeeId" : "emp1", + "id" : "test_id1", + "employee" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + "creationTimestamp" : 1752659761, + "id" : "emp1", + "email" : "test.user@example.com", + "chatopsEnabled" : false + } + }, + "old" : { + "severity" : "MEDIUM", + "lastActivityTimestamp" : 1757334476, + "archived" : false, + "browserId" : "browser_1", + "detectionType" : "PHISHING", + "detectionLink" : "https://pushsecurity.com/app/detections?id=test_id1", + "response" : "EMPLOYEE_WARNED", + "creationTimestamp" : 1757334476, + "employeeId" : "emp1", + "id" : "test_id1", + "employee" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + "creationTimestamp" : 1752659761, + "id" : "emp1", + "email" : "test.user@example.com", + "chatopsEnabled" : false + } + }, + "description" : "Phishing detection for test.user@example.com updated", + "id" : "123", + "category" : "DETECTION", + "type" : "UPDATE", + "version" : "1", + "friendlyName" : "Phishing attack", + "timestamp" : 1757334485, + "object" : "PHISHING" + } + result: + custom: + category: "DETECTION" + evt: + name: "Phishing attack" + outcome: "EMPLOYEE_IGNORED_WARNING" + id: "123" + new: + archived: false + browserId: "browser_1" + creationTimestamp: 1757334476 + detectionLink: "https://pushsecurity.com/app/detections?id=test_id1" + detectionType: "PHISHING" + employee: + chatopsEnabled: false + creationTimestamp: 1752659761 + firstName: "test" + lastName: "user" + licensed: true + employeeId: "emp1" + id: "test_id1" + lastActivityTimestamp: 1757334485 + severity: "HIGH" + object: "PHISHING" + old: + archived: false + browserId: "browser_1" + creationTimestamp: 1757334476 + detectionLink: "https://pushsecurity.com/app/detections?id=test_id1" + detectionType: "PHISHING" + employee: + chatopsEnabled: false + creationTimestamp: 1752659761 + email: "test.user@example.com" + firstName: "test" + id: "emp1" + 
lastName: "user" + licensed: true + employeeId: "emp1" + id: "test_id1" + lastActivityTimestamp: 1757334476 + response: "EMPLOYEE_WARNED" + severity: "MEDIUM" + severity: "warning" + timestamp: 1.757334485E12 + type: "UPDATE" + usr: + email: "test.user@example.com" + id: "emp1" + name: "test user" + version: "1" + message: "Phishing detection for test.user@example.com updated" + service: "DETECTION" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757334485000 + - + sample: |- + { + "actor" : { + "role" : "FULL_ACCESS", + "sourceIpAddress" : "10.10.10.10", + "userAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36", + "source" : "UI", + "email" : "test.user@example.com" + }, + "new" : { + "query" : "events", + "arguments" : { + "sortDirection" : "DESC", + "category" : "AUDIT", + "first" : 50 + } + }, + "description" : "test.user@example.com listed events from event log", + "id" : "123", + "category" : "AUDIT", + "version" : "1", + "friendlyName" : "Admin loaded data", + "timestamp" : 1757488503, + "object" : "ADMIN_LOADED_DATA" + } + result: + custom: + actor: + role: "FULL_ACCESS" + source: "UI" + category: "AUDIT" + evt: + name: "Admin loaded data" + http: + useragent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "140" + minor: "0" + patch: "0" + patch_minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "10" + id: "123" + network: + client: + geoip: {} + ip: "10.10.10.10" + new: + arguments: + category: "AUDIT" + first: 50 + sortDirection: "DESC" + query: "events" + object: "ADMIN_LOADED_DATA" + timestamp: 1.757488503E12 + usr: + email: "test.user@example.com" + version: "1" + message: "test.user@example.com listed events from event log" + service: "AUDIT" + tags: + - "source:LOGS_SOURCE" + timestamp: 
1757488503000 + - + sample: |- + { + "actor" : { + "apiKeyCreatedBy" : "adm1", + "sourceIpAddress" : "10.10.10.10", + "apiKeyName" : "key-1", + "userAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36", + "source" : "API" + }, + "new" : { + "query" : "events", + "arguments" : { + "sortDirection" : "DESC", + "category" : "AUDIT", + "first" : 50 + } + }, + "description" : "test.user@example.com listed events from event log", + "id" : "123", + "category" : "AUDIT", + "version" : "1", + "friendlyName" : "Admin loaded data", + "timestamp" : 1757488503, + "object" : "ADMIN_LOADED_DATA" + } + result: + custom: + actor: + apiKeyName: "key-1" + source: "API" + category: "AUDIT" + evt: + name: "Admin loaded data" + http: + useragent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "140" + minor: "0" + patch: "0" + patch_minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "10" + id: "123" + network: + client: + geoip: {} + ip: "10.10.10.10" + new: + arguments: + category: "AUDIT" + first: 50 + sortDirection: "DESC" + query: "events" + object: "ADMIN_LOADED_DATA" + timestamp: 1.757488503E12 + usr: + email: "adm1" + version: "1" + message: "test.user@example.com listed events from event log" + service: "AUDIT" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757488503000 + - + sample: |- + { + "new" : { + "lastOnlineTimestamp" : 1757404720, + "os" : "WINDOWS", + "profileSyncEnabled" : true, + "employeeId" : "emp_1", + "language" : "en-GB", + "isActive" : true, + "version" : "140.0.0.0", + "profileEmail" : "test.user@example.com", + "browser" : "CHROME", + "creationTimestamp" : 1757337192, + "extensionVersion" : "2.0.0", + "id" : "abc", + "tokenType" : "INDIVIDUAL", + "email" : "test.user@example.com" + }, + "old" : { + "lastOnlineTimestamp" : 
1757404720, + "os" : "WINDOWS", + "profileSyncEnabled" : true, + "employeeId" : "emp_1", + "language" : "en-GB", + "isActive" : true, + "version" : "140.0.0.0", + "profileEmail" : "test.user@example.com", + "browser" : "CHROME", + "creationTimestamp" : 1757337192, + "extensionVersion" : "1.96.19", + "id" : "abc", + "tokenType" : "INDIVIDUAL", + "email" : "test.user@example.com" + }, + "description" : "Browser for test.user@example.com updated", + "id" : "123", + "category" : "ENTITY", + "type" : "UPDATE", + "version" : "1", + "friendlyName" : "Browser", + "timestamp" : 1757404720, + "object" : "BROWSER" + } + result: + custom: + category: "ENTITY" + evt: + name: "Browser" + id: "123" + new: + browser: "CHROME" + creationTimestamp: 1757337192 + extensionVersion: "2.0.0" + id: "abc" + isActive: true + language: "en-GB" + lastOnlineTimestamp: 1757404720 + os: "WINDOWS" + profileEmail: "test.user@example.com" + profileSyncEnabled: true + tokenType: "INDIVIDUAL" + version: "140.0.0.0" + object: "BROWSER" + old: + browser: "CHROME" + creationTimestamp: 1757337192 + email: "test.user@example.com" + employeeId: "emp_1" + extensionVersion: "1.96.19" + id: "abc" + isActive: true + language: "en-GB" + lastOnlineTimestamp: 1757404720 + os: "WINDOWS" + profileEmail: "test.user@example.com" + profileSyncEnabled: true + tokenType: "INDIVIDUAL" + version: "140.0.0.0" + timestamp: 1.75740472E12 + type: "UPDATE" + usr: + email: "test.user@example.com" + id: "emp_1" + version: "1" + message: "Browser for test.user@example.com updated" + service: "ENTITY" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757404720000 + - + sample: |- + { + "old" : { + "requestSupportStatus" : "DISCOVERED", + "hidden" : false, + "domain" : "www.example.com", + "creationTimestamp" : 1754559431, + "id" : "abc" + }, + "description" : "www.example.com removed", + "id" : "123", + "category" : "ENTITY", + "type" : "DELETE", + "version" : "1", + "friendlyName" : "App (Other)", + "timestamp" : 1757390436, + 
"object" : "APP_OTHER" + } + result: + custom: + category: "ENTITY" + evt: + name: "App (Other)" + id: "123" + object: "APP_OTHER" + old: + creationTimestamp: 1754559431 + domain: "www.example.com" + hidden: false + id: "abc" + requestSupportStatus: "DISCOVERED" + timestamp: 1.757390436E12 + type: "DELETE" + version: "1" + message: "www.example.com removed" + service: "ENTITY" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757390436000 + - + sample: |- + { + "new" : { + "accountId" : "acc_1", + "appType" : "PUSH_SECURITY", + "appId" : "app_1", + "creationTimestamp" : 1757333626, + "employeeId" : "emp_1", + "id" : "abc", + "state" : "OPEN", + "type" : "SHARED_ACCOUNT", + "employee" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + "creationTimestamp" : 1754480521, + "id" : "emp_1", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + } + }, + "description" : "Shared account finding observed for test.user@example.com on Push Security", + "id" : "123", + "category" : "ENTITY", + "type" : "CREATE", + "version" : "1", + "friendlyName" : "Finding", + "timestamp" : 1757333626, + "object" : "FINDING" + } + result: + custom: + category: "ENTITY" + evt: + name: "Finding" + id: "123" + new: + accountId: "acc_1" + appId: "app_1" + appType: "PUSH_SECURITY" + creationTimestamp: 1757333626 + employee: + chatopsEnabled: false + creationTimestamp: 1754480521 + department: "/" + firstName: "test" + id: "emp_1" + lastName: "user" + licensed: true + employeeId: "emp_1" + id: "abc" + state: "OPEN" + type: "SHARED_ACCOUNT" + object: "FINDING" + timestamp: 1.757333626E12 + type: "CREATE" + usr: + email: "test.user@example.com" + name: "test user" + version: "1" + message: "Shared account finding observed for test.user@example.com on Push Security" + service: "ENTITY" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757333626000 + - + sample: |- + { + "new" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + 
"creationTimestamp" : 1754480521, + "id" : "abc", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + }, + "old" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : false, + "creationTimestamp" : 1754480521, + "id" : "abc", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + }, + "description" : "test.user@example.com updated", + "id" : "123", + "category" : "ENTITY", + "type" : "UPDATE", + "version" : "1", + "friendlyName" : "Employee", + "timestamp" : 1757327806, + "object" : "EMPLOYEE" + } + result: + custom: + category: "ENTITY" + evt: + name: "Employee" + id: "123" + new: + chatopsEnabled: false + creationTimestamp: 1754480521 + department: "/" + email: "test.user@example.com" + firstName: "test" + lastName: "user" + licensed: true + object: "EMPLOYEE" + old: + chatopsEnabled: false + creationTimestamp: 1754480521 + department: "/" + email: "test.user@example.com" + firstName: "test" + id: "abc" + lastName: "user" + licensed: false + timestamp: 1.757327806E12 + type: "UPDATE" + usr: + id: "abc" + name: "test user" + version: "1" + message: "test.user@example.com updated" + service: "ENTITY" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757327806000 + - + sample: |- + { + "old" : { + "accountId" : "acc_1", + "appType" : "PUSH_SECURITY", + "appId" : "app_1", + "creationTimestamp" : 1757333626, + "employeeId" : "emp_1", + "id" : "abc", + "state" : "OPEN", + "type" : "SHARED_ACCOUNT", + "employee" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : true, + "creationTimestamp" : 1754480521, + "id" : "emp_1", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + } + }, + "description" : "Shared account finding observed for test.user@example.com on Push Security", + "id" : "123", + "category" : "ENTITY", + "type" : "CREATE", + "version" : "1", + "friendlyName" : "Finding", + "timestamp" : 1757333626, + "object" : "FINDING" + } + 
result: + custom: + category: "ENTITY" + evt: + name: "Finding" + id: "123" + object: "FINDING" + old: + accountId: "acc_1" + appId: "app_1" + appType: "PUSH_SECURITY" + creationTimestamp: 1757333626 + employee: + chatopsEnabled: false + creationTimestamp: 1754480521 + department: "/" + email: "test.user@example.com" + firstName: "test" + id: "emp_1" + lastName: "user" + licensed: true + employeeId: "emp_1" + id: "abc" + state: "OPEN" + type: "SHARED_ACCOUNT" + timestamp: 1.757333626E12 + type: "CREATE" + usr: + name: " " + version: "1" + message: "Shared account finding observed for test.user@example.com on Push Security" + service: "ENTITY" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757333626000 + - + sample: |- + { + "old" : { + "firstName" : "test", + "lastName" : "user", + "licensed" : false, + "creationTimestamp" : 1754480521, + "id" : "abc", + "department" : "/", + "email" : "test.user@example.com", + "chatopsEnabled" : false + }, + "description" : "test.user@example.com updated", + "id" : "123", + "category" : "ENTITY", + "type" : "DELETE", + "version" : "1", + "friendlyName" : "Employee", + "timestamp" : 1757327806, + "object" : "EMPLOYEE" + } + result: + custom: + category: "ENTITY" + evt: + name: "Employee" + id: "123" + object: "EMPLOYEE" + old: + chatopsEnabled: false + creationTimestamp: 1754480521 + department: "/" + email: "test.user@example.com" + firstName: "test" + lastName: "user" + licensed: false + timestamp: 1.757327806E12 + type: "DELETE" + usr: + id: "abc" + name: "test user" + version: "1" + message: "test.user@example.com updated" + service: "ENTITY" + tags: + - "source:LOGS_SOURCE" + timestamp: 1757327806000 diff --git a/push_security/assets/push_security.svg b/push_security/assets/push_security.svg new file mode 100644 index 0000000000000..fe2de5abcb21e --- /dev/null +++ b/push_security/assets/push_security.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + 
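Review bot: The `old`-only FINDING fixture near the end of this hunk is sent with `"type" : "CREATE"`, so it is routed to the Finding create/update pipeline (defined outside this hunk) and pins `usr.name: " "` — the whitespace-only value the `replaceMissing: true` string builder emits when `new.employee.firstName`/`lastName` are absent — instead of exercising the `@type:DELETE @object:FINDING` pipeline the way the neighbouring Employee delete fixture does. Change the sample to `"type" : "DELETE"` and expect `usr.name: "test user"` and `usr.email: "test.user@example.com"` taken from `old.employee`, with `old.employee.email` no longer present in the result. As written the test locks in a blank user name rather than catching it. Separately, the API-key audit fixture pins `usr.email: "adm1"`, which the pipeline copies from `actor.apiKeyCreatedBy`; if that field carries an identifier rather than an address, queries keyed on `@usr.email` will match non-email values, so the mapping is worth confirming against the webhook schema.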
diff --git a/push_security/images/push_security_activity.png b/push_security/images/push_security_activity.png
new file mode 100644
index 0000000000000..4c8e73eb9cf8a
Binary files /dev/null and b/push_security/images/push_security_activity.png differ
diff --git a/push_security/images/push_security_audit.png b/push_security/images/push_security_audit.png
new file mode 100644
index 0000000000000..913273f340fcc
Binary files /dev/null and b/push_security/images/push_security_audit.png differ
diff --git a/push_security/images/push_security_controls.png b/push_security/images/push_security_controls.png
new file mode 100644
index 0000000000000..da87f38595f12
Binary files /dev/null and b/push_security/images/push_security_controls.png differ
diff --git a/push_security/images/push_security_detections_1.png b/push_security/images/push_security_detections_1.png
new file mode 100644
index 0000000000000..30de29fcd5a2c
Binary files /dev/null and b/push_security/images/push_security_detections_1.png differ
diff --git a/push_security/images/push_security_detections_2.png b/push_security/images/push_security_detections_2.png
new file mode 100644
index 0000000000000..8859c80f3beea
Binary files /dev/null and b/push_security/images/push_security_detections_2.png differ
diff --git a/push_security/images/push_security_entity.png b/push_security/images/push_security_entity.png
new file mode 100644
index 0000000000000..898e4e7b029e9
Binary files /dev/null and b/push_security/images/push_security_entity.png differ
diff --git a/push_security/images/push_security_overview.png b/push_security/images/push_security_overview.png
new file mode 100644
index 0000000000000..ade390139c17a
Binary files /dev/null and b/push_security/images/push_security_overview.png differ
diff --git a/push_security/manifest.json b/push_security/manifest.json
new file mode 100644
index 0000000000000..4f0adf4e1ab2d
--- /dev/null
+++ b/push_security/manifest.json
@@ -0,0 +1,84 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "5adddeb6-b278-49b7-b124-e67642e76f51",
+ "app_id": "push-security",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into Push Security Events.",
+ "title": "Push Security",
+ "media": [
+ {
+ "media_type": "image",
+ "caption": "Push Security - Overview",
+ "image_url": "images/push_security_overview.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Push Security - Activity",
+ "image_url": "images/push_security_activity.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Push Security - Audit",
+ "image_url": "images/push_security_audit.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Push Security - Controls",
+ "image_url": "images/push_security_controls.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Push Security - Detections",
+ "image_url": "images/push_security_detections_1.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Push Security - Detections",
+ "image_url": "images/push_security_detections_2.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Push Security - Entity",
+ "image_url": "images/push_security_entity.png"
+ }
+ ],
+ "classifier_tags": [
+ "Category::Log Collection",
+ "Category::Security",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": false,
+ "source_type_id": 56861741,
+ "source_type_name": "Push Security",
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "Push Security - Overview": "assets/dashboards/push_security_overview.json",
+ "Push Security - Activity": "assets/dashboards/push_security_activity.json",
+ "Push Security - Audit": "assets/dashboards/push_security_audit.json",
+ "Push Security - Controls": "assets/dashboards/push_security_controls.json",
+ "Push Security - Detections":
"assets/dashboards/push_security_detections.json",
+ "Push Security - Entity": "assets/dashboards/push_security_entity.json"
+ },
+ "logs": {
+ "source": "pushsecurity"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
\ No newline at end of file
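Review bot: `"logs": { "source": "pushsecurity" }` uses a different spelling from the `id: push-security` declared in the pipeline test file added by this commit and from the `"app_id": "push-security"` a few lines up. If the logs source is what selects the pipeline for incoming webhook logs, events tagged `pushsecurity` would bypass the `usr.*` and `network.client.ip` remaps this integration depends on, so confirm which spelling the backend keys on and align the three. Also, two media entries carry the identical caption `Push Security - Detections`; a distinct caption for the second screenshot (e.g. `Push Security - Detections (2)`) keeps the tile gallery unambiguous.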