diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 0104e80d45ef8..851ea8ad94c24 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -421,6 +421,11 @@ plaid/assets/logs/ @DataDog/saa
 /streamnative/manifest.json @DataDog/saas-integrations @DataDog/documentation
 /streamnative/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+/zero_networks/ @DataDog/saas-integrations
+/zero_networks/*.md @DataDog/saas-integrations @DataDog/documentation
+/zero_networks/manifest.json @DataDog/saas-integrations @DataDog/documentation
+/zero_networks/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
+
 # To keep Security up-to-date with changes to the signing tool.
 /datadog_checks_dev/datadog_checks/dev/tooling/signing.py @DataDog/agent-integrations
 # As well as the secure downloader.
diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index 420482ad42152..c793734a2809e 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -611,6 +611,8 @@ integration/yarn:
 - yarn/**/*
 integration/zeek:
 - zeek/**/*
+integration/zero_networks:
+- zero_networks/**/*
 integration/zk:
 - zk/**/*
 qa/skip-qa:
diff --git a/zero_networks/CHANGELOG.md b/zero_networks/CHANGELOG.md
new file mode 100644
index 0000000000000..0afbc81e871ba
--- /dev/null
+++ b/zero_networks/CHANGELOG.md
@@ -0,0 +1,7 @@
+# CHANGELOG - zero-networks
+
+## 1.0.0 / 2025-01-01
+
+***Added***:
+
+* Initial Release
diff --git a/zero_networks/README.md b/zero_networks/README.md
new file mode 100644
index 0000000000000..39b67397c6a96
--- /dev/null
+++ b/zero_networks/README.md
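Review bot: The new `/zero_networks/assets/logs/` line in the CODEOWNERS hunk lists both `@DataDog/logs-backend` and `@DataDog/logs-core`, while the adjacent `/streamnative/assets/logs/` context line lists only `@DataDog/logs-backend`. If the extra team is intended to review this integration's log pipeline specifically that is fine, but if it is a copy-paste divergence it should be aligned with the sibling entries so that required reviews for pipeline changes are routed consistently. The ordering is correct as written: the catch-all `/zero_networks/` line comes first and the more specific `*.md`, `manifest.json` and `assets/logs/` patterns follow it, which is what CODEOWNERS needs since the last matching pattern takes precedence. The trailing added blank line before the `# To keep Security up-to-date` comment is harmless but could be dropped to keep the block compact.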
@@ -0,0 +1,59 @@
+# Zero Networks
+
+## Overview
+
+[Zero Networks][1] is a cybersecurity platform that enforces zero-trust principles by restricting access to network resources based on user identity and behavior. It automates the creation of security policies, ensuring that only authorized users and devices can connect, while blocking unauthorized attempts. With features like adaptive access control, audit logs, and micro-segmentation, it minimizes attack surfaces and protects against threats. The platform is easy to deploy and integrates seamlessly with existing systems.
+
+This integration ingests the following logs:
+
+- Audit: Records an event performed by the user, providing an overview of the event's timestamp, involved entities, actions, and more.
+- Network-Activities: Represents information about network communication events occurring within a system, including protocol and traffic type, source and destination information, process information, user information, threat scores, and more.
+
+This integration seamlessly collects all the above listed logs, channeling them into Datadog for analysis. Leveraging the built-in logs pipeline, these logs are parsed and enriched, enabling effortless search and analysis. The integration provides insight into audit and network-activities through the out-of-the-box dashboards.
+
+## Setup
+
+### Generate API credentials in Zero Networks
+
+1. Log in to the Zero Networks platform.
+ 2. Navigate to **Settings**, click **API** under **Integrations**, click **Add new token** and specify the settings of the new API key.
+ - Token name: A meaningful name that can help you identify the API key.
+ - Access type: The access permission assigned to the API key. Select **Read only**.
+ - Expiry: The expiration duration of the API key. Select **36 months**.
+ 3. Click Add.
+
+### Connect your Zero Networks Account to Datadog
+
+1. Add your Zero Networks credentials.
+
+ | Parameters | Description |
+ | ------------------------------------- | ------------------------------------------------------------ |
+ | Domain Name | The Domain Name from Zero Networks portal URL |
+ | API Key | The Personal API key of Zero Networks |
+
+2. Click the Save button to save your settings.
+
+## Data Collected
+
+### Logs
+
+The Zero Networks integration collects and forwards Zero Networks audit and network activities logs to Datadog.
+
+### Metrics
+
+The Zero Networks integration does not include any metrics.
+
+### Service Checks
+
+The Zero Networks integration does not include any service checks.
+
+### Events
+
+The Zero Networks integration does not include any events.
+
+## Support
+
+Need help? Contact [Datadog support][2].
+
+[1]: https://zeronetworks.com/
+[2]: https://docs.datadoghq.com/help/
\ No newline at end of file
diff --git a/zero_networks/assets/dashboards/zero_networks_audit.json b/zero_networks/assets/dashboards/zero_networks_audit.json
new file mode 100644
index 0000000000000..673c3df9acad3
--- /dev/null
+++ b/zero_networks/assets/dashboards/zero_networks_audit.json
@@ -0,0 +1,4080 @@ +{ + "title": "Zero Networks - Audit", + "description": "This Dashboard provides insights into audit logs generated on Zero Networks Platform.", + "widgets": [ + { + "id": 1863500026524962, + "definition": { + "title": "", + "banner_img": "https://cdn.prod.website-files.com/66d894ac929236a04d136c23/66f44ba20ee5b6674d84c2b9_zero.jpg", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1221940071162682, + "definition": { + "type": "note", + "content": "Zero Networks is a cybersecurity platform that enforces zero-trust principles by restricting access to network resources based on user identity and behavior. It automates security policy creation, ensuring that only authorized users and devices can connect while blocking unauthorized attempts. With features like adaptive access control, audit logs, and microsegmentation, it minimizes attack surfaces and protects against threats. The platform is easy to deploy and integrates seamlessly with existing systems.\n\nThis dashboard provides information about Audit Logs generated on Zero Networks.\n\nAudits can help you capture log details of audit types and it also records information such as user name, user roles and enforcement sources. 
\n\nFor more information, see the [Zero Networks Documentation](https://docs.datadoghq.com/integrations/zero_networks/).\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 1090821916952074, + "definition": { + "title": "Audit Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4953922766515528, + "definition": { + "title": "Audit Logs over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 7242183548985904, + "definition": { + "title": "Total Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks 
service:audit $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 1681254120188672, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 3, + "height": 4 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 8903832120411966, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1520603275009884, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates Audit logs to detect threats to your environment in real time. 
If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](https://app.datadoghq.com/security?query=source%3Azero-networks%20service%3Aaudit). ", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5171305195280798, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:audit status:critical $User $User-Role $Enforcement-Source" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 3716339438229230, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:audit status:high $User $User-Role $Enforcement-Source" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + 
"height": 2 + } + }, + { + "id": 526207678442798, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:audit status:critical $User $User-Role $Enforcement-Source" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 7065177256241926, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:audit status:medium $User $User-Role $Enforcement-Source" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5633195198610606, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": 
"left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:audit status:low $User $User-Role $Enforcement-Source" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 8771190338846140, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:audit status:info $User $User-Role $Enforcement-Source" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 6423904998842304, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:audit status:high $User 
$User-Role $Enforcement-Source" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 8271369373960348, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:audit status:medium $User $User-Role $Enforcement-Source" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 708983995767266, + "definition": { + "title": "Info Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 
10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:audit status:info $User $User-Role $Enforcement-Source" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 1407892894051968, + "definition": { + "title": "Low Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:audit status:low $User $User-Role $Enforcement-Source" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 14 + } + }, + { + "id": 644000452526738, + "definition": { + "title": "Audit Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + 
"layout_type": "ordered", + "widgets": [ + { + "id": 2556237570829152, + "definition": { + "title": "Top User Roles", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@user_role", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 4180845588431612, + "definition": { + "title": "Distribution by Enforcement Sources", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@enforcement_source", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + 
"height": 4 + } + }, + { + "id": 5999525942412330, + "definition": { + "title": "Top User Roles associated with System", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @enforcement_source:System $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@user_role", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 4669974496291300, + "definition": { + "title": "API Usage Analysis over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:(API-FullAccess OR API-ReadOnly) @enforcement_source:API $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@user_role", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + 
"order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 4 + } + }, + { + "id": 7270801875129594, + "definition": { + "title": "Total Admin Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:Admin $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 1080787060051264, + "definition": { + "title": "Total Self Service Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:SelfService $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 3783082847426088, + "definition": { + "title": "Total Unspecified Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": 
[ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:Unspecified $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 6621169246882574, + "definition": { + "title": "Total Viewer Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:Viewer $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d8e6f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 7418851780658186, + "definition": { + "title": "Total JAMF Asset Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:\"JAMF Asset\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 4 + } + }, + { + "id": 17237147742890, + "definition": { + "title": "Total Asset Manager Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:\"Asset Manager\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fde2f2" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 12, + "width": 3, + "height": 4 + } + }, + { + "id": 6871196872716226, + "definition": { + "title": "Total Regular Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:Regular $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 12, + "width": 3, + "height": 4 + } + }, + { + "id": 5112550643636798, + "definition": { + "title": "Total API Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { 
+ "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:(API-FullAccess OR API-ReadOnly) $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fbeabc" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 12, + "width": 3, + "height": 4 + } + }, + { + "id": 8988645435508292, + "definition": { + "title": "Total Cloud Connector Provisioning Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:CloudConnectorProvisioning $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 2318710282304818, + "definition": { + "title": "Total Operator Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:Operator $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": 
"hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 8015711901397206, + "definition": { + "title": "Total Service Now Users", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:\"Service Now Token\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#efeefb" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 6280654354708074, + "definition": { + "title": "Top Users by MFA Enforcement Source", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @enforcement_source:MFA $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + 
"style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 4, + "height": 4 + } + }, + { + "id": 123439317121484, + "definition": { + "title": "Top Enforcement Sources by Segmented Assets", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:\"Asset segmented (network)\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@enforcement_source", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 20, + "width": 4, + "height": 4 + } + }, + { + "id": 8883716077430122, + "definition": { + "title": "Top Enforcement Sources associated with Asset Manager", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:\"Asset Manager\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@enforcement_source", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": 
"scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 20, + "width": 4, + "height": 4 + } + }, + { + "id": 7527913239895988, + "definition": { + "title": "Top Enforcement Sources with Unspecified Role", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:Unspecified $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@enforcement_source", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 4, + "height": 4 + } + }, + { + "id": 5100808526380316, + "definition": { + "title": "Top Asset Managers Added", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:\"Asset manager added\" @user_role:\"Asset Manager\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 24, + "width": 4, + "height": 4 + } + }, + { + "id": 5924686678840334, + "definition": { + "title": "Top Asset Managers Removed", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:\"Asset manager removed\" @user_role:\"Asset Manager\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 24, + "width": 4, + "height": 4 + } + }, + { + "id": 8210840798992286, + "definition": { + "title": "User Details by API Full Access Status", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:API-FullAccess $User $User-Role $Enforcement-Source" + }, + "indexes": [ + 
"*" + ], + "group_by": [ + { + "facet": "@usr.id", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 28, + "width": 6, + "height": 5 + } + }, + { + "id": 6089722912957010, + "definition": { + "title": "User Details when API Token Created", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:\"API Token created\" $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.id", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@user_role", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": 
"scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 28, + "width": 6, + "height": 5 + } + }, + { + "id": 8008875364881484, + "definition": { + "title": "Distribution by User Access Configuration Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"User access configuration created\" OR \"User access configuration edited\" OR \"User access configuration deleted\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 33, + "width": 6, + "height": 4 + } + }, + { + "id": 4610184027668450, + "definition": { + "title": "Distribution of API Token Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"API Token created\" OR \"API Token deleted\" OR \"API Token regenerated\") $User $User-Role $Enforcement-Source" + }, + 
"indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 33, + "width": 6, + "height": 4 + } + }, + { + "id": 8336717976484940, + "definition": { + "title": "Distribution by Asset RPC Monitoring Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Asset added to RPC monitoring\" OR \"Asset removed from RPC monitoring\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 37, + "width": 6, + "height": 4 + } + }, + { + "id": 670734366491020, + "definition": { + "title": "Distribution by Asset Cloud Monitoring Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + 
"name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @user_role:CloudConnectorProvisioning @fields_mapping.auditType:(\"Asset is monitored by Cloud connector\" OR \"Asset is no longer monitored by Cloud connector\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 37, + "width": 6, + "height": 4 + } + }, + { + "id": 3754709865300744, + "definition": { + "title": "Distribution by Admin Portal Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @enforcement_source:\"Admin Portal\" @fields_mapping.auditType:(\"Admin portal role changed to admin\" OR \"Admin portal role changed to viewer\" OR \"Admin portal role revoked\" OR \"Admin portal logon\" OR \"Admin portal role changed to operator\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": 
"desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 41, + "width": 6, + "height": 4 + } + }, + { + "id": 5502064587970996, + "definition": { + "title": "Distribution by Segmentation Policy Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Segmentation policy created\" OR \"Segmentation policy deleted\" OR \"Segmentation policy edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 41, + "width": 6, + "height": 4 + } + }, + { + "id": 1108945772378682, + "definition": { + "title": "JIT Access Rejected Breakdown", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Outbound JIT access rejected\" OR \"Inbound JIT access rejected\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": 
"count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 45, + "width": 12, + "height": 4 + } + }, + { + "id": 3534431085357244, + "definition": { + "title": "Distribution by Inbound JIT Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Inbound JIT rule created\" OR \"Inbound JIT rule deleted\" OR \"Inbound JIT rule expired\" OR \"Inbound JIT rule revived\" OR \"Inbound JIT rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 49, + "width": 6, + "height": 4 + } + }, + { + "id": 5641989942381028, + "definition": { + "title": "Distribution by Outbound JIT Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks 
service:audit @fields_mapping.auditType:(\"Outbound JIT rule created\" OR \"Outbound JIT rule deleted\" OR \"Outbound JIT rule expired\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 49, + "width": 6, + "height": 4 + } + }, + { + "id": 5044773016041802, + "definition": { + "title": "Distribution by Inbound MFA Policy Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @enforcement_source:MFA @fields_mapping.auditType:(\"Inbound MFA policy created\" OR \"Inbound MFA policy edited\" OR \"Inbound MFA policy deleted\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 53, + "width": 6, + "height": 4 + } + }, + { + "id": 
5683227781932788, + "definition": { + "title": "Distribution by Outbound MFA Policy Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @enforcement_source:MFA @fields_mapping.auditType:(\"Outbound MFA policy created\" OR \"Outbound MFA policy edited\" OR \"Outbound MFA policy deleted\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 53, + "width": 6, + "height": 4 + } + }, + { + "id": 1015805240700402, + "definition": { + "title": "Distribution by Inbound Allow Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Inbound allow rule created\" OR \"Inbound allow rule deleted\" OR \"Inbound allow rule expired\" OR \"Inbound allow rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" 
+ } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 57, + "width": 6, + "height": 4 + } + }, + { + "id": 4481281950303368, + "definition": { + "title": "Distribution by Outbound Allow Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Outbound allow rule created\" OR \"Outbound allow rule deleted\" OR \"Outbound allow rule expired\" OR \"Outbound allow rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 57, + "width": 6, + "height": 4 + } + }, + { + "id": 350747560290646, + "definition": { + "title": "Distribution by Inbound Block Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Inbound block rule created\" OR \"Inbound block rule deleted\" OR \"Inbound block rule expired\" OR 
\"Inbound block rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 61, + "width": 6, + "height": 4 + } + }, + { + "id": 6091362109720210, + "definition": { + "title": "Distribution by Outbound Block Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Outbound block rule created\" OR \"Outbound block rule deleted\" OR \"Outbound block rule expired\" OR \"Outbound block rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 61, + "width": 6, + "height": 4 + } + }, + { + "id": 1115683580811782, + "definition": { + "title": "Distribution by Connect Session Status", + 
"title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Connect session created\" OR \"Connect session expired\" OR \"Connect session revoked\" OR \"Connect session logged out\" OR \"Connect session extended\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 65, + "width": 6, + "height": 4 + } + }, + { + "id": 3282289349266296, + "definition": { + "title": "Distribution by Connect Region Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Connect region created\" OR \"Connect region edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + 
} + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 65, + "width": 6, + "height": 4 + } + }, + { + "id": 7296457709427624, + "definition": { + "title": "Distribution by Connect Server Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Connect server deployed\" OR \"Connect server edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 69, + "width": 6, + "height": 4 + } + }, + { + "id": 5681340390094250, + "definition": { + "title": "Distribution by Rules RPC rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Rules RPC rule created\" OR \"Rules RPC rule deleted\" OR \"Rules RPC rule expired\" OR \"Rules RPC rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": 
"count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 69, + "width": 6, + "height": 4 + } + }, + { + "id": 6235168435099362, + "definition": { + "title": "Distribution by AI Inbound Allow Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"AI inbound allow rule rejected\" OR \"AI inbound allow rule approved\" OR \"AI inbound allow rule approved with changes\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 73, + "width": 6, + "height": 4 + } + }, + { + "id": 3232645691460268, + "definition": { + "title": "Distribution by AI Outbound Allow Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit 
@fields_mapping.auditType:(\"AI outbound allow rule rejected\" OR \"AI outbound allow rule approved\" OR \"AI outbound allow rule approved with changes\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 73, + "width": 6, + "height": 4 + } + }, + { + "id": 2343644671622496, + "definition": { + "title": "Distribution by AI Inbound Block Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"AI inbound block rule rejected\" OR \"AI inbound block rule approved\" OR \"AI inbound block rule approved with changes\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 77, + "width": 6, + "height": 4 + } + 
}, + { + "id": 7638257482231942, + "definition": { + "title": "Distribution by AI Outbound Block Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"AI outbound block rule rejected\" OR \"AI outbound block rule approved\" OR \"AI outbound block rule approved with changes\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 77, + "width": 6, + "height": 4 + } + }, + { + "id": 7529546885171408, + "definition": { + "title": "Distribution by Identity Rule Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:audit @fields_mapping.auditType:(\"Identity rule created\" OR \"Identity rule deleted\" OR \"Identity rule expired\" OR \"Identity rule edited\") $User $User-Role $Enforcement-Source" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.auditType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } 
+ ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 81, + "width": 12, + "height": 4 + } + }, + { + "id": 8516258548930438, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zero-networks service:audit $User $User-Role $Enforcement-Source", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "usr.id", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "user_role", + "width": "auto" + }, + { + "field": "enforcement_source", + "width": "auto" + }, + { + "field": "fields_mapping.auditType", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 85, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 90 + } + } + ], + "template_variables": [ + { + "name": "User", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "User-Role", + "prefix": "@user_role", + "available_values": [], + "default": "*" + }, + { + "name": "Enforcement-Source", + "prefix": "@enforcement_source", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zero_networks/assets/dashboards/zero_networks_network_activities.json b/zero_networks/assets/dashboards/zero_networks_network_activities.json new file mode 100644 index 0000000000000..1316d1169d513 --- /dev/null +++ b/zero_networks/assets/dashboards/zero_networks_network_activities.json 
@@ -0,0 +1,3132 @@ +{ + "title": "Zero Networks - Network Activities", + "description": "This Dashboard provides insights into network activities logs generated on Zero Networks Platform.", + "widgets": [ + { + "id": 7048682808416574, + "definition": { + "title": "", + "banner_img": "https://cdn.prod.website-files.com/66d894ac929236a04d136c23/66f44ba20ee5b6674d84c2b9_zero.jpg", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4724375602798618, + "definition": { + "type": "note", + "content": "Zero Networks is a cybersecurity platform that enforces zero-trust principles by restricting access to network resources based on user identity and behavior. It automates security policy creation, ensuring that only authorized users and devices can connect while blocking unauthorized attempts. With features like adaptive access control, audit logs, and microsegmentation, it minimizes attack surfaces and protects against threats. The platform is easy to deploy and integrates seamlessly with existing systems.\n\nThis dashboard provides information about the Network Activities logs generated on Zero Networks.\n\nNetwork activities can help you maintain your network in the following ways:\n- Captures and logs details of network connections between a source and a destination.\n- Records information such as IP addresses, ports, processes involved, user identities, and threat scores associated with the network traffic.\n- Monitor and analyze network communication, detect potential security threats, and provide visibility into the network activities occurring within the environment.\n\nFor more information, see the [Zero Networks Documentation](https://docs.datadoghq.com/integrations/zero_networks/).\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", 
+ "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 8522168906775942, + "definition": { + "title": "Network Activities Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2821775474448160, + "definition": { + "title": "Network Activity Logs over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5023916849568878, + "definition": { + "title": "Total Network Activity Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + 
"formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 3993652264280538, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 3, + "height": 4 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 2866141829269764, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2164149458767982, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates Network Activity logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](https://app.datadoghq.com/security?query=source%3Azero-networks%20service%3Anetwork-activities). 
", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2645872198219308, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:network-activities status:critical $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 4148528252612364, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:network-activities status:high $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 8700812738359164, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:network-activities status:critical $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 6750891340282460, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:network-activities status:medium $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 2964548153610178, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + 
{ + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:network-activities status:low $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3511561538032828, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zero-networks service:network-activities status:info $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 3680138366512730, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:network-activities status:high $User $IP $Traffic-Type $State $Protocol" + } + } + ], + 
"response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 8590036025513724, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:network-activities status:medium $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 6292364445193512, + "definition": { + "title": "Info Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": 
"desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:network-activities status:info $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 1513911561139188, + "definition": { + "title": "Low Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zero-networks service:network-activities status:low $User $IP $Traffic-Type $State $Protocol" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 14 + } + }, + { + "id": 2735070504617084, + "definition": { + "title": "Network Activities Logs", + "background_color": "vivid_blue", + "show_title": true, + 
"type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7408250835431734, + "definition": { + "title": "Top Protocols", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.protocol", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 5125143270261116, + "definition": { + "title": "Distribution by Traffic Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.trafficType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + 
"type": "automatic" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 7587274748285862, + "definition": { + "title": "Total Internal Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.trafficType:Internal $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 542398547448820, + "definition": { + "title": "Total External Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.trafficType:External $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 1904201580642026, + "definition": { + "title": "Total Internal and External Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { 
+ "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.trafficType:Both $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e4f4f7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 4018554368221482, + "definition": { + "title": "Top IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 3814672709882648, + "definition": { + "title": "Distribution by States", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP 
$Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.state", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 8, + "width": 8, + "height": 4 + } + }, + { + "id": 2627643690830184, + "definition": { + "title": "Total Blocked Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.state:Blocked $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 8455608497007756, + "definition": { + "title": "Total Blocked At Source Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.state:\"Blocked at source\" $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" 
+ }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 6518168948932602, + "definition": { + "title": "Total Requested Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.state:Requested $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ebfaff" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 109041145079294, + "definition": { + "title": "Total Blocked By Third Party Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.state:\"Blocked by third party\" $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f4cdd9" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": 
{ + "x": 0, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 4179949591999648, + "definition": { + "title": "Total Blocked At Source By Third Party Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.state:\"Blocked at source by third party\" $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f7c0c0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 5825249782758720, + "definition": { + "title": "Total Established Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.state:Established $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 8140375815927286, + "definition": { + "title": "Total TCP Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + 
"response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.protocol:TCP $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e3f6f8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 3693207539505400, + "definition": { + "title": "Total UDP Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.protocol:UDP $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fbe2fd" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 6867819967370544, + "definition": { + "title": "Total ICMP Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.protocol:ICMP $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { 
+ "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f8e3e3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 8147706316730684, + "definition": { + "title": "Total RDP Network Traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities @fields_mapping.protocol:RDP $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#edeefd" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 8071523453594128, + "definition": { + "title": "Top Destination Asset Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.dst.assetType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": 
[ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 4, + "height": 4 + } + }, + { + "id": 5123855718486176, + "definition": { + "title": "Top Destination IP Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 24, + "width": 4, + "height": 4 + } + }, + { + "id": 5586724905348182, + "definition": { + "title": "Top Destination FQDN", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@record.dst.fqdn", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { 
+ "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 24, + "width": 4, + "height": 4 + } + }, + { + "id": 44790517895590, + "definition": { + "title": "Top Destination Processes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@record.dst.processName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 6589084141519102, + "definition": { + "title": "Destination User Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@record.dst.assetId", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@record.dst.userId", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, 
+ { + "facet": "@record.dst.userName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 28, + "width": 8, + "height": 4 + } + }, + { + "id": 6297826389227418, + "definition": { + "title": "Top Destination Asset Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.src.assetSrc", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 32, + "width": 4, + "height": 4 + } + }, + { + "id": 1840424163789940, + "definition": { + "title": "Destination Process Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol", + "indexes": [], + "storage": 
"hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "record.dst.assetId", + "width": "auto" + }, + { + "field": "record.dst.processId", + "width": "auto" + }, + { + "field": "record.dst.processName", + "width": "auto" + }, + { + "field": "record.dst.processPath", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 32, + "width": 8, + "height": 4 + } + }, + { + "id": 8205966187394598, + "definition": { + "title": "Overall Destination Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "record.dst.assetId", + "width": "auto" + }, + { + "field": "network.destination.ip", + "width": "auto" + }, + { + "field": "network.destination.port", + "width": "auto" + }, + { + "field": "record.dst.ipThreatScore", + "width": "auto" + }, + { + "field": "record.dst.eventRecordId", + "width": "auto" + }, + { + "field": "record.dst.processId", + "width": "auto" + }, + { + "field": "record.dst.processName", + "width": "auto" + }, + { + "field": "record.dst.processPath", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 36, + "width": 12, + "height": 4 + } + }, + { + "id": 8588088349138280, + "definition": { + "title": "Top Source Asset Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.src.assetType", + "limit": 
10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 40, + "width": 4, + "height": 4 + } + }, + { + "id": 8852165136650850, + "definition": { + "title": "Top Source FQDN", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@record.src.fqdn", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 40, + "width": 4, + "height": 4 + } + }, + { + "id": 6509420781057236, + "definition": { + "title": "Top Source Processes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol -@record.src.processName:\"\"" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + 
"facet": "@record.src.processName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 40, + "width": 4, + "height": 4 + } + }, + { + "id": 8107362937220770, + "definition": { + "title": "Top Asset Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fields_mapping.src.assetSrc", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 44, + "width": 4, + "height": 4 + } + }, + { + "id": 8960629590747932, + "definition": { + "title": "Source Process Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol", + "indexes": [], + "storage": 
"hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "record.src.assetId", + "width": "auto" + }, + { + "field": "record.src.processId", + "width": "auto" + }, + { + "field": "record.src.processName", + "width": "auto" + }, + { + "field": "record.src.processPath", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 44, + "width": 8, + "height": 4 + } + }, + { + "id": 2267192419920364, + "definition": { + "title": "Overall Source Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "record.src.assetId", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "network.client.port", + "width": "auto" + }, + { + "field": "record.src.ipThreatScore", + "width": "auto" + }, + { + "field": "record.src.processId", + "width": "auto" + }, + { + "field": "record.src.processName", + "width": "auto" + }, + { + "field": "record.src.processPath", + "width": "auto" + }, + { + "field": "record.src.eventRecordId", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 48, + "width": 12, + "height": 4 + } + }, + { + "id": 2626869851753922, + "definition": { + "title": "Network Activities by Country", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 
250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 52, + "width": 12, + "height": 4 + } + }, + { + "id": 2675206461490272, + "definition": { + "title": "Network Activities by Destination Country", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State $Protocol" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 56, + "width": 12, + "height": 4 + } + }, + { + "id": 8603664597574194, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zero-networks service:network-activities $User $IP $Traffic-Type $State 
$Protocol", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "usr.id", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "fields_mapping.protocol", + "width": "auto" + }, + { + "field": "fields_mapping.trafficType", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "fields_mapping.state", + "width": "auto" + }, + { + "field": "record.dst.assetSrc", + "width": "auto" + }, + { + "field": "record.dst.fqdn", + "width": "auto" + }, + { + "field": "network.destination.ip", + "width": "auto" + }, + { + "field": "record.dst.assetId", + "width": "auto" + }, + { + "field": "record.dst.processId", + "width": "auto" + }, + { + "field": "record.dst.processName", + "width": "auto" + }, + { + "field": "record.dst.processPath", + "width": "auto" + }, + { + "field": "record.dst.userId", + "width": "auto" + }, + { + "field": "record.dst.userName", + "width": "auto" + }, + { + "field": "network.destination.port", + "width": "auto" + }, + { + "field": "record.dst.ipThreatScore", + "width": "auto" + }, + { + "field": "record.dst.eventRecordId", + "width": "auto" + }, + { + "field": "record.dst.ipThreatScore", + "width": "auto" + }, + { + "field": "record.src.assetSrc", + "width": "auto" + }, + { + "field": "record.src.fqdn", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "record.src.assetId", + "width": "auto" + }, + { + "field": "record.src.processId", + "width": "auto" + }, + { + "field": "record.src.processName", + "width": "auto" + }, + { + "field": "record.src.processPath", + "width": "auto" + }, + { + "field": "network.client.port", + "width": "auto" + }, + { + "field": "record.src.ipThreatScore", + "width": "auto" + }, + { + "field": "record.src.eventRecordId", + "width": "auto" + }, + { + "field": "record.src.processPath", + "width": "auto" + }, + { + "field": 
"record.src.processPath", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 60, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 65 + } + } + ], + "template_variables": [ + { + "name": "User", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Traffic-Type", + "prefix": "@trafficType", + "available_values": [], + "default": "*" + }, + { + "name": "State", + "prefix": "@state", + "available_values": [], + "default": "*" + }, + { + "name": "Protocol", + "prefix": "@protocol", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zero_networks/assets/logs/zero-networks.yaml b/zero_networks/assets/logs/zero-networks.yaml new file mode 100644 index 0000000000000..d8085cc3e3c28 --- /dev/null +++ b/zero_networks/assets/logs/zero-networks.yaml 
@@ -0,0 +1,308 @@ +id: "zero-networks" +metric_id: "zero-networks" +backend_only: false +facets: + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: 
network.destination.port + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log +pipeline: + type: pipeline + name: Zero Networks + enabled: true + filter: + query: source:zero-networks + processors: + - type: date-remapper + name: Define `record.timestamp` as the official date of the log + enabled: true + sources: + - record.timestamp + - type: pipeline + name: Audit + enabled: true + filter: + query: service:audit + processors: + - type: attribute-remapper + name: Map `record.performedBy.id` to `usr.id` + enabled: true + sources: + - record.performedBy.id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `record.performedBy.name` to `usr.name` + enabled: true + sources: + - record.performedBy.name + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - name: Lookup on `record.userRole` to `user_role` + enabled: true + source: record.userRole + target: user_role + lookupTable: |- + 0 , Unspecified + 1 , Admin + 2 , Viewer + 3 , Regular + 4 , API-FullAccess + 5 , API-ReadOnly + 6 , SelfService + 7 , CloudConnectorProvisioning + 8 , JAMF Asset + 9 , Asset Manager + 10 , Operator + 11 , Service Now Token + type: lookup-processor + - name: Lookup on `record.enforcementSource` to `enforcement_source` + enabled: true + source: record.enforcementSource + target: enforcement_source + lookupTable: |- + 1 , MFA + 2 , System + 3 , Access Portal + 4 , Admin Portal + 5 , Automation Engine + 6 , API + 7 , Setup + 8 , Connect + type: lookup-processor + - type: pipeline + name: Network Activities + enabled: true + filter: + query: service:network-activities + processors: + - type: attribute-remapper + name: Map `record.src.userId` to `usr.id` + enabled: true + sources: + - record.src.userId + sourceType: attribute 
+ target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `record.src.userName` to `usr.name` + enabled: true + sources: + - record.src.userName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `record.src.ip` to `network.client.ip` + enabled: true + sources: + - record.src.ip + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `record.dst.ip` to `network.destination.ip` + enabled: true + sources: + - record.dst.ip + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `record.src.port` to `network.client.port` + enabled: true + sources: + - record.src.port + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `record.dst.port` to `network.destination.port` + enabled: true + sources: + - record.dst.port + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: GeoIp Parser for `network.client.ip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: GeoIp Parser for `network.destination.ip` + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - name: Lookup on `record.src.assetSrc` to `fields_mapping.src.assetSrc` + enabled: true + source: record.src.assetSrc + target: fields_mapping.src.assetSrc + lookupTable: |- + 1 , Access portal + 2 , SSP + 3 , Active 
directory + 4 , Custom + 5 , System + 6 , Ansible + 7 , Manual OT/IoT + 8 , Workgroup + 9 , Azure active directory + 10 , Azure + 11 , AWS + 12 , GCP + 14 , Jamf + 15 , Manual Linux + 16 , IBM cloud + 17 , Oracle cloud + 18 , VMware cloud + 19 , Alibaba cloud + 20 , Lumen cloud + 21 , OVH cloud + 22 , Connect + type: lookup-processor + - name: Lookup on `record.dst.assetSrc` to `fields_mapping.dst.assetSrc` + enabled: true + source: record.dst.assetSrc + target: fields_mapping.dst.assetSrc + lookupTable: |- + 1 , Access portal + 2 , SSP + 3 , Active directory + 4 , Custom + 5 , System + 6 , Ansible + 7 , Manual OT/IoT + 8 , Workgroup + 9 , Azure active directory + 10 , Azure + 11 , AWS + 12 , GCP + 14 , Jamf + 15 , Manual Linux + 16 , IBM cloud + 17 , Oracle cloud + 18 , VMware cloud + 19 , Alibaba cloud + 20 , Lumen cloud + 21 , OVH cloud + 22 , Connect + type: lookup-processor diff --git a/zero_networks/assets/logs/zero-networks_tests.yaml b/zero_networks/assets/logs/zero-networks_tests.yaml new file mode 100644 index 0000000000000..ed4822fd28011 --- /dev/null +++ b/zero_networks/assets/logs/zero-networks_tests.yaml 
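Review bot: The Network Activities sub-pipeline never produces `fields_mapping.state`, `fields_mapping.protocol`, `fields_mapping.trafficType`, `fields_mapping.src.assetType` or `fields_mapping.dst.assetType`, yet the dashboard's state and protocol panels filter on exactly those paths (`@fields_mapping.state:"Blocked by third party"`, `@fields_mapping.protocol:TCP`, `@fields_mapping.dst.assetType`), so they will read zero and a blocked-traffic counter at 0 becomes indistinguishable from "nothing was blocked". The only lookups in this file are for `record.userRole`, `record.enforcementSource`, `record.src.assetSrc` and `record.dst.assetSrc`, while the raw events carry numeric enums for the missing fields (`state: 3`, `protocol: 17`, `trafficType: 1`, `assetType: 2` in the test sample), so one `lookup-processor` per field with `source: record.state` / `target: fields_mapping.state` (and likewise for protocol, trafficType and both assetType fields) is needed, populated from the vendor's enum tables rather than guessed codes. The dashboard's template variables additionally use prefixes `@state`, `@protocol` and `@trafficType`, which match neither `record.*` nor `fields_mapping.*`, so they should be pointed at the same lookup targets. Separately, the audit sample's `details` attribute is a JSON string (`{"publicIp":…,"tokenTtl":…,"idp":1,"role":1}`) that no processor here decodes, leaving the token's source IP and expiry unsearchable; a JSON-parsing step on `record.details` inside the Audit sub-pipeline would expose them as attributes.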
@@ -0,0 +1,185 @@ +id: "zero-networks" +tests: + - + sample: |- + { + "reportedObjectId" : "", + "performedBy" : { + "name" : "Test User", + "id" : "c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe" + }, + "enforcementSource" : 4, + "parentObjectId" : "", + "details" : "{\"publicIp\":\"163.116.212.44\",\"tokenTtl\":\"2025-01-07T08:35:30.000Z\",\"idp\":1,\"role\":1}", + "auditType" : 73, + "userRole" : 1, + "isoTimestamp" : "2024-12-31T08:35:30.990Z", + "timestamp" : 1735634130990, + "destinationEntitiesList" : [ { + "name" : "Test User", + "id" : "c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe" + } ] + } + result: + custom: + auditType: 73 + destinationEntitiesList: + - + name: "Test User" + id: "c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe" + details: "{\"publicIp\":\"163.116.212.44\",\"tokenTtl\":\"2025-01-07T08:35:30.000Z\",\"idp\":1,\"role\":1}" + enforcementSource: 4 + isoTimestamp: "2024-12-31T08:35:30.990Z" + parentObjectId: "" + performedBy: + id: "c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe" + name: "Test User" + reportedObjectId: "" + timestamp: 1735634130990 + userRole: 1 + message: |- + { + "reportedObjectId" : "", + "performedBy" : { + "name" : "Test User", + "id" : "c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe" + }, + "enforcementSource" : 4, + "parentObjectId" : "", + "details" : "{\"publicIp\":\"163.116.212.44\",\"tokenTtl\":\"2025-01-07T08:35:30.000Z\",\"idp\":1,\"role\":1}", + "auditType" : 73, + "userRole" : 1, + "isoTimestamp" : "2024-12-31T08:35:30.990Z", + "timestamp" : 1735634130990, + "destinationEntitiesList" : [ { + "name" : "Test User", + "id" : "c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe" + } ] + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: |- + { + "reason" : 5, + "protocol" : 17, + "dst" : { + "networkProtectionState" : 5, + "processPath" : "C:\\Windows\\System32\\svchost.exe (W32Time) (1056)", + "ipThreatScore" : 0, + "fqdn" : "dc01.posh.local", + "ip" : "10.0.0.4", + "userName" : "NT AUTHORITY\\LOCAL SERVICE", + "userId" : "S-1-5-19", + "assetType" : 2, + 
"eventRecordId" : 43174318, + "assetSrc" : 3, + "port" : 123, + "processId" : "1056", + "processName" : "svchost.exe (W32Time) (1056)", + "assetId" : "a:a:VWW2G2C8" + }, + "src" : { + "networkProtectionState" : 6, + "processPath" : "C:\\Windows\\System32\\svchost.exe (W32Time) (1072)", + "ipThreatScore" : 0, + "fqdn" : "fs02.posh.local", + "ip" : "10.0.0.8", + "userName" : "NT AUTHORITY\\LOCAL SERVICE", + "envGroupId" : "g:e:zUnrnhfa", + "userId" : "S-1-5-19", + "assetType" : 2, + "eventRecordId" : 24143201, + "assetSrc" : 3, + "port" : 123, + "processId" : "1072", + "processName" : "svchost.exe (W32Time) (1072)", + "assetId" : "a:a:ka62y0mc" + }, + "trafficType" : 1, + "state" : 3, + "timestamp" : 1734584254851 + } + result: + custom: + dst: + assetId: "a:a:VWW2G2C8" + assetSrc: 3 + assetType: 2 + eventRecordId: 43174318 + fqdn: "dc01.posh.local" + ip: "10.0.0.4" + ipThreatScore: 0 + networkProtectionState: 5 + port: 123 + processId: "1056" + processName: "svchost.exe (W32Time) (1056)" + processPath: "C:\\Windows\\System32\\svchost.exe (W32Time) (1056)" + userId: "S-1-5-19" + userName: "NT AUTHORITY\\LOCAL SERVICE" + protocol: 17 + reason: 5 + src: + assetId: "a:a:ka62y0mc" + assetSrc: 3 + assetType: 2 + envGroupId: "g:e:zUnrnhfa" + eventRecordId: 24143201 + fqdn: "fs02.posh.local" + ip: "10.0.0.8" + ipThreatScore: 0 + networkProtectionState: 6 + port: 123 + processId: "1072" + processName: "svchost.exe (W32Time) (1072)" + processPath: "C:\\Windows\\System32\\svchost.exe (W32Time) (1072)" + userId: "S-1-5-19" + userName: "NT AUTHORITY\\LOCAL SERVICE" + state: 3 + timestamp: 1734584254851 + trafficType: 1 + message: |- + { + "reason" : 5, + "protocol" : 17, + "dst" : { + "networkProtectionState" : 5, + "processPath" : "C:\\Windows\\System32\\svchost.exe (W32Time) (1056)", + "ipThreatScore" : 0, + "fqdn" : "dc01.posh.local", + "ip" : "10.0.0.4", + "userName" : "NT AUTHORITY\\LOCAL SERVICE", + "userId" : "S-1-5-19", + "assetType" : 2, + "eventRecordId" : 43174318, + 
"assetSrc" : 3, + "port" : 123, + "processId" : "1056", + "processName" : "svchost.exe (W32Time) (1056)", + "assetId" : "a:a:VWW2G2C8" + }, + "src" : { + "networkProtectionState" : 6, + "processPath" : "C:\\Windows\\System32\\svchost.exe (W32Time) (1072)", + "ipThreatScore" : 0, + "fqdn" : "fs02.posh.local", + "ip" : "10.0.0.8", + "userName" : "NT AUTHORITY\\LOCAL SERVICE", + "envGroupId" : "g:e:zUnrnhfa", + "userId" : "S-1-5-19", + "assetType" : 2, + "eventRecordId" : 24143201, + "assetSrc" : 3, + "port" : 123, + "processId" : "1072", + "processName" : "svchost.exe (W32Time) (1072)", + "assetId" : "a:a:ka62y0mc" + }, + "trafficType" : 1, + "state" : 3, + "timestamp" : 1734584254851 + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1 \ No newline at end of file diff --git a/zero_networks/assets/service_checks.json b/zero_networks/assets/service_checks.json new file mode 100644 index 0000000000000..fe51488c7066f --- /dev/null +++ b/zero_networks/assets/service_checks.json @@ -0,0 +1 @@ +[] diff --git a/zero_networks/assets/zero_networks.svg b/zero_networks/assets/zero_networks.svg new file mode 100644 index 0000000000000..b9c57c68efadb --- /dev/null +++ b/zero_networks/assets/zero_networks.svg @@ -0,0 +1,8 @@ + \ No newline at end of file diff --git a/zero_networks/images/zero_networks_audit.png b/zero_networks/images/zero_networks_audit.png new file mode 100644 index 0000000000000..6732cdf2bab72 Binary files /dev/null and b/zero_networks/images/zero_networks_audit.png differ diff --git a/zero_networks/images/zero_networks_network_activities.png b/zero_networks/images/zero_networks_network_activities.png new file mode 100644 index 0000000000000..b929c5178c00c Binary files /dev/null and b/zero_networks/images/zero_networks_network_activities.png differ diff --git a/zero_networks/manifest.json b/zero_networks/manifest.json new file mode 100644 index 0000000000000..225374601b006 --- /dev/null +++ b/zero_networks/manifest.json 
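Review bot: Both fixtures' `result.custom` blocks reproduce the sample unchanged — none of the pipeline's targets (`usr.name`, `network.client.ip`, `network.client.geoip`, `fields_mapping.src.assetSrc`) appears — and the sample keys are `src.userName` / `src.ip` where the remappers in the preceding hunk read `record.src.userName` / `record.src.ip`. Unless the crawler wraps each event under a `record` key before the pipeline runs, these tests never exercise a remapper and would still pass with a broken pipeline; either wrap the samples to match, or add a comment at the top of `tests:` stating why processed attributes are not asserted. Separately, the audit sample's `details` value is a double-encoded JSON string (`\"publicIp\":\"163.116.212.44\"`), and nothing in the visible part of the pipeline hunk parses it, so the address inside it is never geo-enriched or searchable as an attribute; a parser for `details` would be worth adding. The fixture's public address would also be better drawn from a documentation range (for example 192.0.2.0/24) than from a routable one.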
@@ -0,0 +1,55 @@
+{
+  "manifest_version": "2.0.0",
+  "app_uuid": "5be301d0-072e-42c2-a579-0c8d24755a85",
+  "app_id": "zero-networks",
+  "display_on_public_website": false,
+  "tile": {
+    "overview": "README.md#Overview",
+    "configuration": "README.md#Setup",
+    "support": "README.md#Support",
+    "changelog": "CHANGELOG.md",
+    "description": "Gain insights into Zero Networks audit and network activities logs.",
+    "title": "Zero Networks",
+    "media": [
+      {
+        "caption": "Zero Networks - Audit",
+        "image_url": "images/zero_networks_audit.png",
+        "media_type": "image"
+      },
+      {
+        "caption": "Zero Networks - Network Activities",
+        "image_url": "images/zero_networks_network_activities.png",
+        "media_type": "image"
+      }
+    ],
+    "classifier_tags": [
+      "Category::Log Collection",
+      "Category::Security",
+      "Submitted Data Type::Logs",
+      "Offering::Integration"
+    ]
+  },
+  "assets": {
+    "integration": {
+      "auto_install": false,
+      "source_type_id": 35533755,
+      "source_type_name": "Zero Networks",
+      "events": {
+        "creates_events": false
+      },
+      "service_checks": {
+        "metadata_path": "assets/service_checks.json"
+      }
+    },
+    "dashboards": {
+      "Zero Networks - Audit": "assets/dashboards/zero_networks_audit.json",
+      "Zero Networks - Network Activities": "assets/dashboards/zero_networks_network_activities.json"
+    }
+  },
+  "author": {
+    "support_email": "help@datadoghq.com",
+    "name": "Datadog",
+    "homepage": "https://www.datadoghq.com",
+    "sales_email": "info@datadoghq.com"
+  }
+}
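Review bot: `assets` declares the integration and the two dashboards but no `logs` entry, even though this commit ships a `zero-networks` log pipeline and its test fixtures; for a log-only tile the pipeline is normally registered with `"logs": { "source": "zero-networks" }` inside `assets`, so confirm whether its omission is intentional. The `source_type_name` / `app_id` pair and the pipeline `id` in the test file should agree on the `zero-networks` source value once that entry is added.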