diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index cecdeefd875..1c905e540b6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -18,6 +18,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Convert netflow input to API v2 and disable event normalisation {pull}37901[37901] - Introduce input/netmetrics and refactor netflow input metrics {pull}38055[38055] +- Update Salesforce module to use new Salesforce input. {pull}37509[37509] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0c897ca3b1e..0bb410948d0 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -125170,11 +125170,10 @@ Fileset for ingesting Salesforce Apex logs. -*`salesforce.access_mode`*:: +*`salesforce.instance_url`*:: + -- -The mode of collecting logs from Salesforce - "rest" or "stream". - +The Instance URL of the Salesforce instance. type: keyword @@ -125187,12 +125186,20 @@ Fileset for ingesting Salesforce Apex logs. +*`salesforce.apex.document_id`*:: ++ +-- +Unique ID of the Apex document. + +type: keyword + +-- + *`salesforce.apex.action`*:: + -- Action performed by the callout. - type: keyword -- @@ -125200,10 +125207,9 @@ type: keyword *`salesforce.apex.callout_time`*:: + -- -Time spent waiting on webservice callouts, in milliseconds. +Time spent waiting on web service callouts, in milliseconds. - -type: keyword +type: float -- @@ -125212,7 +125218,6 @@ type: keyword -- The Apex class name. If the class is part of a managed package, this string includes the package namespace. - type: keyword -- 
@@ -125220,8 +125225,7 @@ type: keyword *`salesforce.apex.client_name`*:: + -- -The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didnt specify a client in the CallOptions header. - +The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn't specify a client in the CallOptions header. type: keyword @@ -125232,8 +125236,7 @@ type: keyword -- The CPU time in milliseconds used to complete the request. - -type: keyword +type: float -- @@ -125242,8 +125245,7 @@ type: keyword -- Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance. - -type: keyword +type: long -- @@ -125252,18 +125254,16 @@ type: keyword -- The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request. - -type: keyword +type: float -- *`salesforce.apex.db_total_time`*:: + -- -Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. - +Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code. -type: keyword +type: float -- @@ -125272,7 +125272,6 @@ type: keyword -- Name of the external object being accessed. - type: keyword -- @@ -125282,7 +125281,6 @@ type: keyword -- The name of the object affected by the trigger. - type: keyword -- @@ -125292,7 +125290,6 @@ type: keyword -- The entry point for this Apex execution. - type: keyword -- 
@@ -125300,8 +125297,7 @@ type: keyword *`salesforce.apex.event_type`*:: + -- -The type of event. The value is always ApexCallout. - +The type of event. type: keyword @@ -125312,8 +125308,7 @@ type: keyword -- How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later. - -type: keyword +type: float -- @@ -125322,8 +125317,7 @@ type: keyword -- How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later. - -type: keyword +type: float -- @@ -125332,7 +125326,6 @@ type: keyword -- Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries. - type: keyword -- @@ -125342,7 +125335,6 @@ type: keyword -- Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false). - type: keyword -- @@ -125352,18 +125344,16 @@ type: keyword -- Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries. - -type: keyword +type: long -- -*`salesforce.apex.limit_usage_percent`*:: +*`salesforce.apex.limit_usage_pct`*:: + -- The percentage of Apex SOAP calls that were made against the organization's limit. - -type: keyword +type: float -- @@ -125372,7 +125362,6 @@ type: keyword -- The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. - type: keyword -- @@ -125382,7 +125371,6 @@ type: keyword -- The media type of the response. - type: keyword -- @@ -125392,8 +125380,7 @@ type: keyword -- Error or warning message associated with the failed call. - -type: keyword +type: text -- 
@@ -125402,28 +125389,25 @@ type: keyword -- The name of the calling Apex method. - type: keyword -- -*`salesforce.apex.number_fields`*:: +*`salesforce.apex.fields_count`*:: + -- The number of fields or columns, where applicable. - -type: keyword +type: long -- -*`salesforce.apex.number_soql_queries`*:: +*`salesforce.apex.soql_queries_count`*:: + -- The number of SOQL queries that were executed during the event. - -type: keyword +type: long -- @@ -125432,8 +125416,7 @@ type: keyword -- Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries. - -type: keyword +type: long -- @@ -125442,7 +125425,6 @@ type: keyword -- Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries. - type: keyword -- @@ -125452,7 +125434,6 @@ type: keyword -- The 15-character ID of the organization. - type: keyword -- @@ -125462,7 +125443,6 @@ type: keyword -- The SOQL query, if one was performed. - type: keyword -- 
@@ -125472,68 +125452,61 @@ type: keyword -- The type of outer execution associated with this event. - type: keyword -- -*`salesforce.apex.request.id`*:: +*`salesforce.apex.request_id`*:: + -- -The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. - +The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same request_id. type: keyword -- -*`salesforce.apex.request.status`*:: +*`salesforce.apex.request_status`*:: + -- The status of the request for a page view or user interface action. - type: keyword -- -*`salesforce.apex.rows.total`*:: +*`salesforce.apex.rows_total`*:: + -- Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability. - -type: keyword +type: long -- -*`salesforce.apex.rows.fetched`*:: +*`salesforce.apex.rows_fetched`*:: + -- Number of rows fetched by the callout. Available in API version 42.0 and later. - -type: keyword +type: long -- -*`salesforce.apex.rows.processed`*:: +*`salesforce.apex.rows_processed`*:: + -- The number of rows that were processed in the request. - -type: keyword +type: long -- *`salesforce.apex.run_time`*:: + -- -Not used for this event type. Use the TIME field instead. +The amount of time that the request took in milliseconds. - -type: keyword +type: float -- @@ -125542,7 +125515,6 @@ type: keyword -- Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries. - type: keyword -- @@ -125552,7 +125524,6 @@ type: keyword -- Reserved for future use. - type: keyword -- 
@@ -125562,38 +125533,33 @@ type: keyword -- Number of records retrieved in one second. - -type: keyword +type: float -- - -*`salesforce.apex.trigger.id`*:: +*`salesforce.apex.trigger_id`*:: + -- The 15-character ID of the trigger that was fired. - type: keyword -- -*`salesforce.apex.trigger.name`*:: +*`salesforce.apex.trigger_name`*:: + -- -For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger. - +For triggers coming from managed packages, trigger_name includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger. type: keyword -- -*`salesforce.apex.trigger.type`*:: +*`salesforce.apex.trigger_type`*:: + -- The type of this trigger. - type: keyword -- @@ -125603,7 +125569,6 @@ type: keyword -- The type of Apex callout. - type: keyword -- @@ -125613,17 +125578,15 @@ type: keyword -- The URI of the page that's receiving the request. - type: keyword -- -*`salesforce.apex.uri_id_derived`*:: +*`salesforce.apex.uri_derived_id`*:: + -- The 18-character case-safe ID of the URI of the page that's receiving the request. - type: keyword -- @@ -125633,7 +125596,6 @@ type: keyword -- The numeric code for the type of client used to make the request (for example, the browser, application, or API). - type: keyword -- @@ -125643,7 +125605,6 @@ type: keyword -- The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API. - type: keyword -- 
@@ -125651,55 +125612,224 @@ type: keyword [float] === salesforce.login -Fileset for ingesting Salesforce Login (Streaming) logs. +Fileset for ingesting Salesforce Login (REST) logs. +*`salesforce.login.document_id`*:: ++ +-- +Unique Id. + +type: keyword + +-- + *`salesforce.login.application`*:: + -- -The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A +The application used to access the organization. + +type: keyword + +-- +*`salesforce.login.api.type`*:: ++ +-- +The type of Salesforce API request. + +type: keyword + +-- + +*`salesforce.login.api.version`*:: ++ +-- +The version of the Salesforce API that's being used. + type: keyword -- -*`salesforce.login.auth_method_reference`*:: + +*`salesforce.login.auth.service_id`*:: + -- The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. +type: keyword + +-- + +*`salesforce.login.auth.method_reference`*:: ++ +-- +The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later. + +type: keyword + +-- + + +*`salesforce.login.session.level`*:: ++ +-- +Session-level security controls user access to features that support it, such as connected apps and reporting. This field is available in API version 42.0 and later. + +type: text + +-- + +*`salesforce.login.session.key`*:: ++ +-- +The user's unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For LoginEvent, this field is often null because the event is captured before a session is created. For example, vMASKIU6AxEr+Op5. This field is available in API version 46.0 and later. 
type: keyword -- -*`salesforce.login.auth_service_id`*:: +*`salesforce.login.key`*:: + -- -The 18-character ID for an authentication service for a login event. +The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. + +type: keyword + +-- +*`salesforce.login.history_id`*:: ++ +-- +Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and other objects, making it easier to trace events back to a user's original authentication. type: keyword -- +*`salesforce.login.type`*:: ++ +-- +The type of login used to access the session. + +type: keyword + +-- + +*`salesforce.login.geo_id`*:: ++ +-- +The Salesforce ID of the LoginGeo object associated with the login user's IP address. + +type: keyword + +-- + +*`salesforce.login.additional_info`*:: ++ +-- +JSON serialization of additional information that's captured from the HTTP headers during a login request. + +type: text + +-- + *`salesforce.login.client_version`*:: + -- The version number of the login client. If no version number is available, “Unknown” is returned. +type: keyword + +-- + +*`salesforce.login.client_ip`*:: ++ +-- +The IP address of the client that's using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. type: keyword -- -*`salesforce.login.created_by_id`*:: +*`salesforce.login.cpu_time`*:: + -- -Unavailable +The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. + +type: long + +-- + +*`salesforce.login.db_time_total`*:: ++ +-- +The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB's CPU time. 
Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code. + +type: double + +-- + +*`salesforce.login.event_type`*:: ++ +-- +The type of event. The value is always Login. + +type: keyword + +-- + +*`salesforce.login.organization_id`*:: ++ +-- +The 15-character ID of the organization. + +type: keyword + +-- + +*`salesforce.login.request_id`*:: ++ +-- +The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. + +type: keyword + +-- +*`salesforce.login.request_status`*:: ++ +-- +The status of the request for a page view or user interface action. + +type: keyword + +-- + +*`salesforce.login.run_time`*:: ++ +-- +The amount of time that the request took in milliseconds. + +type: long + +-- + +*`salesforce.login.user_id`*:: ++ +-- +The 15-character ID of the user who's using Salesforce services through the UI or the API. + +type: keyword + +-- + +*`salesforce.login.uri_id_derived`*:: ++ +-- +The 18-character case insensitive ID of the URI of the page that's receiving the request. type: keyword 
@@ -125710,124 +125840,224 @@ type: keyword -- The amount of time it took to evaluate the transaction security policy, in milliseconds. +type: float + +-- + +*`salesforce.login.login_type`*:: ++ +-- +The type of login used to access the session. type: keyword -- -*`salesforce.login.login_geo_id`*:: +[float] +=== salesforce.logout + +Fileset for parsing Salesforce Logout (REST) logs. + + + +*`salesforce.logout.document_id`*:: + -- -The Salesforce ID of the LoginGeo object associated with the login user’s IP address. +Unique Id. type: keyword -- -*`salesforce.login.login_history_id`*:: + +*`salesforce.logout.session.key`*:: + -- -Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication. +The user's unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. type: keyword -- -*`salesforce.login.login_type`*:: +*`salesforce.logout.session.level`*:: + -- -The type of login used to access the session. +The security level of the session that was used when logging out (e.g. Standard Session or High-Assurance Session). + + +type: text + +-- + +*`salesforce.logout.session.type`*:: ++ +-- +The session type that was used when logging out (e.g. API, Oauth2 or UI). type: keyword -- -*`salesforce.login.policy_id`*:: +*`salesforce.logout.login_key`*:: + -- -The ID of the transaction security policy associated with this event. +The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. type: keyword -- -*`salesforce.login.policy_outcome`*:: + +*`salesforce.logout.api.type`*:: + -- -The result of the transaction policy. +The type of Salesforce API request. 
type: keyword -- -*`salesforce.login.related_event_identifier`*:: +*`salesforce.logout.api.version`*:: + -- -This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. +The version of the Salesforce API that's being used. type: keyword -- -*`salesforce.login.session_level`*:: +*`salesforce.logout.app_type`*:: + -- -Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD +The application type that was in use upon logging out. type: keyword -- -[float] -=== salesforce.logout +*`salesforce.logout.browser_type`*:: ++ +-- +The identifier string returned by the browser used at login. -Fileset for parsing Salesforce Logout (Streaming) logs. +type: keyword +-- -*`salesforce.logout.created_by_id`*:: +*`salesforce.logout.client_version`*:: + -- -Unavailable +The version of the client that was in use upon logging out. type: keyword -- -*`salesforce.logout.related_event_identifier`*:: +*`salesforce.logout.event_type`*:: + -- -This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. +The type of event. The value is always Logout. 
type: keyword -- -*`salesforce.logout.replay_id`*:: +*`salesforce.logout.organization_by_id`*:: + -- -Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window. +The 15-character ID of the organization. type: keyword -- -*`salesforce.logout.schema`*:: +*`salesforce.logout.platform_type`*:: ++ +-- +The code for the client platform. If a timeout caused the logout, this field is null. + + +type: keyword + +-- + +*`salesforce.logout.resolution_type`*:: ++ +-- +The screen resolution of the client. If a timeout caused the logout, this field is null. + + +type: keyword + +-- + +*`salesforce.logout.user_id`*:: ++ +-- +The 15-character ID of the user who's using Salesforce services through the UI or the API. + + +type: keyword + +-- + +*`salesforce.logout.user_id_derived`*:: ++ +-- +The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API. + + +type: keyword + +-- + +*`salesforce.logout.user_initiated_logout`*:: ++ +-- +The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user's session timed out due to inactivity or another implicit logout action, the value is 0. + + +type: keyword + +-- + +*`salesforce.logout.created_by_id`*:: + -- Unavailable +type: keyword + +-- + +*`salesforce.logout.event_identifier`*:: ++ +-- +This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. 
If no extra authentication is required, this field is blank. + + +type: keyword + +-- + +*`salesforce.logout.organization_id`*:: ++ +-- +The 15-character ID of the organization. + + type: keyword -- @@ -125839,10 +126069,10 @@ Fileset for ingesting Salesforce SetupAuditTrail logs. -*`salesforce.setup_audit_trail.event_type`*:: +*`salesforce.setup_audit_trail.document_id`*:: + -- -Event type +Unique Id. type: keyword @@ -125882,7 +126112,7 @@ type: keyword *`salesforce.setup_audit_trail.delegate_user`*:: + -- -The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later. +The Login-As user who executed the action in Setup. If a Login-As user didn't perform the action, this field is blank. This field is available in API version 35.0 and later. type: keyword diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc index 13e4ffde499..d30d3c3b9e3 100644 --- a/filebeat/docs/filebeat-options.asciidoc +++ b/filebeat/docs/filebeat-options.asciidoc @@ -89,6 +89,7 @@ You can configure {beatname_uc} to use the following inputs: * <<{beatname_lc}-input-netflow>> * <<{beatname_lc}-input-o365audit>> * <<{beatname_lc}-input-redis>> +* <<{beatname_lc}-input-salesforce>> * <<{beatname_lc}-input-stdin>> * <<{beatname_lc}-input-syslog>> * <<{beatname_lc}-input-tcp>> @@ -143,6 +144,8 @@ include::../../x-pack/filebeat/docs/inputs/input-o365audit.asciidoc[] include::inputs/input-redis.asciidoc[] +include::../../x-pack/filebeat/docs/inputs/input-salesforce.asciidoc[] + include::inputs/input-stdin.asciidoc[] include::inputs/input-syslog.asciidoc[] 
diff --git a/filebeat/docs/images/filebeat-salesforce-login-dashboard.png b/filebeat/docs/images/filebeat-salesforce-login-dashboard.png
index 72003b0f00f..dc862bddc01 100644
Binary files a/filebeat/docs/images/filebeat-salesforce-login-dashboard.png and b/filebeat/docs/images/filebeat-salesforce-login-dashboard.png differ
diff --git a/filebeat/docs/images/filebeat-salesforce-logout-dashboard.png b/filebeat/docs/images/filebeat-salesforce-logout-dashboard.png
index f65b29be018..aeff9a04ee4 100644
Binary files a/filebeat/docs/images/filebeat-salesforce-logout-dashboard.png and b/filebeat/docs/images/filebeat-salesforce-logout-dashboard.png differ
diff --git a/filebeat/docs/images/filebeat-salesforce-setupaudittrail-dashboard.png b/filebeat/docs/images/filebeat-salesforce-setupaudittrail-dashboard.png
new file mode 100644
index 00000000000..2d0c6674bd4
Binary files /dev/null and b/filebeat/docs/images/filebeat-salesforce-setupaudittrail-dashboard.png differ
diff --git a/filebeat/docs/modules/salesforce.asciidoc b/filebeat/docs/modules/salesforce.asciidoc
index b81def57bef..8e431e8d97e 100644
--- a/filebeat/docs/modules/salesforce.asciidoc
+++ b/filebeat/docs/modules/salesforce.asciidoc
@@ -12,314 +12,577 @@ This file is generated! See scripts/docs_collector.py == Salesforce module -This is a module for Salesforce logs. -It collects the logs using the following two different types of inputs: +include::{libbeat-dir}/shared/integration-link.asciidoc[] -- `httpjson` input: collects historical data from Salesforce REST API. -- `cometd` input: collects real-time data from Salesforce Streaming API. +[NOTE] -It includes the following filesets for receiving logs: +The Salesforce module has been completely revamped to use a new dedicated Salesforce input for event collection, replacing the previous HTTPJSON input method. This change brings improved performance and reliability. However, please be aware that this update introduces a breaking change. We believe this is the right time to make this necessary improvement as the previous module was in beta. -- `login-rest` fileset: supports Salesforce Login logs received from the REST API. -- `login-stream` fileset: supports Salesforce Login logs received from the Streaming API. -- `logout-rest` fileset: supports Salesforce Logout logs received from the REST API. -- `logout-stream` fileset: supports Salesforce Logout logs received from the Streaming API. -- `apex-rest` fileset: supports Salesforce Apex logs received from the REST API. -- `setupaudittrail-rest` fileset: supports logs generated when admins make in your org’s Setup area. +The Salesforce module collects logs from a Salesforce instance using the Salesforce REST API. It supports real-time and historical data collection for various log types including Login, Logout, APEX, and Setup Audit Trail. -Note: We can leverage the inputs provided above to collect the rest of the events from the Salesforce REST or Streaming API. +The Salesforce module contains the following filesets for collecting different types of logs: -include::../include/what-happens.asciidoc[] +- The `login` fileset collects Login events from the EventLogFile or Objects (real-time). 
+- The `logout` fileset collects Logout events from the EventLogFile or Objects (real-time). +- The `apex` fileset collects APEX execution logs from the EventLogFile. +- The `setupaudittrail` fileset collects Audit Trails events generated when admins make configuration changes in the org's Setup area from the Objects (real-time). + +[options="header"] +|=== +| Fileset | EventLogFile | Objects (real-time) + +|login +|yes +|yes + +|logout +|yes +|yes + +|apex +|yes +|no + +|setupaudittrail +|no +|yes +|=== + + +[IMPORTANT] +==== +The default interval for collecting logs (`var.real_time_interval` or `var.elf_interval`) is 5m/1h. Exercise caution when reducing this interval, as it directly impacts the Salesforce API rate limit of ~1000 calls per hour. Exceeding the limit will result in errors from the Salesforce API. Refer to the https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm[Salesforce API Rate Limit] documentation for more details. +==== + +== Set up the OAuth App in the Salesforce + +In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce: + +1. Login to https://login.salesforce.com/[Salesforce] with the same user credentials that the user wants to collect data with. +2. Click on Setup on the top right menu bar. On the Setup page, search for `App Manager` in the `Search Setup` search box at the top of the page, then select `App Manager`. +3. Click _New Connected App_. +4. Provide a name for the connected application. This will be displayed in the App Manager and on its App Launcher tile. +5. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name. +6. Enter the contact email for Salesforce. +7. 
Under the API (Enable OAuth Settings) section of the page, select _Enable OAuth Settings_. +8. In the Callback URL, enter the Instance URL (Please refer to `Salesforce Instance URL`). +9. Select the following OAuth scopes to apply to the connected app: +- Manage user data via APIs (api). +- Perform requests at any time (refresh_token, offline_access). +- (Optional) In case of data collection, if any permission issues arise, add the Full access (full) scope. +10. Select _Require Secret for the Web Server Flow_ to require the app's client secret in exchange for an access token. +11. Select _Require Secret for Refresh Token Flow_ to require the app's client secret in the authorization request of a refresh token and hybrid refresh token flow. +12. Click Save. It may take approximately 10 minutes for the changes to take effect. +13. Click Continue and then under API details, click Manage Consumer Details. Verify the user account using the Verification Code. +14. Copy `Consumer Key` and `Consumer Secret` from the Consumer Details section, which should be populated as values for Client ID and Client Secret respectively in the configuration. + +For more details on how to create a Connected App, refer to the Salesforce documentation https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_create.htm[here]. + +[NOTE] + +==== + +*Enabling real-time events* + +To get started with https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring[real-time] events, head to setup and into the quick find search for 'Event Manager'. Enterprise and Unlimited environments have access to the Logout Event by default, but the remainder of the events need licensing to access https://help.salesforce.com/s/articleView?id=sf.salesforce_shield.htm&type=5[Shield Event Monitoring]. 
+ +==== include::../include/gs-link.asciidoc[] +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: login + +include::../include/config-option-intro.asciidoc[] + +[float] +=== Fileset settings + [float] -==== `login-rest` fileset settings +==== `login` fileset Example config: [source,yaml] ---- - module: salesforce - login-rest: + login: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: Hourly + + var.real_time: true + var.real_time_interval: 5m ---- -include::../include/var-paths.asciidoc[] +*`var.initial_interval`*:: -*`var.client_id`*:: +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). -Oauth client ID. +*`var.api_version`*:: -*`var.client_secret`*:: +The API version of the Salesforce instance. -Oauth client secret. +*`var.authentication`*:: -*`var.token_url`*:: +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. -Oauth token URL. +*`var.authentication.jwt_bearer_flow.enabled`*:: -*`var.user`*:: +Set to true to use JWT authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. 
+*`var.authentication.jwt_bearer_flow.client.id`*:: -*`var.password`*:: +The client ID for JWT authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.username`*:: -*`var.url`*:: +The username for JWT authentication. -The URL of the Saleforce instance. +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -[float] -==== `login-stream` fileset settings +Path to the client key file for JWT authentication. -Example config: +*`var.authentication.jwt_bearer_flow.url`*:: -[source,yaml] ----- -- module: salesforce - login-stream: - enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" - var.url: "https://instance-url.salesforce.com" ----- +The audience URL for JWT authentication. -include::../include/var-paths.asciidoc[] +*`var.authentication.user_password_flow.enabled`*:: -*`var.client_id`*:: +Set to true to use user-password authentication. -Oauth client ID. +*`var.authentication.user_password_flow.client.id`*:: -*`var.client_secret`*:: +The client ID for user-password authentication. -Oauth client secret. +*`var.authentication.user_password_flow.client.secret`*:: -*`var.token_url`*:: +The client secret for user-password authentication. -Oauth token URL. +*`var.authentication.user_password_flow.token_url`*:: -*`var.user`*:: +The Salesforce token URL for user-password authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.username`*:: -*`var.password`*:: +The Salesforce username for authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. 
+*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. + +*`var.event_log_file`*:: + +Set to true to collect logs from EventLogFile (historical data). + +*`var.elf_interval`*:: + +Interval for collecting EventLogFile logs, e.g. 1h or 5m. + +*`var.log_file_interval`*:: + +Either "Hourly" or "Daily". The time interval of each log file from EventLogFile. + +*`var.real_time`*:: + +Set to true to collect real-time data collection. + +*`var.real_time_interval`*:: + +Interval for collecting real-time logs, e.g. 30s or 5m. [float] -==== `logout-rest` fileset settings +==== `logout` fileset Example config: [source,yaml] ---- - module: salesforce - logout-rest: + logout: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: Hourly + + var.real_time: true + var.real_time_interval: 5m ---- -include::../include/var-paths.asciidoc[] +*`var.initial_interval`*:: -*`var.client_id`*:: +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). -Oauth client ID. +*`var.api_version`*:: -*`var.client_secret`*:: +The API version of the Salesforce instance. -Oauth client secret. 
+*`var.authentication`*:: -*`var.token_url`*:: +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. -Oauth token URL. +*`var.authentication.jwt_bearer_flow.enabled`*:: -*`var.user`*:: +Set to true to use JWT authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.id`*:: -*`var.password`*:: +The client ID for JWT authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.username`*:: -*`var.url`*:: +The username for JWT authentication. -The URL of the Saleforce instance. +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -[float] -==== `logout-stream` fileset settings +Path to the client key file for JWT authentication. -Example config: +*`var.authentication.jwt_bearer_flow.url`*:: -[source,yaml] ----- -- module: salesforce - logout-stream: - enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" - var.url: "https://instance-url.salesforce.com" ----- +The audience URL for JWT authentication. -include::../include/var-paths.asciidoc[] +*`var.authentication.user_password_flow.enabled`*:: -*`var.client_id`*:: +Set to true to use user-password authentication. -Oauth client ID. +*`var.authentication.user_password_flow.client.id`*:: -*`var.client_secret`*:: +The client ID for user-password authentication. -Oauth client secret. +*`var.authentication.user_password_flow.client.secret`*:: -*`var.token_url`*:: +The client secret for user-password authentication. -Oauth token URL. +*`var.authentication.user_password_flow.token_url`*:: -*`var.user`*:: +The Salesforce token URL for user-password authentication. 
-The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.username`*:: -*`var.password`*:: +The Salesforce username for authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. + +*`var.event_log_file`*:: + +Set to true to collect logs from EventLogFile (historical data). + +*`var.elf_interval`*:: + +Interval for collecting EventLogFile logs, e.g. 1h or 5m. + +*`var.log_file_interval`*:: + +Either "Hourly" or "Daily". The time interval of each log file from EventLogFile. + +*`var.real_time`*:: + +Set to true to collect real-time data collection. + +*`var.real_time_interval`*:: + +Interval for collecting real-time logs, e.g. 30s or 5m. [float] -==== `setupaudittrail-rest` fileset settings +==== `setupaudittrail` fileset Example config: [source,yaml] ---- - module: salesforce - setupaudittrail-rest: + setupaudittrail: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" - var.interval: 1h + + var.real_time: true + var.real_time_interval: 5m ---- 
-include::../include/var-paths.asciidoc[] +*`var.initial_interval`*:: + +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). + +*`var.api_version`*:: + +The API version of the Salesforce instance. + +*`var.authentication`*:: + +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. + +*`var.authentication.jwt_bearer_flow.enabled`*:: + +Set to true to use JWT authentication. + +*`var.authentication.jwt_bearer_flow.client.id`*:: -*`var.client_id`*:: +The client ID for JWT authentication. -Oauth client ID. +*`var.authentication.jwt_bearer_flow.client.username`*:: -*`var.client_secret`*:: +The username for JWT authentication. -Oauth client secret. +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -*`var.token_url`*:: +Path to the client key file for JWT authentication. -Oauth token URL. +*`var.authentication.jwt_bearer_flow.url`*:: -*`var.user`*:: +The audience URL for JWT authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.enabled`*:: -*`var.password`*:: +Set to true to use user-password authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.client.id`*:: + +The client ID for user-password authentication. + +*`var.authentication.user_password_flow.client.secret`*:: + +The client secret for user-password authentication. + +*`var.authentication.user_password_flow.token_url`*:: + +The Salesforce token URL for user-password authentication. + +*`var.authentication.user_password_flow.username`*:: + +The Salesforce username for authentication. + +*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. 
+ +*`var.real_time`*:: -*`var.interval`*:: +Set to true to collect real-time data collection. -Period of fetching logs, i.e. 1s/1m/1h. +*`var.real_time_interval`*:: -Note: The default value of `var.interval` is 1h. It is important to exercise caution when reducing the interval, as it directly affects the API rate limit of the Salesforce instance. Salesforce API rate limit is ~1000 API calls per hour. Hence if user goes with lower limit of var.interval, the Salesforce API rate limit will exceed and any additional API requests beyond the limit will result in an error response from the Salesforce API. The error message will typically indicate that the rate limit has been exceeded. Please refer to the following link for the https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm[Salesforce API Rate Limit]. +Interval for collecting real-time logs, e.g. 30s or 5m. [float] -==== `apex-rest` fileset settings +==== `apex` fileset Example config: [source,yaml] ---- - module: salesforce - apex-rest: + apex: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.log_file_interval: Hourly + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: Hourly ---- -include::../include/var-paths.asciidoc[] 
+*`var.initial_interval`*:: + +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). + +*`var.api_version`*:: + +The API version of the Salesforce instance. -*`var.client_id`*:: +*`var.authentication`*:: -Oauth client ID. +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. -*`var.client_secret`*:: +*`var.authentication.jwt_bearer_flow.enabled`*:: -Oauth client secret. +Set to true to use JWT authentication. -*`var.token_url`*:: +*`var.authentication.jwt_bearer_flow.client.id`*:: -Oauth token URL. +The client ID for JWT authentication. -*`var.user`*:: +*`var.authentication.jwt_bearer_flow.client.username`*:: -The user used as part of the authentication flow. It is required for authentication - grant type password. +The username for JWT authentication. -*`var.password`*:: +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -The password used as part of the authentication flow. It is required for authentication - grant type password. +Path to the client key file for JWT authentication. + +*`var.authentication.jwt_bearer_flow.url`*:: + +The audience URL for JWT authentication. + +*`var.authentication.user_password_flow.enabled`*:: + +Set to true to use user-password authentication. + +*`var.authentication.user_password_flow.client.id`*:: + +The client ID for user-password authentication. + +*`var.authentication.user_password_flow.client.secret`*:: + +The client secret for user-password authentication. + +*`var.authentication.user_password_flow.token_url`*:: + +The Salesforce token URL for user-password authentication. + +*`var.authentication.user_password_flow.username`*:: + +The Salesforce username for authentication. + +*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. 
+ +*`var.event_log_file`*:: + +Set to true to collect logs from EventLogFile (historical data). + +*`var.elf_interval`*:: + +Interval for collecting EventLogFile logs, e.g. 1h or 5m. + +*`var.log_file_interval`*:: + +Either "Hourly" or "Daily". The time interval of each log file from EventLogFile. [float] -=== Example dashboard +=== Example dashboards + +The Salesforce module includes several predefined dashboards: -This Salesforce module comes with several predefined dashboards, including Login, Logout, Apex, and Setup Audit Trails Dashboards. For example: +- Login Dashboard: Visualizes login activity and trends. +- Logout Dashboard: Visualizes logout activity and trends. +- Apex Dashboard: Visualizes Apex executions and errors. +- Setup Audit Trail Dashboard: Shows changes made in the Setup area. image::./images/filebeat-salesforce-login-dashboard.png[] image::./images/filebeat-salesforce-logout-dashboard.png[] -:has-dashboards!: +image::./images/filebeat-salesforce-setupaudittrail-dashboard.png[] + +Access these dashboards in Kibana by going to Management -> Kibana -> Dashboards and searching for "Salesforce". + +[float] +=== Troubleshooting + +Here are some common issues and how to resolve them: + +*Hitting Salesforce API limits*:: +Reduce the values of `var.real_time_interval` and `var.elf_interval` to poll the API less frequently. Monitor the API usage in your Salesforce instance. + +*Connectivity issues*:: +Verify the `var.url` is correct. Check that the user credentials are valid and have the necessary permissions. Ensure network connectivity between the Elastic Agent and Salesforce instance. + +*Not seeing any data*:: +Check the Elastic Agent logs for errors. Verify the module configuration is correct, the filesets are enabled, and the intervals are reasonable. Confirm there is log activity in Salesforce for the log types being collected. + +:has-dashboards!: :fileset_ex!: :modulename!: - [float] === Fields 
diff --git a/go.sum b/go.sum index 83453f9727f..9d91060a158 100644 --- a/go.sum +++ b/go.sum @@ -2884,4 +2884,4 @@ sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZa sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= +sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= \ No newline at end of file diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py index 8fe74193b91..b8c4b3c43f1 100644 --- a/libbeat/tests/system/beat/beat.py +++ b/libbeat/tests/system/beat/beat.py @@ -814,16 +814,25 @@ def is_documented(key, docs): return True return False + undocumented_keys = [] + is_documented_aliases = [] + for key in flat.keys(): meta_key = key.startswith('@metadata.') # Range keys as used in 'date_range' etc will not have docs of course is_range_key = key.split('.')[-1] in ['gte', 'gt', 'lte', 'lt'] + if not(is_documented(key, expected_fields) or meta_key or is_range_key): - raise Exception( - f"Key '{key}' found in event ({str(evt)}) is not documented!") + undocumented_keys.append(key) + if is_documented(key, aliases): - raise Exception( - "Key '{key}' found in event is documented as an alias!") + is_documented_aliases.append(key) + + if undocumented_keys: + raise Exception(f"Keys {undocumented_keys} not documented in event {str(evt)}") + + if is_documented_aliases: + raise Exception(f"Keys {is_documented_aliases} documented as aliases!") def get_beat_version(self): """ diff --git a/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc b/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc index 3b85b8511b6..02e6f4675c3 100644 
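Review bot: When an event contains both undocumented keys and keys documented as aliases, only the first `raise` fires, so the alias list is never reported and it takes a second run to see it. The loop already collects both lists, so the two checks can build one message and raise once: `errors = []`, append one line per non-empty list, then `if errors: raise Exception("; ".join(errors))`. Two style points on the added lines: `not(` reads better as `not (`, and `{str(evt)}` inside an f-string can be `{evt}`. The enclosing method starts outside the hunk, so how callers handle the exception text is not visible here.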
--- a/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc
+++ b/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc
@@ -11,21 +11,32 @@ Use the `salesforce` input to monitor Salesforce events either via the https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm[Salesforce EventLogFile (ELF) API] or the https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring[Salesforce Real-time event monitoring API]. Both use REST API (to execute SOQL queries in the Salesforce instance) under the hood to query the relevant objects to fetch the events. -Here the `input` have cursor state(s) that will be provided to the next execution of event monitoring to fetch the events from the last cursor state. The cursor states can be used to control the behaviour of the program. +The Salesforce input maintains cursor states between requests to track the last event retrieved in each execution. These cursor states are passed to the next event monitoring execution to resume fetching events from the last known position. The cursor states allow the input to pick up where it left off and provide control over the behavior of the input. -This input supports: +Here are some supported authentication methods and event monitoring methods: -* Auth +* Authentication methods ** OAuth2 *** User-Password flow *** JWT Bearer flow -* Event Monitoring + +* Event monitoring methods ** EventLogFile (ELF) using REST API -** REST API for objects (Used for Setup Audit Trail and for monitoring real-time events) +** REST API for objects (For monitoring real-time events) + +Here are some key points about how cursors are used in the Salesforce input: + +- Separate cursor states are maintained for each configured event monitoring method (`event_log_file` and `object`). +- The cursor state stores the unique identifier of the last event retrieved, based on the `cursor.field` specified in the configuration. +- On the first run, the `query.default` is used to fetch an initial set of events. 
+- On subsequent runs, the `query.value` template is populated with the cursor state to fetch events since the last execution. +- If the input is restarted, it will resume from the last persisted cursor state rather than starting over from scratch. + +Using cursors allows the Salesforce input to reliably keep track of its progress and avoid missing or duplicating events across executions. The cursor field should be chosen carefully to have a monotonically increasing value for each new event. Event Monitoring methods are highly configurable and can be used to monitor any supported object or event log file. The input can be configured to monitor multiple objects or event log files at the same time. -Example configurations: +Example configuration: ["source","yaml",subs="attributes"] ---- 
@@ -67,6 +78,39 @@ filebeat.inputs: field: "EventDate" ---- +==== Set up the OAuth App in the Salesforce + +In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce: + +1. Login to https://login.salesforce.com/[Salesforce] with the same user credentials that the user wants to collect data with. +2. Click on Setup on the top right menu bar. On the Setup page, search for `App Manager` in the `Search Setup` search box at the top of the page, then select `App Manager`. +3. Click _New Connected App_. +4. Provide a name for the connected application. This will be displayed in the App Manager and on its App Launcher tile. +5. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name. +6. Enter the contact email for Salesforce. +7. Under the API (Enable OAuth Settings) section of the page, select _Enable OAuth Settings_. +8. In the Callback URL, enter the Instance URL (Please refer to `Salesforce Instance URL`). +9. Select the following OAuth scopes to apply to the connected app: +- Manage user data via APIs (api). +- Perform requests at any time (refresh_token, offline_access). +- (Optional) In case of data collection, if any permission issues arise, add the Full access (full) scope. +10. Select _Require Secret for the Web Server Flow_ to require the app's client secret in exchange for an access token. +11. Select _Require Secret for Refresh Token Flow_ to require the app's client secret in the authorization request of a refresh token and hybrid refresh token flow. +12. Click Save. It may take approximately 10 minutes for the changes to take effect. +13. Click Continue and then under API details, click Manage Consumer Details. Verify the user account using the Verification Code. +14. 
Copy `Consumer Key` and `Consumer Secret` from the Consumer Details section, which should be populated as values for Client ID and Client Secret respectively in the configuration. + +For more details on how to create a Connected App, refer to the Salesforce documentation https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_create.htm[here]. + +[NOTE] + +==== + +*Enabling real-time events* + +To get started with https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring[real-time] events, head to setup and into the quick find search for 'Event Manager'. Enterprise and Unlimited environments have access to the Logout Event by default, but the remainder of the events need licensing to access https://help.salesforce.com/s/articleView?id=sf.salesforce_shield.htm&type=5[Shield Event Monitoring]. + +==== ==== Execution 
@@ -74,9 +118,27 @@ The `salesforce` input is a long-running program that retrieves events from a Sa There are two methods to fetch the events from the Salesforce instance: -- event_log_file: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm[EventLogFile] is a standard object in Salesforce and the event monitoring method uses the REST API under the hood to gather the Salesforce org's operational events from the object. There is a field EventType that helps distinguish between the types of operational events like — Login, Logout, etc. Uses Salesforce's query language SOQL to query the object. +- `event_log_file`: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm[EventLogFile] is a standard object in Salesforce and the event monitoring method uses the REST API under the hood to gather the Salesforce org's operational events from the object. There is a field EventType that helps distinguish between the types of operational events like — Login, Logout, etc. Uses Salesforce's query language SOQL to query the object. + +- `object`: This method is a general way of retrieving events from a Salesforce instance by using the REST API. It can be used for monitoring https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_list.htm[objects] in real-time. In real-time event monitoring, subscribing to the events is a common practice, but the events are also stored in Salesforce org (if configured), specifically in big object tables that are preconfigured for each event type. With this method, we query the object using Salesforce's query language (https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm[SOQL]). The collection happens at the configured scrape `interval`. 
-- object: This method is a general way of retrieving events from a Salesforce instance by using the REST API. It can be used for the SetupAuditTrail and for monitoring objects in real-time. In real-time event monitoring, subscribing to the events is a common practice, but the events are also stored in Salesforce org (if configured), specifically in big object tables that are preconfigured for each event type. To query the object, Salesforce's query language SOQL is used. +[NOTE] +==== + +*Salesforce Objects and SOQL Query Field Ordering Limitations* + +Each Salesforce Object contains a set of fields, but SOQL queries have restrictions on the fields that can be ordered and the specific ordering method. The Object description on the Salesforce Developers page provides information about these limitations. For instance, the Login Object only allows ordering by the EventDate field in descending order. + +When collecting data over time using cursors, the following cursor inputs are available: + +- `object.first_event_time`: This cursor input stores the cursor value from the first event encountered during data collection using the object method. +- `object.last_event_time`: This cursor input stores the cursor value from the last event encountered during data collection using the object method. +- `event_log_file.first_event_time`: This cursor input stores the cursor value from the first event encountered during data collection using the event log file method. +- `event_log_file.last_event_time`: This cursor input stores the cursor value from the last event encountered during data collection using the event log file method. + +By selecting one of the above cursor inputs, users can collect data from both the object and event log file in the desired order. The cursor configuration can be customized based on the user's specific requirements. + +==== ==== Configuration options 
@@ -113,7 +175,9 @@ There are two OAuth2 authentication flows supported: Whether to use the user-password flow for authentication. Default: `false`. -NOTE: Only one authentication flow can be enabled at a time. +[NOTE] + +Only one authentication flow can be enabled at a time. [string] ==== `auth.oauth2.user_password_flow.client.id` @@ -145,7 +209,9 @@ The password for the user-password flow. Whether to use the JWT bearer flow for authentication. Default: `false`. -NOTE: Only one authentication flow can be enabled at a time. +[NOTE] + +Only one authentication flow can be enabled at a time. [string] ==== `auth.oauth2.jwt_bearer_flow.client.id` @@ -172,23 +238,22 @@ The URL for the JWT bearer flow. The URL of the Salesforce instance. Required. -[[resource-parameters]] -[float] +[duration] ==== `resource.timeout` Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`. -[float] +[integer] ==== `resource.retry.max_attempts` The maximum number of retries for the HTTP client. Default: `5`. -[float] +[duration] ==== `resource.retry.wait_min` The minimum time to wait before a retry is attempted. Default: `1s`. -[float] +[duration] ==== `resource.retry.wait_max` The maximum time to wait before a retry is attempted. Default: `60s`. @@ -239,7 +304,7 @@ The field to use to fetch the cursor state from the last event fetched from the [object] ==== `event_monitoring_method.object` -The event monitoring method to use — object. Uses REST API to fetch the events directly from the objects from the Salesforce instance. This method is used for Setup Audit Trail and for monitoring real-time events. +The event monitoring method to use — object. Uses REST API to fetch the events directly from the objects from the Salesforce instance. [bool] ==== `event_monitoring_method.object.enabled` 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index ab9bafd0ed5..b2f1bd22ff2 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -1878,136 +1878,148 @@ filebeat.modules: #var.password: #------------------------------ Salesforce Module ------------------------------ -- module: salesforce +# Configuration file for Salesforce module in Filebeat - apex-rest: - enabled: false +# Common Configurations: +# - enabled: Set to true to enable ingestion of Salesforce module fileset +# - initial_interval: Initial interval for log collection. This setting determines the time period for which the logs will be initially collected when the ingestion process starts, i.e. 1d/h/m/s +# - api_version: API version for Salesforce, version should be greater than 46.0 - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +# Authentication Configurations: +# User-Password Authentication: +# - enabled: Set to true to enable user-password authentication +# - client.id: Client ID for user-password authentication +# - client.secret: Client secret for user-password authentication +# - token_url: Token URL for user-password authentication +# - username: Username for user-password authentication +# - password: Password for user-password authentication - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +# JWT Authentication: +# - enabled: Set to true to enable JWT authentication +# - client.id: Client ID for JWT authentication +# - client.username: Username for JWT authentication +# - client.key_path: Path to client key for JWT authentication +# - url: Audience URL for JWT authentication - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" +# Event Monitoring: +# - real_time: Set to true to enable real-time logging using object type data collection +# - real_time_interval: Interval for real-time logging - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" +# Event Log File: +# - event_log_file: Set to true to enable event log file type data collection +# - elf_interval: Interval for event log 
file +# - log_file_interval: Interval type for log file collection, either Hourly or Daily - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" +- module: salesforce - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - login-rest: + apex: enabled: false + var.initial_interval: 1d + var.api_version: 56 - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" + var.url: "https://instance_id.my.salesforce.com" - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" - login-stream: + login: enabled: false + var.initial_interval: 1d + var.api_version: 56 - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + var.url: "https://instance_id.my.salesforce.com" - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" + 
var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" + var.real_time: true + var.real_time_interval: 5m - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - logout-rest: + logout: enabled: false + var.initial_interval: 1d + var.api_version: 56 - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" + var.url: "https://instance_id.my.salesforce.com" - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" + var.real_time: true + var.real_time_interval: 5m - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - logout-stream: + setupaudittrail: enabled: false + var.initial_interval: 1d + var.api_version: 56 - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + 
jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" + var.url: "https://instance_id.my.salesforce.com" - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - setupaudittrail-rest: - enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - # Interval, should include the time interval - #var.interval: 1h + var.real_time: true + var.real_time_interval: 5m #----------------------------- Google Santa Module ----------------------------- - module: santa log: diff --git a/x-pack/filebeat/input/salesforce/input.go b/x-pack/filebeat/input/salesforce/input.go index 1e893625ed2..dacb15042b3 100644 --- a/x-pack/filebeat/input/salesforce/input.go +++ b/x-pack/filebeat/input/salesforce/input.go 
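Review bot: The `login`, `logout` and `setupaudittrail` blocks set `client.secret: "client-secret"` as a live value while `apex` uses `""`, so the four blocks disagree, and a literal that looks like a credential is easy to leave in place. Because the new settings are no longer commented out, the reference also reads as if the client secret and password belong inline in this file. I would make the placeholders keystore references, for example `client.secret: "${SALESFORCE_CLIENT_SECRET}"` and `password: "${SALESFORCE_PASSWORD}"` (key names constructed for illustration), and add the comment `# Keep secrets in the Filebeat keystore, not in this file` to the header block. The same text appears in the `_meta/config.yml` hunk that follows, which looks like the source this file mirrors, so the change probably belongs there.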
@@ -292,12 +292,12 @@ func (s *salesforceInput) RunEventLogFile() error {
 s.log.Debugf("scrape eventLogFile(s) every %s", s.srcConfig.EventMonitoringMethod.EventLogFile.Interval)
 var cursor mapstr.M
- if !(isZero(s.cursor.Object.FirstEventTime) && isZero(s.cursor.Object.LastEventTime)) {
+ if !(isZero(s.cursor.EventLogFile.FirstEventTime) && isZero(s.cursor.EventLogFile.LastEventTime)) {
 eventLogFile := make(mapstr.M)
- if !isZero(s.cursor.Object.FirstEventTime) {
+ if !isZero(s.cursor.EventLogFile.FirstEventTime) {
 eventLogFile.Put("first_event_time", s.cursor.EventLogFile.FirstEventTime)
 }
- if !isZero(s.cursor.Object.LastEventTime) {
+ if !isZero(s.cursor.EventLogFile.LastEventTime) {
 eventLogFile.Put("last_event_time", s.cursor.EventLogFile.LastEventTime)
 }
 cursor = mapstr.M{"event_log_file": eventLogFile}
diff --git a/x-pack/filebeat/module/salesforce/_meta/config.yml b/x-pack/filebeat/module/salesforce/_meta/config.yml
index f5c6c9c7f06..b5110376324 100644
--- a/x-pack/filebeat/module/salesforce/_meta/config.yml
+++ b/x-pack/filebeat/module/salesforce/_meta/config.yml
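Review bot: The corrected guard at the top of the hunk decides whether the saved EventLogFile position is carried into the next query, and nothing on the new side says so or tests it. Before this change the guard read `s.cursor.Object.*` while the `Put` calls read `s.cursor.EventLogFile.*`, so a run with only EventLogFile state set would presumably have started without its cursor, which for audit logs means duplicated or missed events. I would add `// Seed the cursor from EventLogFile state only; Object state is tracked separately.` above the `if`, and a table test that sets only the Object times and then only the EventLogFile times; no such test is visible in this part of the diff. RunEventLogFile starts before and continues past the hunk.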
@@ -1,130 +1,142 @@ -- module: salesforce - - apex-rest: - enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - login-rest: - enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +# Configuration file for Salesforce module in Filebeat + +# Common Configurations: +# - enabled: Set to true to enable ingestion of Salesforce module fileset +# - initial_interval: Initial interval for log collection. This setting determines the time period for which the logs will be initially collected when the ingestion process starts, i.e. 
1d/h/m/s +# - api_version: API version for Salesforce, version should be greater than 46.0 + +# Authentication Configurations: +# User-Password Authentication: +# - enabled: Set to true to enable user-password authentication +# - client.id: Client ID for user-password authentication +# - client.secret: Client secret for user-password authentication +# - token_url: Token URL for user-password authentication +# - username: Username for user-password authentication +# - password: Password for user-password authentication + +# JWT Authentication: +# - enabled: Set to true to enable JWT authentication +# - client.id: Client ID for JWT authentication +# - client.username: Username for JWT authentication +# - client.key_path: Path to client key for JWT authentication +# - url: Audience URL for JWT authentication + +# Event Monitoring: +# - real_time: Set to true to enable real-time logging using object type data collection +# - real_time_interval: Interval for real-time logging + +# Event Log File: +# - event_log_file: Set to true to enable event log file type data collection +# - elf_interval: Interval for event log file +# - log_file_interval: Interval type for log file collection, either Hourly or Daily - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" +- module: salesforce - login-stream: + apex: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth 
User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - logout-rest: + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: "https://instance_id.my.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" + + login: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - logout-stream: + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: "https://instance_id.my.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" + + var.real_time: true + var.real_time_interval: 5m + + logout: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: 
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - setupaudittrail-rest: + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: "https://instance_id.my.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" + + var.real_time: true + var.real_time_interval: 5m + + setupaudittrail: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - # Interval, should include the time interval - #var.interval: 1h \ No newline at end of file + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: 
"https://instance_id.my.salesforce.com" + + var.real_time: true + var.real_time_interval: 5m \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc b/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc index edfce0ea7ad..7d189fc6984 100644 --- a/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/salesforce/_meta/docs.asciidoc 
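Review bot: The new template ships the credential keys as live settings, and three of the four filesets (`login`, `logout`, `setupaudittrail`) carry the literal `client.secret: "client-secret"` while `apex` uses `""`. The removed file kept every credential line commented out; with the new layout an operator fills in `client.secret` and `password` in place, which leaves long-lived Salesforce credentials in plaintext in a module file. I would make all four `client.secret: ""` and add a comment above `var.authentication` such as `# Keep secrets out of this file; reference the Filebeat keystore, e.g. client.secret: "${SALESFORCE_CLIENT_SECRET}"` (the key name is a placeholder). The same `"client-secret"` literal appears in the reference-config hunk earlier in this diff, and `user_password_flow` is the enabled flow in every fileset, so it is worth confirming that default is intended rather than `jwt_bearer_flow`.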
@@ -5,309 +5,573 @@ == Salesforce module -This is a module for Salesforce logs. -It collects the logs using the following two different types of inputs: +include::{libbeat-dir}/shared/integration-link.asciidoc[] -- `httpjson` input: collects historical data from Salesforce REST API. -- `cometd` input: collects real-time data from Salesforce Streaming API. +[NOTE] -It includes the following filesets for receiving logs: +The Salesforce module has been completely revamped to use a new dedicated Salesforce input for event collection, replacing the previous HTTPJSON input method. This change brings improved performance and reliability. However, please be aware that this update introduces a breaking change. We believe this is the right time to make this necessary improvement as the previous module was in beta. -- `login-rest` fileset: supports Salesforce Login logs received from the REST API. -- `login-stream` fileset: supports Salesforce Login logs received from the Streaming API. -- `logout-rest` fileset: supports Salesforce Logout logs received from the REST API. -- `logout-stream` fileset: supports Salesforce Logout logs received from the Streaming API. -- `apex-rest` fileset: supports Salesforce Apex logs received from the REST API. -- `setupaudittrail-rest` fileset: supports logs generated when admins make in your org’s Setup area. +The Salesforce module collects logs from a Salesforce instance using the Salesforce REST API. It supports real-time and historical data collection for various log types including Login, Logout, APEX, and Setup Audit Trail. -Note: We can leverage the inputs provided above to collect the rest of the events from the Salesforce REST or Streaming API. +The Salesforce module contains the following filesets for collecting different types of logs: -include::../include/what-happens.asciidoc[] +- The `login` fileset collects Login events from the EventLogFile or Objects (real-time). 
+- The `logout` fileset collects Logout events from the EventLogFile or Objects (real-time). +- The `apex` fileset collects APEX execution logs from the EventLogFile. +- The `setupaudittrail` fileset collects Audit Trails events generated when admins make configuration changes in the org's Setup area from the Objects (real-time). + +[options="header"] +|=== +| Fileset | EventLogFile | Objects (real-time) + +|login +|yes +|yes + +|logout +|yes +|yes + +|apex +|yes +|no + +|setupaudittrail +|no +|yes +|=== + + +[IMPORTANT] +==== +The default interval for collecting logs (`var.real_time_interval` or `var.elf_interval`) is 5m/1h. Exercise caution when reducing this interval, as it directly impacts the Salesforce API rate limit of ~1000 calls per hour. Exceeding the limit will result in errors from the Salesforce API. Refer to the https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm[Salesforce API Rate Limit] documentation for more details. +==== + +== Set up the OAuth App in the Salesforce + +In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce: + +1. Login to https://login.salesforce.com/[Salesforce] with the same user credentials that the user wants to collect data with. +2. Click on Setup on the top right menu bar. On the Setup page, search for `App Manager` in the `Search Setup` search box at the top of the page, then select `App Manager`. +3. Click _New Connected App_. +4. Provide a name for the connected application. This will be displayed in the App Manager and on its App Launcher tile. +5. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name. +6. Enter the contact email for Salesforce. +7. 
Under the API (Enable OAuth Settings) section of the page, select _Enable OAuth Settings_. +8. In the Callback URL, enter the Instance URL (Please refer to `Salesforce Instance URL`). +9. Select the following OAuth scopes to apply to the connected app: +- Manage user data via APIs (api). +- Perform requests at any time (refresh_token, offline_access). +- (Optional) In case of data collection, if any permission issues arise, add the Full access (full) scope. +10. Select _Require Secret for the Web Server Flow_ to require the app's client secret in exchange for an access token. +11. Select _Require Secret for Refresh Token Flow_ to require the app's client secret in the authorization request of a refresh token and hybrid refresh token flow. +12. Click Save. It may take approximately 10 minutes for the changes to take effect. +13. Click Continue and then under API details, click Manage Consumer Details. Verify the user account using the Verification Code. +14. Copy `Consumer Key` and `Consumer Secret` from the Consumer Details section, which should be populated as values for Client ID and Client Secret respectively in the configuration. + +For more details on how to create a Connected App, refer to the Salesforce documentation https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_create.htm[here]. + +[NOTE] + +==== + +*Enabling real-time events* + +To get started with https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring[real-time] events, head to setup and into the quick find search for 'Event Manager'. Enterprise and Unlimited environments have access to the Logout Event by default, but the remainder of the events need licensing to access https://help.salesforce.com/s/articleView?id=sf.salesforce_shield.htm&type=5[Shield Event Monitoring]. 
+ +==== include::../include/gs-link.asciidoc[] +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: login + +include::../include/config-option-intro.asciidoc[] + +[float] +=== Fileset settings + [float] -==== `login-rest` fileset settings +==== `login` fileset Example config: [source,yaml] ---- - module: salesforce - login-rest: + login: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: Hourly + + var.real_time: true + var.real_time_interval: 5m ---- -include::../include/var-paths.asciidoc[] +*`var.initial_interval`*:: -*`var.client_id`*:: +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). -Oauth client ID. +*`var.api_version`*:: -*`var.client_secret`*:: +The API version of the Salesforce instance. -Oauth client secret. +*`var.authentication`*:: -*`var.token_url`*:: +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. -Oauth token URL. +*`var.authentication.jwt_bearer_flow.enabled`*:: -*`var.user`*:: +Set to true to use JWT authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. 
+*`var.authentication.jwt_bearer_flow.client.id`*:: -*`var.password`*:: +The client ID for JWT authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.username`*:: -*`var.url`*:: +The username for JWT authentication. -The URL of the Saleforce instance. +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -[float] -==== `login-stream` fileset settings +Path to the client key file for JWT authentication. -Example config: +*`var.authentication.jwt_bearer_flow.url`*:: -[source,yaml] ----- -- module: salesforce - login-stream: - enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" - var.url: "https://instance-url.salesforce.com" ----- +The audience URL for JWT authentication. -include::../include/var-paths.asciidoc[] +*`var.authentication.user_password_flow.enabled`*:: -*`var.client_id`*:: +Set to true to use user-password authentication. -Oauth client ID. +*`var.authentication.user_password_flow.client.id`*:: -*`var.client_secret`*:: +The client ID for user-password authentication. -Oauth client secret. +*`var.authentication.user_password_flow.client.secret`*:: -*`var.token_url`*:: +The client secret for user-password authentication. -Oauth token URL. +*`var.authentication.user_password_flow.token_url`*:: -*`var.user`*:: +The Salesforce token URL for user-password authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.username`*:: -*`var.password`*:: +The Salesforce username for authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. 
+*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. + +*`var.event_log_file`*:: + +Set to true to collect logs from EventLogFile (historical data). + +*`var.elf_interval`*:: + +Interval for collecting EventLogFile logs, e.g. 1h or 5m. + +*`var.log_file_interval`*:: + +Either "Hourly" or "Daily". The time interval of each log file from EventLogFile. + +*`var.real_time`*:: + +Set to true to collect real-time data collection. + +*`var.real_time_interval`*:: + +Interval for collecting real-time logs, e.g. 30s or 5m. [float] -==== `logout-rest` fileset settings +==== `logout` fileset Example config: [source,yaml] ---- - module: salesforce - logout-rest: + logout: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: Hourly + + var.real_time: true + var.real_time_interval: 5m ---- -include::../include/var-paths.asciidoc[] +*`var.initial_interval`*:: -*`var.client_id`*:: +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). -Oauth client ID. +*`var.api_version`*:: -*`var.client_secret`*:: +The API version of the Salesforce instance. -Oauth client secret. 
+*`var.authentication`*:: -*`var.token_url`*:: +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. -Oauth token URL. +*`var.authentication.jwt_bearer_flow.enabled`*:: -*`var.user`*:: +Set to true to use JWT authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.id`*:: -*`var.password`*:: +The client ID for JWT authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.username`*:: -*`var.url`*:: +The username for JWT authentication. -The URL of the Saleforce instance. +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -[float] -==== `logout-stream` fileset settings +Path to the client key file for JWT authentication. -Example config: +*`var.authentication.jwt_bearer_flow.url`*:: -[source,yaml] ----- -- module: salesforce - logout-stream: - enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" - var.url: "https://instance-url.salesforce.com" ----- +The audience URL for JWT authentication. -include::../include/var-paths.asciidoc[] +*`var.authentication.user_password_flow.enabled`*:: -*`var.client_id`*:: +Set to true to use user-password authentication. -Oauth client ID. +*`var.authentication.user_password_flow.client.id`*:: -*`var.client_secret`*:: +The client ID for user-password authentication. -Oauth client secret. +*`var.authentication.user_password_flow.client.secret`*:: -*`var.token_url`*:: +The client secret for user-password authentication. -Oauth token URL. +*`var.authentication.user_password_flow.token_url`*:: -*`var.user`*:: +The Salesforce token URL for user-password authentication. 
-The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.username`*:: -*`var.password`*:: +The Salesforce username for authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. + +*`var.event_log_file`*:: + +Set to true to collect logs from EventLogFile (historical data). + +*`var.elf_interval`*:: + +Interval for collecting EventLogFile logs, e.g. 1h or 5m. + +*`var.log_file_interval`*:: + +Either "Hourly" or "Daily". The time interval of each log file from EventLogFile. + +*`var.real_time`*:: + +Set to true to collect real-time data collection. + +*`var.real_time_interval`*:: + +Interval for collecting real-time logs, e.g. 30s or 5m. [float] -==== `setupaudittrail-rest` fileset settings +==== `setupaudittrail` fileset Example config: [source,yaml] ---- - module: salesforce - setupaudittrail-rest: + setupaudittrail: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" - var.interval: 1h + + var.real_time: true + var.real_time_interval: 5m ---- 
-include::../include/var-paths.asciidoc[] +*`var.initial_interval`*:: + +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). + +*`var.api_version`*:: + +The API version of the Salesforce instance. + +*`var.authentication`*:: + +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. + +*`var.authentication.jwt_bearer_flow.enabled`*:: + +Set to true to use JWT authentication. -*`var.client_id`*:: +*`var.authentication.jwt_bearer_flow.client.id`*:: -Oauth client ID. +The client ID for JWT authentication. -*`var.client_secret`*:: +*`var.authentication.jwt_bearer_flow.client.username`*:: -Oauth client secret. +The username for JWT authentication. -*`var.token_url`*:: +*`var.authentication.jwt_bearer_flow.client.key_path`*:: -Oauth token URL. +Path to the client key file for JWT authentication. -*`var.user`*:: +*`var.authentication.jwt_bearer_flow.url`*:: -The user used as part of the authentication flow. It is required for authentication - grant type password. +The audience URL for JWT authentication. -*`var.password`*:: +*`var.authentication.user_password_flow.enabled`*:: -The password used as part of the authentication flow. It is required for authentication - grant type password. +Set to true to use user-password authentication. + +*`var.authentication.user_password_flow.client.id`*:: + +The client ID for user-password authentication. + +*`var.authentication.user_password_flow.client.secret`*:: + +The client secret for user-password authentication. + +*`var.authentication.user_password_flow.token_url`*:: + +The Salesforce token URL for user-password authentication. + +*`var.authentication.user_password_flow.username`*:: + +The Salesforce username for authentication. + +*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. 
-*`var.interval`*:: +*`var.real_time`*:: -Period of fetching logs, i.e. 1s/1m/1h. +Set to true to collect real-time data collection. -Note: The default value of `var.interval` is 1h. It is important to exercise caution when reducing the interval, as it directly affects the API rate limit of the Salesforce instance. Salesforce API rate limit is ~1000 API calls per hour. Hence if user goes with lower limit of var.interval, the Salesforce API rate limit will exceed and any additional API requests beyond the limit will result in an error response from the Salesforce API. The error message will typically indicate that the rate limit has been exceeded. Please refer to the following link for the https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm[Salesforce API Rate Limit]. +*`var.real_time_interval`*:: + +Interval for collecting real-time logs, e.g. 30s or 5m. [float] -==== `apex-rest` fileset settings +==== `apex` fileset Example config: [source,yaml] ---- - module: salesforce - apex-rest: + apex: enabled: true - var.client_id: "my-client-id" - var.client_secret: "my-client-secret" - var.token_url: "https://login.salesforce.com/services/oauth2/token" - var.user: "my.email@here.com" - var.password: "password" + var.initial_interval: 1d + var.log_file_interval: Hourly + var.api_version: 56 + + var.authentication: + jwt_bearer_flow: + enabled: false + client.id: "my-client-id" + client.username: "my.email@here.com" + client.key_path: client_key.pem + url: https://login.salesforce.com + user_password_flow: + enabled: true + client.id: "my-client-id" + client.secret: "my-client-secret" + token_url: "https://login.salesforce.com" + username: "my.email@here.com" + password: "password" + var.url: "https://instance-url.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: Hourly ---- -include::../include/var-paths.asciidoc[] 
+*`var.initial_interval`*:: + +The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d). + +*`var.api_version`*:: -*`var.client_id`*:: +The API version of the Salesforce instance. -Oauth client ID. +*`var.authentication`*:: -*`var.client_secret`*:: +Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows. -Oauth client secret. +*`var.authentication.jwt_bearer_flow.enabled`*:: -*`var.token_url`*:: +Set to true to use JWT authentication. -Oauth token URL. +*`var.authentication.jwt_bearer_flow.client.id`*:: -*`var.user`*:: +The client ID for JWT authentication. -The user used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.username`*:: -*`var.password`*:: +The username for JWT authentication. -The password used as part of the authentication flow. It is required for authentication - grant type password. +*`var.authentication.jwt_bearer_flow.client.key_path`*:: + +Path to the client key file for JWT authentication. + +*`var.authentication.jwt_bearer_flow.url`*:: + +The audience URL for JWT authentication. + +*`var.authentication.user_password_flow.enabled`*:: + +Set to true to use user-password authentication. + +*`var.authentication.user_password_flow.client.id`*:: + +The client ID for user-password authentication. + +*`var.authentication.user_password_flow.client.secret`*:: + +The client secret for user-password authentication. + +*`var.authentication.user_password_flow.token_url`*:: + +The Salesforce token URL for user-password authentication. + +*`var.authentication.user_password_flow.username`*:: + +The Salesforce username for authentication. + +*`var.authentication.user_password_flow.password`*:: + +The password for the Salesforce user. *`var.url`*:: -The URL of the Saleforce instance. +The URL of the Salesforce instance. 
+ +*`var.event_log_file`*:: + +Set to true to collect logs from EventLogFile (historical data). + +*`var.elf_interval`*:: + +Interval for collecting EventLogFile logs, e.g. 1h or 5m. + +*`var.log_file_interval`*:: + +Either "Hourly" or "Daily". The time interval of each log file from EventLogFile. [float] -=== Example dashboard +=== Example dashboards -This Salesforce module comes with several predefined dashboards, including Login, Logout, Apex, and Setup Audit Trails Dashboards. For example: +The Salesforce module includes several predefined dashboards: + +- Login Dashboard: Visualizes login activity and trends. +- Logout Dashboard: Visualizes logout activity and trends. +- Apex Dashboard: Visualizes Apex executions and errors. +- Setup Audit Trail Dashboard: Shows changes made in the Setup area. image::./images/filebeat-salesforce-login-dashboard.png[] image::./images/filebeat-salesforce-logout-dashboard.png[] -:has-dashboards!: +image::./images/filebeat-salesforce-setupaudittrail-dashboard.png[] + +Access these dashboards in Kibana by going to Management -> Kibana -> Dashboards and searching for "Salesforce". + +[float] +=== Troubleshooting + +Here are some common issues and how to resolve them: + +*Hitting Salesforce API limits*:: +Reduce the values of `var.real_time_interval` and `var.elf_interval` to poll the API less frequently. Monitor the API usage in your Salesforce instance. + +*Connectivity issues*:: +Verify the `var.url` is correct. Check that the user credentials are valid and have the necessary permissions. Ensure network connectivity between the Elastic Agent and Salesforce instance. + +*Not seeing any data*:: +Check the Elastic Agent logs for errors. Verify the module configuration is correct, the filesets are enabled, and the intervals are reasonable. Confirm there is log activity in Salesforce for the log types being collected. + +:has-dashboards!: :fileset_ex!: -:modulename!: +:modulename!: \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/243e40b0-f891-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/243e40b0-f891-11ee-9088-0f36517484ce.json new file mode 100644 index 00000000000..1c0b58da7ae --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/243e40b0-f891-11ee-9088-0f36517484ce.json 
@@ -0,0 +1,763 @@ +{ + "attributes": { + "description": "Salesforce Logout Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.logout" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.logout" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "controls": [ + { + "fieldName": "salesforce.instance_url", + "id": "1712900437314", + "indexPatternRefName": "control_e04d7dbe-82fb-438b-8097-594262a141ec_0_index_pattern", + "label": "Instance URL", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "e04d7dbe-82fb-438b-8097-594262a141ec", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "e04d7dbe-82fb-438b-8097-594262a141ec", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"indexpattern-datasource-layer-7f107c7d-34fd-481a-b6ac-6e0037488d00", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "7f107c7d-34fd-481a-b6ac-6e0037488d00": { + "columnOrder": [ + "d0a8f0be-bff5-4156-b797-4ce54c84c2ad", + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX0", + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX1", + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX2" + ], + "columns": { + "d0a8f0be-bff5-4156-b797-4ce54c84c2ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "User initiated logout", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "isFormulaBroken": false + }, + "references": [ + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX2" + ], + "scale": "ratio" + }, + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "salesforce.logout.user_initiated_logout : \"1\" " + }, + "isBucketed": false, + "label": "Part of count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX0", + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX1" + ], + "location": { + "max": 67, + "min": 0 + 
}, + "name": "divide", + "text": "count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "type": "function" + } + }, + "references": [ + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX0", + "d0a8f0be-bff5-4156-b797-4ce54c84c2adX1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d0a8f0be-bff5-4156-b797-4ce54c84c2ad", + "layerId": "7f107c7d-34fd-481a-b6ac-6e0037488d00", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "eaf7f094-92f3-46ca-84eb-ef2126f220bd", + "w": 24, + "x": 0, + "y": 5 + }, + "panelIndex": "eaf7f094-92f3-46ca-84eb-ef2126f220bd", + "title": "Percentage of user initiated logout [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-f3cc3792-a28a-4847-bd7d-bf08156d7def", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f3cc3792-a28a-4847-bd7d-bf08156d7def": { + "columnOrder": [ + "3134a608-006c-4bfc-b42c-0c1ad3c4315f", + "8e4f70e3-db21-4183-bd70-b1b56fe816b4" + ], + "columns": { + "3134a608-006c-4bfc-b42c-0c1ad3c4315f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of salesforce.logout.session.level", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8e4f70e3-db21-4183-bd70-b1b56fe816b4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "salesforce.logout.session.level" + }, + 
"8e4f70e3-db21-4183-bd70-b1b56fe816b4": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "3134a608-006c-4bfc-b42c-0c1ad3c4315f" + ], + "layerId": "f3cc3792-a28a-4847-bd7d-bf08156d7def", + "layerType": "data", + "legendDisplay": "default", + "metric": "8e4f70e3-db21-4183-bd70-b1b56fe816b4", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "698cb161-2847-4fe2-b8b0-29047d20472e", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "698cb161-2847-4fe2-b8b0-29047d20472e", + "title": "Session levels used while logging out [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-07bd6025-fb9b-4980-94b7-4be1f9948220", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "07bd6025-fb9b-4980-94b7-4be1f9948220": { + "columnOrder": [ + "265a7158-90ba-4ba7-acb6-e8c1f700dd2c", + "3fe1c36a-768e-43c0-93fe-77fc2465f19a" + ], + "columns": { + "265a7158-90ba-4ba7-acb6-e8c1f700dd2c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "3fe1c36a-768e-43c0-93fe-77fc2465f19a": { + "customLabel": true, + "dataType": 
"number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "3fe1c36a-768e-43c0-93fe-77fc2465f19a" + ], + "layerId": "07bd6025-fb9b-4980-94b7-4be1f9948220", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "265a7158-90ba-4ba7-acb6-e8c1f700dd2c" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "9f2a2ef4-ba17-4d76-8a0a-76517f1c0936", + "w": 48, + "x": 0, + "y": 17 + }, + "panelIndex": "9f2a2ef4-ba17-4d76-8a0a-76517f1c0936", + "title": "Logout over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-aed1858a-a560-41f8-a5ca-58e917d3f0f6", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "aed1858a-a560-41f8-a5ca-58e917d3f0f6": { + "columnOrder": [ + "0d1ba1cc-f436-4f99-bab4-80da94ab8377", + "e3f18ea3-e3c9-4dcb-8617-0998a34460a2" + ], + "columns": { + "0d1ba1cc-f436-4f99-bab4-80da94ab8377": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of salesforce.logout.session.type", + "operationType": "terms", + "params": { + "missingBucket": false, + 
"orderBy": { + "columnId": "e3f18ea3-e3c9-4dcb-8617-0998a34460a2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "salesforce.logout.session.type" + }, + "e3f18ea3-e3c9-4dcb-8617-0998a34460a2": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "0d1ba1cc-f436-4f99-bab4-80da94ab8377" + ], + "layerId": "aed1858a-a560-41f8-a5ca-58e917d3f0f6", + "layerType": "data", + "legendDisplay": "default", + "metric": "e3f18ea3-e3c9-4dcb-8617-0998a34460a2", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ff455525-355f-49cd-a503-159a03ada387", + "w": 24, + "x": 0, + "y": 29 + }, + "panelIndex": "ff455525-355f-49cd-a503-159a03ada387", + "title": "Distribution of session types [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-6cd4c92e-cef0-46cf-937a-5123ddc95e7b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "6cd4c92e-cef0-46cf-937a-5123ddc95e7b": { + "columnOrder": [ + "26b08e8c-5391-4f11-9955-c414ba872de8", + "63d839ef-dad8-43bf-b6e3-4f162e8354ce" + ], + "columns": { + "26b08e8c-5391-4f11-9955-c414ba872de8": { + "customLabel": true, + "dataType": "ip", + "isBucketed": 
true, + "label": "IP Addresses", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "63d839ef-dad8-43bf-b6e3-4f162e8354ce", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "63d839ef-dad8-43bf-b6e3-4f162e8354ce": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "63d839ef-dad8-43bf-b6e3-4f162e8354ce" + ], + "layerId": "6cd4c92e-cef0-46cf-937a-5123ddc95e7b", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "26b08e8c-5391-4f11-9955-c414ba872de8" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "69095005-0182-4363-b606-263449739e20", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "69095005-0182-4363-b606-263449739e20", + "title": "Top 10 IP addresses by Logout request count [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 85.05113, + "maxLon": 270, + "minLat": -66.51326, + "minLon": -270 + }, + "mapCenter": { + "lat": 24.87922, + "lon": -0.42602, + "zoom": 1.77 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 
25, + "i": "6e4e4f8a-da6a-482e-81a6-ae3a26ad10ef", + "w": 48, + "x": 0, + "y": 44 + }, + "panelIndex": "6e4e4f8a-da6a-482e-81a6-ae3a26ad10ef", + "panelRefName": "panel_6e4e4f8a-da6a-482e-81a6-ae3a26ad10ef", + "title": "Logout activity by region [Filebeat Salesforce]", + "type": "map", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Logout Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "243e40b0-f891-11ee-9088-0f36517484ce", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "e04d7dbe-82fb-438b-8097-594262a141ec:control_e04d7dbe-82fb-438b-8097-594262a141ec_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "eaf7f094-92f3-46ca-84eb-ef2126f220bd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "eaf7f094-92f3-46ca-84eb-ef2126f220bd:indexpattern-datasource-layer-7f107c7d-34fd-481a-b6ac-6e0037488d00", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "698cb161-2847-4fe2-b8b0-29047d20472e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "698cb161-2847-4fe2-b8b0-29047d20472e:indexpattern-datasource-layer-f3cc3792-a28a-4847-bd7d-bf08156d7def", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "9f2a2ef4-ba17-4d76-8a0a-76517f1c0936:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "9f2a2ef4-ba17-4d76-8a0a-76517f1c0936:indexpattern-datasource-layer-07bd6025-fb9b-4980-94b7-4be1f9948220", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"ff455525-355f-49cd-a503-159a03ada387:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "ff455525-355f-49cd-a503-159a03ada387:indexpattern-datasource-layer-aed1858a-a560-41f8-a5ca-58e917d3f0f6", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "69095005-0182-4363-b606-263449739e20:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "69095005-0182-4363-b606-263449739e20:indexpattern-datasource-layer-6cd4c92e-cef0-46cf-937a-5123ddc95e7b", + "type": "index-pattern" + }, + { + "id": "15bcb8a0-f891-11ee-9088-0f36517484ce", + "name": "6e4e4f8a-da6a-482e-81a6-ae3a26ad10ef:panel_6e4e4f8a-da6a-482e-81a6-ae3a26ad10ef", + "type": "map" + } + ], + "type": "dashboard", + "updated_at": "2024-04-12T11:40:07.036Z", + "version": "WzExMzc5LDFd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/6e6bee90-f7e6-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/6e6bee90-f7e6-11ee-9088-0f36517484ce.json new file mode 100644 index 00000000000..8e7ef6c831b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/6e6bee90-f7e6-11ee-9088-0f36517484ce.json 
@@ -0,0 +1,1770 @@ +{ + "attributes": { + "description": "Salesforce Apex Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.apex" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.apex" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "controls": [ + { + "fieldName": "salesforce.instance_url", + "id": "1712824865887", + "indexPatternRefName": "control_2e30f60b-d451-4b0d-89eb-6ba01e94c2aa_0_index_pattern", + "label": "Instance URL", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "2e30f60b-d451-4b0d-89eb-6ba01e94c2aa", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "2e30f60b-d451-4b0d-89eb-6ba01e94c2aa", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-f7a3c405-487c-4473-aeb5-c6f5e63de3db", + 
"type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f7a3c405-487c-4473-aeb5-c6f5e63de3db": { + "columnOrder": [ + "c8b7de64-e628-4200-8520-1699a69f49af" + ], + "columns": { + "c8b7de64-e628-4200-8520-1699a69f49af": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Calls against the organization limit", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "salesforce.apex.is_long_running_request", + "negate": true, + "params": { + "query": "0" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "salesforce.apex.is_long_running_request": "0" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "salesforce.apex.is_long_running_request" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "salesforce.apex.is_long_running_request", + "negate": false, + "type": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "c8b7de64-e628-4200-8520-1699a69f49af", + "layerId": "f7a3c405-487c-4473-aeb5-c6f5e63de3db", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "7decef13-13b6-4eb2-bb2b-cd657951e930", + "w": 14, + "x": 0, + "y": 5 + }, + "panelIndex": "7decef13-13b6-4eb2-bb2b-cd657951e930", + "title": "Calls against the organization limit [Filebeat Salesforce]]", + "type": "lens", + 
"version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-83c3e25a-134f-43bf-bca7-cd3c3d33eff3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "83c3e25a-134f-43bf-bca7-cd3c3d33eff3": { + "columnOrder": [ + "c55333c9-aa79-4829-8e41-34029ca8e56a", + "099c35b2-0b10-4026-8883-274a3bd24c10" + ], + "columns": { + "099c35b2-0b10-4026-8883-274a3bd24c10": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c55333c9-aa79-4829-8e41-34029ca8e56a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "099c35b2-0b10-4026-8883-274a3bd24c10", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c55333c9-aa79-4829-8e41-34029ca8e56a" + ], + "layerId": "83c3e25a-134f-43bf-bca7-cd3c3d33eff3", + "layerType": "data", + "legendDisplay": "default", + "metric": "099c35b2-0b10-4026-8883-274a3bd24c10", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7154e44a-c51d-4881-8d23-6d822a0bd77d", + "w": 17, + "x": 14, + "y": 5 + }, + "panelIndex": 
"7154e44a-c51d-4881-8d23-6d822a0bd77d", + "title": "Distribution of request status [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-23547c7a-8041-4b0a-856d-ffc03d80fbc0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "23547c7a-8041-4b0a-856d-ffc03d80fbc0": { + "columnOrder": [ + "55861941-7ec4-480b-800a-bae54e679ceb", + "ffcee30c-ac14-49a3-a634-04205ecc7788" + ], + "columns": { + "55861941-7ec4-480b-800a-bae54e679ceb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Apex media type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ffcee30c-ac14-49a3-a634-04205ecc7788", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.media_type" + }, + "ffcee30c-ac14-49a3-a634-04205ecc7788": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "55861941-7ec4-480b-800a-bae54e679ceb" + ], + "layerId": "23547c7a-8041-4b0a-856d-ffc03d80fbc0", + "layerType": "data", + "legendDisplay": "default", + "metric": "ffcee30c-ac14-49a3-a634-04205ecc7788", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + 
"h": 15, + "i": "73688f67-7274-4172-bc72-81581d1b1dc2", + "w": 17, + "x": 31, + "y": 5 + }, + "panelIndex": "73688f67-7274-4172-bc72-81581d1b1dc2", + "title": "Responses by media type [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-2ea8d938-401b-4b61-92c4-c476e7d3e4bc", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2ea8d938-401b-4b61-92c4-c476e7d3e4bc": { + "columnOrder": [ + "5ca49fa3-e0db-4c3f-9116-b0cdba13b3fb", + "d665ca71-d578-4fc0-a7eb-b6c4ea8b31d9", + "69ea92d8-1db1-4dd6-b01f-8ed3937c9ab8" + ], + "columns": { + "5ca49fa3-e0db-4c3f-9116-b0cdba13b3fb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of salesforce.apex.trigger_name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "69ea92d8-1db1-4dd6-b01f-8ed3937c9ab8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.trigger_name" + }, + "69ea92d8-1db1-4dd6-b01f-8ed3937c9ab8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Apex Trigger", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d665ca71-d578-4fc0-a7eb-b6c4ea8b31d9": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + 
"69ea92d8-1db1-4dd6-b01f-8ed3937c9ab8" + ], + "layerId": "2ea8d938-401b-4b61-92c4-c476e7d3e4bc", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "5ca49fa3-e0db-4c3f-9116-b0cdba13b3fb", + "xAccessor": "d665ca71-d578-4fc0-a7eb-b6c4ea8b31d9" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "be541fae-8b1f-40e5-9fcc-e552b3544773", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "be541fae-8b1f-40e5-9fcc-e552b3544773", + "title": "Top 10 apex triggers over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-395b6aa2-d6cd-406e-9559-a0ed2b833854", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-dbfc2649-500a-4d9e-8035-f2094fc75c86", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "395b6aa2-d6cd-406e-9559-a0ed2b833854": { + "columnOrder": [ + "7d694982-04a5-4e47-9aa9-eea47b40f505", + "7ac0b6dc-60e0-46b8-81f9-519459e354b3" + ], + "columns": { + "7ac0b6dc-60e0-46b8-81f9-519459e354b3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average run time", + "operationType": "average", + "scale": "ratio", + "sourceField": "salesforce.apex.run_time" + }, + 
"7d694982-04a5-4e47-9aa9-eea47b40f505": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + }, + "dbfc2649-500a-4d9e-8035-f2094fc75c86": { + "columnOrder": [ + "ba09599b-cc6f-420b-bd27-e9126e585c0f", + "f6bac9bb-7015-41d6-8c02-ffede3aeba7e" + ], + "columns": { + "ba09599b-cc6f-420b-bd27-e9126e585c0f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f6bac9bb-7015-41d6-8c02-ffede3aeba7e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "salesforce.apex.run_time" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "salesforce.apex.run_time", + "negate": false, + "type": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "f6bac9bb-7015-41d6-8c02-ffede3aeba7e" + ], + "layerId": "dbfc2649-500a-4d9e-8035-f2094fc75c86", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "ba09599b-cc6f-420b-bd27-e9126e585c0f", + "yConfig": [ + { + "color": "#00e499", + "forAccessor": "f6bac9bb-7015-41d6-8c02-ffede3aeba7e" + 
} + ] + }, + { + "accessors": [ + "7ac0b6dc-60e0-46b8-81f9-519459e354b3" + ], + "layerId": "395b6aa2-d6cd-406e-9559-a0ed2b833854", + "layerType": "data", + "seriesType": "line", + "xAccessor": "7d694982-04a5-4e47-9aa9-eea47b40f505", + "yConfig": [ + { + "color": "#ff3a66", + "forAccessor": "7ac0b6dc-60e0-46b8-81f9-519459e354b3" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "fe66cbe2-e564-49ae-a724-6440517ceb3b", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "fe66cbe2-e564-49ae-a724-6440517ceb3b", + "title": "Apex performance over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-f73f968b-392e-4f0e-8c9b-351ad7370ddd", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f73f968b-392e-4f0e-8c9b-351ad7370ddd": { + "columnOrder": [ + "e50a7586-31dd-47bd-8b42-2a02dd27aec9", + "148d81bd-6204-41a1-99d7-26580ab2a3e7" + ], + "columns": { + "148d81bd-6204-41a1-99d7-26580ab2a3e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "SOQL queries", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e50a7586-31dd-47bd-8b42-2a02dd27aec9": { + "customLabel": true, + 
"dataType": "string", + "isBucketed": true, + "label": "Entry point", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "148d81bd-6204-41a1-99d7-26580ab2a3e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.entry_point" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "apex-execution" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "apex-execution" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "148d81bd-6204-41a1-99d7-26580ab2a3e7" + ], + "layerId": "f73f968b-392e-4f0e-8c9b-351ad7370ddd", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e50a7586-31dd-47bd-8b42-2a02dd27aec9" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "574ede56-2b30-49a5-8888-8ae368c856af", + "w": 48, + "x": 0, + "y": 51 + }, + "panelIndex": "574ede56-2b30-49a5-8888-8ae368c856af", + "title": "Top 10 SOQL queries per entry point [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"filebeat-*", + "name": "indexpattern-datasource-layer-b53e356e-52be-419c-bf3d-282ec655706d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b53e356e-52be-419c-bf3d-282ec655706d": { + "columnOrder": [ + "86ab6d3f-99be-44a8-9050-1a79992a7948", + "f3682f79-73a9-4bd4-aff4-d1be1c81f7dd", + "c231ae4b-9cb7-4bc1-96f2-06870e504081" + ], + "columns": { + "86ab6d3f-99be-44a8-9050-1a79992a7948": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of salesforce.apex.trigger_type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c231ae4b-9cb7-4bc1-96f2-06870e504081", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.trigger_type" + }, + "c231ae4b-9cb7-4bc1-96f2-06870e504081": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Trigger count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f3682f79-73a9-4bd4-aff4-d1be1c81f7dd": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "c231ae4b-9cb7-4bc1-96f2-06870e504081" + ], + "layerId": "b53e356e-52be-419c-bf3d-282ec655706d", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "86ab6d3f-99be-44a8-9050-1a79992a7948", + "xAccessor": "f3682f79-73a9-4bd4-aff4-d1be1c81f7dd" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + 
"yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f8ecb623-ff3c-4422-9f91-2676fe2e58e0", + "w": 24, + "x": 0, + "y": 67 + }, + "panelIndex": "f8ecb623-ff3c-4422-9f91-2676fe2e58e0", + "title": "Trigger trends over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-b2559ffe-87f5-4f0e-a041-671ae182cad2", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b2559ffe-87f5-4f0e-a041-671ae182cad2": { + "columnOrder": [ + "b3a46082-815b-44d5-a8ab-77b1f4aa3e39", + "bf492b8e-efdf-423a-a3c2-33b59eee9cc2" + ], + "columns": { + "b3a46082-815b-44d5-a8ab-77b1f4aa3e39": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "salesforce.apex.trigger_type : *Update*" + }, + "label": "Updates" + }, + { + "input": { + "language": "kuery", + "query": "salesforce.apex.trigger_type : *Insert*" + }, + "label": "Inserts" + }, + { + "input": { + "language": "kuery", + "query": "salesforce.apex.trigger_type : *Delete*" + }, + "label": "Deletes" + } + ] + }, + "scale": "ordinal" + }, + "bf492b8e-efdf-423a-a3c2-33b59eee9cc2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Trigger count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bf492b8e-efdf-423a-a3c2-33b59eee9cc2" + ], + "layerId": "b2559ffe-87f5-4f0e-a041-671ae182cad2", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "b3a46082-815b-44d5-a8ab-77b1f4aa3e39" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "Trigger type", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c713f492-059e-48c9-bddb-bfa5dff4379a", + "w": 24, + "x": 24, + "y": 67 + }, + "panelIndex": "c713f492-059e-48c9-bddb-bfa5dff4379a", + "title": "Number of triggers by type [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-f2b00fda-234b-44d4-9ce5-7cd8c28efce3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f2b00fda-234b-44d4-9ce5-7cd8c28efce3": { + "columnOrder": [ + "844908c9-57a6-4468-b7bd-d7261afdc379", + "c20cc0fc-5742-405c-86e9-f535058df2b2" + ], + "columns": { + "844908c9-57a6-4468-b7bd-d7261afdc379": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User type", 
+ "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c20cc0fc-5742-405c-86e9-f535058df2b2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.roles" + }, + "c20cc0fc-5742-405c-86e9-f535058df2b2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "c20cc0fc-5742-405c-86e9-f535058df2b2" + ], + "layerId": "f2b00fda-234b-44d4-9ce5-7cd8c28efce3", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "844908c9-57a6-4468-b7bd-d7261afdc379" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9d4bd40c-a3b5-4668-a58a-118e352c3ad2", + "w": 24, + "x": 0, + "y": 82 + }, + "panelIndex": "9d4bd40c-a3b5-4668-a58a-118e352c3ad2", + "title": "Requests per user type [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-7b43a22c-ad61-444d-a002-8cc4116b4854", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + 
"7b43a22c-ad61-444d-a002-8cc4116b4854": { + "columnOrder": [ + "6619dbcd-313a-4a14-8991-8f4110656b5d", + "829d388d-4c2b-4e04-a26b-1a1ac2bdb434" + ], + "columns": { + "6619dbcd-313a-4a14-8991-8f4110656b5d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User agent", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "829d388d-4c2b-4e04-a26b-1a1ac2bdb434", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.user_agent" + }, + "829d388d-4c2b-4e04-a26b-1a1ac2bdb434": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Response count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "829d388d-4c2b-4e04-a26b-1a1ac2bdb434" + ], + "layerId": "7b43a22c-ad61-444d-a002-8cc4116b4854", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "6619dbcd-313a-4a14-8991-8f4110656b5d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f26b8459-e1af-4cee-92ac-9e91348c2c16", + "w": 24, + "x": 24, + "y": 82 + }, + "panelIndex": "f26b8459-e1af-4cee-92ac-9e91348c2c16", + "title": "Responses per user agent [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + 
"name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-92994644-eb5e-41a8-871b-b0911dcbf481", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "92994644-eb5e-41a8-871b-b0911dcbf481": { + "columnOrder": [ + "04755ce2-d91a-4fe9-8384-3247ccdb2980", + "5ba3835a-9391-4298-8cc6-3c6fa0678e5b", + "452aad19-1d09-4cc3-9e86-b6a84a6d0b6c" + ], + "columns": { + "04755ce2-d91a-4fe9-8384-3247ccdb2980": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Entity name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "452aad19-1d09-4cc3-9e86-b6a84a6d0b6c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.entity_name" + }, + "452aad19-1d09-4cc3-9e86-b6a84a6d0b6c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Apex trigger name", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "salesforce.apex.trigger_name" + }, + "5ba3835a-9391-4298-8cc6-3c6fa0678e5b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "452aad19-1d09-4cc3-9e86-b6a84a6d0b6c" + ], + "layerId": "92994644-eb5e-41a8-871b-b0911dcbf481", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "04755ce2-d91a-4fe9-8384-3247ccdb2980", + "xAccessor": "5ba3835a-9391-4298-8cc6-3c6fa0678e5b" + } + ], + "legend": { + "isVisible": true, + "position": 
"right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cc5bf3a1-5a33-4204-8efc-32b2b1629e63", + "w": 24, + "x": 0, + "y": 97 + }, + "panelIndex": "cc5bf3a1-5a33-4204-8efc-32b2b1629e63", + "title": "Triggers by entity categorization [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-84a0be7e-5127-485b-9ce2-9a9ba033a74c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "84a0be7e-5127-485b-9ce2-9a9ba033a74c": { + "columnOrder": [ + "4282f56c-5d7a-49e2-aa89-8533831afb6b", + "270e21c6-f213-4df6-bbcc-a4735f99028d" + ], + "columns": { + "270e21c6-f213-4df6-bbcc-a4735f99028d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "4282f56c-5d7a-49e2-aa89-8533831afb6b": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of salesforce.apex.entry_point", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "270e21c6-f213-4df6-bbcc-a4735f99028d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "salesforce.apex.entry_point" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + 
"columnId": "4282f56c-5d7a-49e2-aa89-8533831afb6b" + }, + { + "columnId": "270e21c6-f213-4df6-bbcc-a4735f99028d", + "isTransposed": false + } + ], + "layerId": "84a0be7e-5127-485b-9ce2-9a9ba033a74c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5904bcb3-1616-422d-855e-a86e6a69f802", + "w": 24, + "x": 24, + "y": 97 + }, + "panelIndex": "5904bcb3-1616-422d-855e-a86e6a69f802", + "title": "Top 10 entry points by request count [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Apex Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "6e6bee90-f7e6-11ee-9088-0f36517484ce", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "2e30f60b-d451-4b0d-89eb-6ba01e94c2aa:control_2e30f60b-d451-4b0d-89eb-6ba01e94c2aa_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "7decef13-13b6-4eb2-bb2b-cd657951e930:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "7decef13-13b6-4eb2-bb2b-cd657951e930:indexpattern-datasource-layer-f7a3c405-487c-4473-aeb5-c6f5e63de3db", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "7decef13-13b6-4eb2-bb2b-cd657951e930:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "7decef13-13b6-4eb2-bb2b-cd657951e930:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"7154e44a-c51d-4881-8d23-6d822a0bd77d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "7154e44a-c51d-4881-8d23-6d822a0bd77d:indexpattern-datasource-layer-83c3e25a-134f-43bf-bca7-cd3c3d33eff3", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "73688f67-7274-4172-bc72-81581d1b1dc2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "73688f67-7274-4172-bc72-81581d1b1dc2:indexpattern-datasource-layer-23547c7a-8041-4b0a-856d-ffc03d80fbc0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "be541fae-8b1f-40e5-9fcc-e552b3544773:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "be541fae-8b1f-40e5-9fcc-e552b3544773:indexpattern-datasource-layer-2ea8d938-401b-4b61-92c4-c476e7d3e4bc", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "fe66cbe2-e564-49ae-a724-6440517ceb3b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "fe66cbe2-e564-49ae-a724-6440517ceb3b:indexpattern-datasource-layer-395b6aa2-d6cd-406e-9559-a0ed2b833854", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "fe66cbe2-e564-49ae-a724-6440517ceb3b:indexpattern-datasource-layer-dbfc2649-500a-4d9e-8035-f2094fc75c86", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "fe66cbe2-e564-49ae-a724-6440517ceb3b:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "574ede56-2b30-49a5-8888-8ae368c856af:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "574ede56-2b30-49a5-8888-8ae368c856af:indexpattern-datasource-layer-f73f968b-392e-4f0e-8c9b-351ad7370ddd", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "574ede56-2b30-49a5-8888-8ae368c856af:filter-index-pattern-0", + 
"type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "f8ecb623-ff3c-4422-9f91-2676fe2e58e0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "f8ecb623-ff3c-4422-9f91-2676fe2e58e0:indexpattern-datasource-layer-b53e356e-52be-419c-bf3d-282ec655706d", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "c713f492-059e-48c9-bddb-bfa5dff4379a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "c713f492-059e-48c9-bddb-bfa5dff4379a:indexpattern-datasource-layer-b2559ffe-87f5-4f0e-a041-671ae182cad2", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "9d4bd40c-a3b5-4668-a58a-118e352c3ad2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "9d4bd40c-a3b5-4668-a58a-118e352c3ad2:indexpattern-datasource-layer-f2b00fda-234b-44d4-9ce5-7cd8c28efce3", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "f26b8459-e1af-4cee-92ac-9e91348c2c16:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "f26b8459-e1af-4cee-92ac-9e91348c2c16:indexpattern-datasource-layer-7b43a22c-ad61-444d-a002-8cc4116b4854", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "cc5bf3a1-5a33-4204-8efc-32b2b1629e63:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "cc5bf3a1-5a33-4204-8efc-32b2b1629e63:indexpattern-datasource-layer-92994644-eb5e-41a8-871b-b0911dcbf481", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "5904bcb3-1616-422d-855e-a86e6a69f802:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "5904bcb3-1616-422d-855e-a86e6a69f802:indexpattern-datasource-layer-84a0be7e-5127-485b-9ce2-9a9ba033a74c", + "type": "index-pattern" + } + ], + "type": 
"dashboard", + "updated_at": "2024-04-12T11:46:15.739Z", + "version": "WzExODE1LDFd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/c66be450-f891-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/c66be450-f891-11ee-9088-0f36517484ce.json new file mode 100644 index 00000000000..f373c866471 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/c66be450-f891-11ee-9088-0f36517484ce.json 
@@ -0,0 +1,548 @@ +{ + "attributes": { + "description": "Salesforce SetupAuditTrail Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.setupaudittrail" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.setupaudittrail" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "controls": [ + { + "fieldName": "salesforce.instance_url", + "id": "1712901482300", + "indexPatternRefName": "control_198189b3-48f3-4fc4-ae69-5ac5ee520d24_0_index_pattern", + "label": "Instance URL", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "198189b3-48f3-4fc4-ae69-5ac5ee520d24", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "198189b3-48f3-4fc4-ae69-5ac5ee520d24", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"indexpattern-datasource-layer-5ca48d62-7341-48b7-a2c0-5f2410c2d045", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5ca48d62-7341-48b7-a2c0-5f2410c2d045": { + "columnOrder": [ + "81a88837-0d15-4349-8e0f-d75ba72a95bc", + "57312742-f268-4f68-bdd9-40461aeb51ec", + "06369992-979e-421a-928b-03d026695908" + ], + "columns": { + "06369992-979e-421a-928b-03d026695908": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "@timestamp" + }, + "57312742-f268-4f68-bdd9-40461aeb51ec": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of salesforce.setup_audit_trail.delegate_user", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "06369992-979e-421a-928b-03d026695908", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.setup_audit_trail.delegate_user" + }, + "81a88837-0d15-4349-8e0f-d75ba72a95bc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Actions", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "06369992-979e-421a-928b-03d026695908", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "06369992-979e-421a-928b-03d026695908" + ], + "layerId": "5ca48d62-7341-48b7-a2c0-5f2410c2d045", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "57312742-f268-4f68-bdd9-40461aeb51ec", + "xAccessor": 
"81a88837-0d15-4349-8e0f-d75ba72a95bc" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "fc8067aa-c39c-4547-adfb-b618b9cbe4e8", + "w": 24, + "x": 0, + "y": 5 + }, + "panelIndex": "fc8067aa-c39c-4547-adfb-b618b9cbe4e8", + "title": "Top 10 actions performed by delegated users [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-72ce303a-9d98-4bab-856e-a67eb8605bfb", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "72ce303a-9d98-4bab-856e-a67eb8605bfb": { + "columnOrder": [ + "46424fdd-77b9-4f4b-bd63-beda1a1fafe4", + "184aa36c-5bf5-4d94-8c2d-7199a208d5f9" + ], + "columns": { + "184aa36c-5bf5-4d94-8c2d-7199a208d5f9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "46424fdd-77b9-4f4b-bd63-beda1a1fafe4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sections affected", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "184aa36c-5bf5-4d94-8c2d-7199a208d5f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.setup_audit_trail.section" + } + }, + "incompleteColumns": {} + } + } + } + }, + 
"filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "184aa36c-5bf5-4d94-8c2d-7199a208d5f9" + ], + "layerId": "72ce303a-9d98-4bab-856e-a67eb8605bfb", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "46424fdd-77b9-4f4b-bd63-beda1a1fafe4" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6d50ae65-0cff-4b59-b347-ee6ea82d637e", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "6d50ae65-0cff-4b59-b347-ee6ea82d637e", + "title": "Top 10 sections affected [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-3ac7ca64-bfb5-471c-8a8a-2cb5837ee004", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "3ac7ca64-bfb5-471c-8a8a-2cb5837ee004": { + "columnOrder": [ + "b3792010-1e80-401f-a6fc-54cbedf9720a", + "9056c574-d371-4c77-9f6b-04326402c8d1", + "a547e7f8-6d39-4b6a-a4fe-329c901d368c" + ], + "columns": { + "9056c574-d371-4c77-9f6b-04326402c8d1": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "a547e7f8-6d39-4b6a-a4fe-329c901d368c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Actions", + 
"operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "b3792010-1e80-401f-a6fc-54cbedf9720a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of event.action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a547e7f8-6d39-4b6a-a4fe-329c901d368c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "a547e7f8-6d39-4b6a-a4fe-329c901d368c" + ], + "layerId": "3ac7ca64-bfb5-471c-8a8a-2cb5837ee004", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "b3792010-1e80-401f-a6fc-54cbedf9720a", + "xAccessor": "9056c574-d371-4c77-9f6b-04326402c8d1" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "33acb8b4-5e5c-4ba2-8089-2554aaff7f23", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "33acb8b4-5e5c-4ba2-8089-2554aaff7f23", + "title": "Top 10 actions over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "7c636e26-d3f1-4aa9-b263-683d6b75f2ab", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "7c636e26-d3f1-4aa9-b263-683d6b75f2ab", + "panelRefName": "panel_7c636e26-d3f1-4aa9-b263-683d6b75f2ab", + "type": "search", + "version": "7.15.0" + } + ], + 
"refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Setup Audit Trail Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "c66be450-f891-11ee-9088-0f36517484ce", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "198189b3-48f3-4fc4-ae69-5ac5ee520d24:control_198189b3-48f3-4fc4-ae69-5ac5ee520d24_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "fc8067aa-c39c-4547-adfb-b618b9cbe4e8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "fc8067aa-c39c-4547-adfb-b618b9cbe4e8:indexpattern-datasource-layer-5ca48d62-7341-48b7-a2c0-5f2410c2d045", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "6d50ae65-0cff-4b59-b347-ee6ea82d637e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "6d50ae65-0cff-4b59-b347-ee6ea82d637e:indexpattern-datasource-layer-72ce303a-9d98-4bab-856e-a67eb8605bfb", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "33acb8b4-5e5c-4ba2-8089-2554aaff7f23:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "33acb8b4-5e5c-4ba2-8089-2554aaff7f23:indexpattern-datasource-layer-3ac7ca64-bfb5-471c-8a8a-2cb5837ee004", + "type": "index-pattern" + }, + { + "id": "3e7187a0-f894-11ee-9088-0f36517484ce", + "name": "7c636e26-d3f1-4aa9-b263-683d6b75f2ab:panel_7c636e26-d3f1-4aa9-b263-683d6b75f2ab", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2024-04-12T11:38:19.817Z", + "version": "WzExMjcyLDFd" +} \ No newline at end of file 
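Review bot: In the "Top 10 actions performed by delegated users" panel, the "Request count" column (`06369992-979e-421a-928b-03d026695908`) is a `unique_count` over `@timestamp`, so it counts distinct timestamps rather than audit events. Any setup changes that share a timestamp collapse into one, which under-reports bursts of delegated-admin activity, the case an audit-trail view most needs to show. The other two Lens panels in this file count documents, and this column should match them with `"operationType": "count"` and `"sourceField": "Records"`. If the distinct count was a deliberate de-duplication of re-ingested events, it would presumably be better keyed on a per-record identifier than on the timestamp.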
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/cb7b4a40-f7ff-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/cb7b4a40-f7ff-11ee-9088-0f36517484ce.json new file mode 100644 index 00000000000..bd95b31e3a9 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/cb7b4a40-f7ff-11ee-9088-0f36517484ce.json 
@@ -0,0 +1,1552 @@ +{ + "attributes": { + "description": "Salesforce Login Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "salesforce.login" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "salesforce.login" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "controls": [ + { + "fieldName": "salesforce.instance_url", + "id": "1712835656630", + "indexPatternRefName": "control_9788dc28-4697-4ec7-8953-e70fabbdb620_0_index_pattern", + "label": "Instance URL", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "9788dc28-4697-4ec7-8953-e70fabbdb620", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "9788dc28-4697-4ec7-8953-e70fabbdb620", + "type": "visualization", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-e601c823-8f3a-4656-ad12-402588f0f425", 
+ "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e601c823-8f3a-4656-ad12-402588f0f425": { + "columnOrder": [ + "eda440c2-47d3-4779-a238-48cedf1e1dab", + "eda440c2-47d3-4779-a238-48cedf1e1dabX0", + "eda440c2-47d3-4779-a238-48cedf1e1dabX1", + "eda440c2-47d3-4779-a238-48cedf1e1dabX2" + ], + "columns": { + "eda440c2-47d3-4779-a238-48cedf1e1dab": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Login success rate", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "(count(kql='event.outcome : \"success\"')/count())", + "isFormulaBroken": false + }, + "references": [ + "eda440c2-47d3-4779-a238-48cedf1e1dabX2" + ], + "scale": "ratio" + }, + "eda440c2-47d3-4779-a238-48cedf1e1dabX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.outcome : \"success\"" + }, + "isBucketed": false, + "label": "Part of Login success rate", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "eda440c2-47d3-4779-a238-48cedf1e1dabX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Login success rate", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "eda440c2-47d3-4779-a238-48cedf1e1dabX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Login success rate", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "eda440c2-47d3-4779-a238-48cedf1e1dabX0", + "eda440c2-47d3-4779-a238-48cedf1e1dabX1" + ], + "location": { + "max": 48, + "min": 0 + }, + "name": "divide", + "text": "(count(kql='event.outcome : \"success\"')/count())", + "type": "function" + } + }, + "references": [ + 
"eda440c2-47d3-4779-a238-48cedf1e1dabX0", + "eda440c2-47d3-4779-a238-48cedf1e1dabX1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "eda440c2-47d3-4779-a238-48cedf1e1dab", + "layerId": "e601c823-8f3a-4656-ad12-402588f0f425", + "layerType": "data" + } + }, + "title": "Login success rate [Filebeat Salesforce]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "ccd0f44d-f761-4a75-8fe1-f01955f30077", + "w": 24, + "x": 0, + "y": 5 + }, + "panelIndex": "ccd0f44d-f761-4a75-8fe1-f01955f30077", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-16d40659-3f98-477a-8c51-69ff60874d70", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "16d40659-3f98-477a-8c51-69ff60874d70": { + "columnOrder": [ + "5ef8874b-edac-4144-9d56-f3cdc02988ba", + "5ef8874b-edac-4144-9d56-f3cdc02988baX0" + ], + "columns": { + "5ef8874b-edac-4144-9d56-f3cdc02988ba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed login attempts", + 
"operationType": "formula", + "params": { + "formula": "count()", + "isFormulaBroken": false + }, + "references": [ + "5ef8874b-edac-4144-9d56-f3cdc02988baX0" + ], + "scale": "ratio" + }, + "5ef8874b-edac-4144-9d56-f3cdc02988baX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of count()", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "5ef8874b-edac-4144-9d56-f3cdc02988ba", + "layerId": "16d40659-3f98-477a-8c51-69ff60874d70", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "da637943-7e6d-41a2-a9db-2d0fedc58956", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "da637943-7e6d-41a2-a9db-2d0fedc58956", + "title": "Failed login attempts [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"indexpattern-datasource-layer-eb6954c3-d7f8-4561-953b-bb7a85328904", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "eb6954c3-d7f8-4561-953b-bb7a85328904": { + "columnOrder": [ + "633c1004-485f-4933-a814-4002992a1f8c", + "cac7726d-d7fc-4ab3-af4f-2d96c1fd5b17", + "543b37da-f2c5-49e2-b125-d877d7447c10" + ], + "columns": { + "543b37da-f2c5-49e2-b125-d877d7447c10": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.outcome : \"failure\"" + }, + "isBucketed": false, + "label": "Failure", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "633c1004-485f-4933-a814-4002992a1f8c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cac7726d-d7fc-4ab3-af4f-2d96c1fd5b17": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.outcome : \"success\"" + }, + "isBucketed": false, + "label": "Success", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "cac7726d-d7fc-4ab3-af4f-2d96c1fd5b17", + "543b37da-f2c5-49e2-b125-d877d7447c10" + ], + "layerId": "eb6954c3-d7f8-4561-953b-bb7a85328904", + "layerType": "data", + 
"position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "633c1004-485f-4933-a814-4002992a1f8c", + "yConfig": [ + { + "color": "#68bc00", + "forAccessor": "cac7726d-d7fc-4ab3-af4f-2d96c1fd5b17" + }, + { + "color": "#e7664c", + "forAccessor": "543b37da-f2c5-49e2-b125-d877d7447c10" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "71807bd3-d0ed-4328-93cc-6d9f3c93ea2c", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "71807bd3-d0ed-4328-93cc-6d9f3c93ea2c", + "title": "Login over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-94dd5ffa-7be5-4655-b1a2-2556e9ad835b", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "94dd5ffa-7be5-4655-b1a2-2556e9ad835b": { + "columnOrder": [ + "5747b6b2-a7ee-4835-bbef-ef41299cf88a", + "5cef11ff-915a-46ed-b3b3-40d2111d429f" + ], + "columns": { + "5747b6b2-a7ee-4835-bbef-ef41299cf88a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "5cef11ff-915a-46ed-b3b3-40d2111d429f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Login Events", + 
"operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "5cef11ff-915a-46ed-b3b3-40d2111d429f" + ], + "layerId": "94dd5ffa-7be5-4655-b1a2-2556e9ad835b", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "5747b6b2-a7ee-4835-bbef-ef41299cf88a" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e988774b-2311-49ce-90d2-89c11abcdb07", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "e988774b-2311-49ce-90d2-89c11abcdb07", + "title": "Total login events over time [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-77dc6ae7-66ae-4403-861c-86e10c2920b7", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + 
"77dc6ae7-66ae-4403-861c-86e10c2920b7": { + "columnOrder": [ + "8912e35b-2fd5-493f-94bd-f8f6b5494819", + "f8b67a30-098a-4474-9b3e-8bbdc7fb223f" + ], + "columns": { + "8912e35b-2fd5-493f-94bd-f8f6b5494819": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of user.roles", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f8b67a30-098a-4474-9b3e-8bbdc7fb223f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.roles" + }, + "f8b67a30-098a-4474-9b3e-8bbdc7fb223f": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "8912e35b-2fd5-493f-94bd-f8f6b5494819" + ], + "layerId": "77dc6ae7-66ae-4403-861c-86e10c2920b7", + "layerType": "data", + "legendDisplay": "default", + "metric": "f8b67a30-098a-4474-9b3e-8bbdc7fb223f", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "89cc0806-06c0-44ff-a439-302308134141", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "89cc0806-06c0-44ff-a439-302308134141", + "title": "Distribution of type of users [Filebeat Salesforce]", + 
"type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-0c41d5d1-1ecc-4583-bf02-f403fd062f57", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0c41d5d1-1ecc-4583-bf02-f403fd062f57": { + "columnOrder": [ + "03378057-e779-4d5b-9529-bb74a6b69613", + "b328aa99-56ed-443d-aaa0-fcab852e9d2f" + ], + "columns": { + "03378057-e779-4d5b-9529-bb74a6b69613": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Agent", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b328aa99-56ed-443d-aaa0-fcab852e9d2f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" + }, + "b328aa99-56ed-443d-aaa0-fcab852e9d2f": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "03378057-e779-4d5b-9529-bb74a6b69613" + ], + "layerId": "0c41d5d1-1ecc-4583-bf02-f403fd062f57", + "layerType": "data", + 
"legendDisplay": "default", + "metric": "b328aa99-56ed-443d-aaa0-fcab852e9d2f", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "47159791-40d6-4728-a005-79ddba90c433", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "47159791-40d6-4728-a005-79ddba90c433", + "title": "Activity by browser/client [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-e6917172-0cfc-45d0-8761-9d151ca8c6d8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e6917172-0cfc-45d0-8761-9d151ca8c6d8": { + "columnOrder": [ + "12c45419-8c36-42d5-a61f-0134974a7917", + "8eb21603-1016-4a57-8f72-f2cbcd046732" + ], + "columns": { + "12c45419-8c36-42d5-a61f-0134974a7917": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Postal code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8eb21603-1016-4a57-8f72-f2cbcd046732", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.geo.postal_code" + }, + "8eb21603-1016-4a57-8f72-f2cbcd046732": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "User count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "user.email" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + 
"8eb21603-1016-4a57-8f72-f2cbcd046732" + ], + "layerId": "e6917172-0cfc-45d0-8761-9d151ca8c6d8", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "12c45419-8c36-42d5-a61f-0134974a7917" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "062d36b1-7b48-4942-8dc6-bc6c9da71ca4", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "062d36b1-7b48-4942-8dc6-bc6c9da71ca4", + "title": "Top 10 postal code by user count [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-57bddf43-9edc-455c-a430-1905126337ab", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "57bddf43-9edc-455c-a430-1905126337ab": { + "columnOrder": [ + "898c6e89-40ea-41ed-83bb-db2b34fbe59d", + "fbdd3f62-f9f8-4830-a06d-f1b04ae314d5" + ], + "columns": { + "898c6e89-40ea-41ed-83bb-db2b34fbe59d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "fbdd3f62-f9f8-4830-a06d-f1b04ae314d5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"salesforce.login.application" + }, + "fbdd3f62-f9f8-4830-a06d-f1b04ae314d5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "User count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "user.email" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "fbdd3f62-f9f8-4830-a06d-f1b04ae314d5" + ], + "layerId": "57bddf43-9edc-455c-a430-1905126337ab", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "898c6e89-40ea-41ed-83bb-db2b34fbe59d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2f13c9f8-868c-420e-9243-4edc3bf8a52f", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "2f13c9f8-868c-420e-9243-4edc3bf8a52f", + "title": "Top 10 application type by user count [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "cae6ad06-6134-468e-aeeb-7a1755e143e7", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "cae6ad06-6134-468e-aeeb-7a1755e143e7", + "panelRefName": "panel_cae6ad06-6134-468e-aeeb-7a1755e143e7", + "type": 
"search", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-b2fe9547-0320-4300-9384-8e44fb4739cb", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b2fe9547-0320-4300-9384-8e44fb4739cb": { + "columnOrder": [ + "94fa32bf-c0b2-453b-abae-ba8d7552adb1", + "65726718-5a2e-4c53-9cdd-773ece695cda" + ], + "columns": { + "65726718-5a2e-4c53-9cdd-773ece695cda": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "94fa32bf-c0b2-453b-abae-ba8d7552adb1": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP Addresses", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "65726718-5a2e-4c53-9cdd-773ece695cda", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login-attempt" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login-attempt" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "65726718-5a2e-4c53-9cdd-773ece695cda" + ], + "layerId": "b2fe9547-0320-4300-9384-8e44fb4739cb", + "layerType": "data", + "position": "top", + "seriesType": 
"bar_horizontal", + "showGridlines": false, + "xAccessor": "94fa32bf-c0b2-453b-abae-ba8d7552adb1" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "02f53527-4721-4341-9d76-05d9075eef17", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "02f53527-4721-4341-9d76-05d9075eef17", + "title": "Top 10 IP addresses by request count [Filebeat Salesforce]", + "type": "lens", + "version": "7.15.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 85.05113, + "maxLon": 270, + "minLat": -66.51326, + "minLon": -270 + }, + "mapCenter": { + "lat": 15.07469, + "lon": -0.10396, + "zoom": 1.38 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 25, + "i": "d860f236-a75a-4fde-81ce-f3de40ef7c19", + "w": 48, + "x": 0, + "y": 90 + }, + "panelIndex": "d860f236-a75a-4fde-81ce-f3de40ef7c19", + "panelRefName": "panel_d860f236-a75a-4fde-81ce-f3de40ef7c19", + "title": "Login activity by region [Filebeat Salesforce]", + "type": "map", + "version": "7.15.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat Salesforce] Login Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "cb7b4a40-f7ff-11ee-9088-0f36517484ce", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"9788dc28-4697-4ec7-8953-e70fabbdb620:control_9788dc28-4697-4ec7-8953-e70fabbdb620_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "ccd0f44d-f761-4a75-8fe1-f01955f30077:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "ccd0f44d-f761-4a75-8fe1-f01955f30077:indexpattern-datasource-layer-e601c823-8f3a-4656-ad12-402588f0f425", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "ccd0f44d-f761-4a75-8fe1-f01955f30077:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "da637943-7e6d-41a2-a9db-2d0fedc58956:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "da637943-7e6d-41a2-a9db-2d0fedc58956:indexpattern-datasource-layer-16d40659-3f98-477a-8c51-69ff60874d70", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "da637943-7e6d-41a2-a9db-2d0fedc58956:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "da637943-7e6d-41a2-a9db-2d0fedc58956:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "71807bd3-d0ed-4328-93cc-6d9f3c93ea2c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "71807bd3-d0ed-4328-93cc-6d9f3c93ea2c:indexpattern-datasource-layer-eb6954c3-d7f8-4561-953b-bb7a85328904", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "71807bd3-d0ed-4328-93cc-6d9f3c93ea2c:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "e988774b-2311-49ce-90d2-89c11abcdb07:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "e988774b-2311-49ce-90d2-89c11abcdb07:indexpattern-datasource-layer-94dd5ffa-7be5-4655-b1a2-2556e9ad835b", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"e988774b-2311-49ce-90d2-89c11abcdb07:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "89cc0806-06c0-44ff-a439-302308134141:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "89cc0806-06c0-44ff-a439-302308134141:indexpattern-datasource-layer-77dc6ae7-66ae-4403-861c-86e10c2920b7", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "89cc0806-06c0-44ff-a439-302308134141:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "47159791-40d6-4728-a005-79ddba90c433:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "47159791-40d6-4728-a005-79ddba90c433:indexpattern-datasource-layer-0c41d5d1-1ecc-4583-bf02-f403fd062f57", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "47159791-40d6-4728-a005-79ddba90c433:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "062d36b1-7b48-4942-8dc6-bc6c9da71ca4:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "062d36b1-7b48-4942-8dc6-bc6c9da71ca4:indexpattern-datasource-layer-e6917172-0cfc-45d0-8761-9d151ca8c6d8", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "2f13c9f8-868c-420e-9243-4edc3bf8a52f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "2f13c9f8-868c-420e-9243-4edc3bf8a52f:indexpattern-datasource-layer-57bddf43-9edc-455c-a430-1905126337ab", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "2f13c9f8-868c-420e-9243-4edc3bf8a52f:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "2752cec0-f804-11ee-9088-0f36517484ce", + "name": "cae6ad06-6134-468e-aeeb-7a1755e143e7:panel_cae6ad06-6134-468e-aeeb-7a1755e143e7", + "type": "search" + }, + { + "id": "filebeat-*", + "name": 
"02f53527-4721-4341-9d76-05d9075eef17:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "02f53527-4721-4341-9d76-05d9075eef17:indexpattern-datasource-layer-b2fe9547-0320-4300-9384-8e44fb4739cb", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "02f53527-4721-4341-9d76-05d9075eef17:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "c9668e10-f88e-11ee-9088-0f36517484ce", + "name": "d860f236-a75a-4fde-81ce-f3de40ef7c19:panel_d860f236-a75a-4fde-81ce-f3de40ef7c19", + "type": "map" + } + ], + "type": "dashboard", + "updated_at": "2024-04-12T11:42:57.059Z", + "version": "WzExNjA3LDFd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index a054e9bbd2f..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
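Review bot: The "Top 10 postal code by user count" panel (`panelIndex` `062d36b1-7b48-4942-8dc6-bc6c9da71ca4`) is the only Lens panel in this dashboard with `"filters": []`. Every sibling Lens panel carries the `event.action: login-attempt` phrase filter, so this one counts `user.email` over everything the dashboard-level `event.dataset: salesforce.login` filter lets through. If that dataset can hold events with another action, the postal-code figures will not line up with the "Top 10 application type by user count" panel beside it, which is misleading when the dashboard is used to triage sign-in activity by location. I would copy the siblings' `filter-index-pattern-0` phrase filter into this panel's `state.filters`, and add the matching reference to the panel's `references` and to the top-level `references` list as `062d36b1-7b48-4942-8dc6-bc6c9da71ca4:filter-index-pattern-0`. If the omission is intentional, a panel title that says so would help.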
@@ -1,330 +0,0 @@ -{ - "attributes": { - "description": "Login EventLogFile Data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 4, - "i": "4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", - "panelRefName": "panel_4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "df92b3a0-d885-4bac-a98b-ab94d1d65936", - "w": 12, - "x": 0, - "y": 4 - }, - "panelIndex": "df92b3a0-d885-4bac-a98b-ab94d1d65936", - "panelRefName": "panel_df92b3a0-d885-4bac-a98b-ab94d1d65936", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "ae31f75c-4943-48ee-8177-f7ad58a91553", - "w": 12, - "x": 12, - "y": 4 - }, - "panelIndex": "ae31f75c-4943-48ee-8177-f7ad58a91553", - "panelRefName": "panel_ae31f75c-4943-48ee-8177-f7ad58a91553", - "title": "Failed login attempts [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hiddenLayers": [], - "hidePanelTitles": false, - "isLayerTOCOpen": false, - "mapBuffer": { - "maxLat": 66.51326, - "maxLon": 180, - "minLat": -66.51326, - "minLon": -90 - }, - "mapCenter": { - "lat": 14.75725, - "lon": 26.27964, - "zoom": 1.31 - }, - "openTOCDetails": [] - }, - "gridData": { - "h": 15, - "i": "9caaed64-6c42-40af-a6af-ae58cce576e3", - "w": 24, - "x": 24, - "y": 4 - }, - "panelIndex": "9caaed64-6c42-40af-a6af-ae58cce576e3", - "panelRefName": "panel_9caaed64-6c42-40af-a6af-ae58cce576e3", 
- "title": "Salesforce activity by region [Filebeat Salesforce]", - "type": "map", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "157cf178-6669-496e-9f0e-7d9ac8bab21d", - "w": 48, - "x": 0, - "y": 19 - }, - "panelIndex": "157cf178-6669-496e-9f0e-7d9ac8bab21d", - "panelRefName": "panel_157cf178-6669-496e-9f0e-7d9ac8bab21d", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", - "w": 24, - "x": 0, - "y": 34 - }, - "panelIndex": "a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", - "panelRefName": "panel_a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", - "title": "User ID [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "eb23e36d-9001-4fd2-ad9f-aacf62811beb", - "w": 24, - "x": 24, - "y": 34 - }, - "panelIndex": "eb23e36d-9001-4fd2-ad9f-aacf62811beb", - "panelRefName": "panel_eb23e36d-9001-4fd2-ad9f-aacf62811beb", - "title": "Success rate [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "1436e9ad-013d-4416-a616-9a3c134af834", - "w": 24, - "x": 0, - "y": 49 - }, - "panelIndex": "1436e9ad-013d-4416-a616-9a3c134af834", - "panelRefName": "panel_1436e9ad-013d-4416-a616-9a3c134af834", - "title": "Top IP addresses by request count [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "83337583-735d-44c1-8dc9-8e4f032d42fb", - "w": 24, - "x": 24, - "y": 49 - }, - "panelIndex": "83337583-735d-44c1-8dc9-8e4f032d42fb", - "panelRefName": 
"panel_83337583-735d-44c1-8dc9-8e4f032d42fb", - "title": "Login type [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "20a81ce2-6345-4cad-936e-4337ac6bb3b0", - "w": 24, - "x": 0, - "y": 64 - }, - "panelIndex": "20a81ce2-6345-4cad-936e-4337ac6bb3b0", - "panelRefName": "panel_20a81ce2-6345-4cad-936e-4337ac6bb3b0", - "title": "Activity segmentation by browser/client [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 28, - "i": "8b648987-21fb-4b71-8d63-0e406180f168", - "w": 48, - "x": 0, - "y": 79 - }, - "panelIndex": "8b648987-21fb-4b71-8d63-0e406180f168", - "panelRefName": "panel_8b648987-21fb-4b71-8d63-0e406180f168", - "title": "Login events table [Filebeat Salesforce]", - "type": "search", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "4d6fa731-c3b5-4ec5-b604-f30b32d9ac5d", - "w": 24, - "x": 24, - "y": 64 - }, - "panelIndex": "4d6fa731-c3b5-4ec5-b604-f30b32d9ac5d", - "panelRefName": "panel_4d6fa731-c3b5-4ec5-b604-f30b32d9ac5d", - "title": "Application type [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - } - ], - "refreshInterval": { - "pause": false, - "value": 900000 - }, - "timeFrom": "now-7d/d", - "timeRestore": true, - "timeTo": "now", - "title": "[Filebeat Salesforce] Login Dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", - "name": "4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0:panel_4556b8a4-b5c8-4bb2-bc03-23b4f40b3af0", - "type": "visualization" - }, - { - "id": 
"c69e97e0-5d72-11ec-9523-d1b667ac64c0", - "name": "df92b3a0-d885-4bac-a98b-ab94d1d65936:panel_df92b3a0-d885-4bac-a98b-ab94d1d65936", - "type": "visualization" - }, - { - "id": "f4e05440-5d72-11ec-9523-d1b667ac64c0", - "name": "ae31f75c-4943-48ee-8177-f7ad58a91553:panel_ae31f75c-4943-48ee-8177-f7ad58a91553", - "type": "visualization" - }, - { - "id": "5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0", - "name": "9caaed64-6c42-40af-a6af-ae58cce576e3:panel_9caaed64-6c42-40af-a6af-ae58cce576e3", - "type": "map" - }, - { - "id": "fbb560f0-5d8e-11ec-9523-d1b667ac64c0", - "name": "157cf178-6669-496e-9f0e-7d9ac8bab21d:panel_157cf178-6669-496e-9f0e-7d9ac8bab21d", - "type": "visualization" - }, - { - "id": "e6da1080-5d8f-11ec-9523-d1b667ac64c0", - "name": "a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca:panel_a2a1513d-f5fb-4d1d-a7ce-d7a3903d55ca", - "type": "visualization" - }, - { - "id": "33be8340-5d90-11ec-9523-d1b667ac64c0", - "name": "eb23e36d-9001-4fd2-ad9f-aacf62811beb:panel_eb23e36d-9001-4fd2-ad9f-aacf62811beb", - "type": "visualization" - }, - { - "id": "80c0b730-5d90-11ec-9523-d1b667ac64c0", - "name": "1436e9ad-013d-4416-a616-9a3c134af834:panel_1436e9ad-013d-4416-a616-9a3c134af834", - "type": "visualization" - }, - { - "id": "ab958760-5d90-11ec-9523-d1b667ac64c0", - "name": "83337583-735d-44c1-8dc9-8e4f032d42fb:panel_83337583-735d-44c1-8dc9-8e4f032d42fb", - "type": "visualization" - }, - { - "id": "e8175600-5d90-11ec-9523-d1b667ac64c0", - "name": "20a81ce2-6345-4cad-936e-4337ac6bb3b0:panel_20a81ce2-6345-4cad-936e-4337ac6bb3b0", - "type": "visualization" - }, - { - "id": "51d23250-5d8b-11ec-9523-d1b667ac64c0", - "name": "8b648987-21fb-4b71-8d63-0e406180f168:panel_8b648987-21fb-4b71-8d63-0e406180f168", - "type": "search" - }, - { - "id": "baeaca80-cd2b-11ec-83d5-7f8e1b7a2529", - "name": "4d6fa731-c3b5-4ec5-b604-f30b32d9ac5d:panel_4d6fa731-c3b5-4ec5-b604-f30b32d9ac5d", - "type": "visualization" - }, - { - "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "name": 
"tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "type": "tag" - } - ], - "type": "dashboard", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDY2LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 16ff640b838..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,296 +0,0 @@ -{ - "attributes": { - "description": "Apex EventLogFile Data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 4, - "i": "92fa5f55-44db-44e6-9e32-f47c34335706", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "92fa5f55-44db-44e6-9e32-f47c34335706", - "panelRefName": "panel_92fa5f55-44db-44e6-9e32-f47c34335706", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "f7680bb8-ec0c-4bd5-8ace-140d023384dc", - "w": 12, - "x": 0, - "y": 4 - }, - "panelIndex": "f7680bb8-ec0c-4bd5-8ace-140d023384dc", - "panelRefName": "panel_f7680bb8-ec0c-4bd5-8ace-140d023384dc", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "5b18dcde-0147-462b-85eb-154fcb9abffd", - "w": 12, - "x": 12, - "y": 4 - }, - "panelIndex": "5b18dcde-0147-462b-85eb-154fcb9abffd", - "panelRefName": "panel_5b18dcde-0147-462b-85eb-154fcb9abffd", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", - "w": 24, - "x": 24, - "y": 4 - }, - "panelIndex": "b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", - "panelRefName": "panel_b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", - "title": "DB_TOTAL_TIME-CPU_TIME comparision [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": 
"97595594-bd12-4341-9287-aba4ee2642c3", - "w": 24, - "x": 0, - "y": 19 - }, - "panelIndex": "97595594-bd12-4341-9287-aba4ee2642c3", - "panelRefName": "panel_97595594-bd12-4341-9287-aba4ee2642c3", - "title": "Trigger-Entity categorisation [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "vis": null - }, - "gridData": { - "h": 16, - "i": "1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", - "w": 24, - "x": 24, - "y": 19 - }, - "panelIndex": "1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", - "panelRefName": "panel_1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "b2885132-edfc-4c17-99f9-31b56ca2f109", - "w": 48, - "x": 0, - "y": 35 - }, - "panelIndex": "b2885132-edfc-4c17-99f9-31b56ca2f109", - "panelRefName": "panel_b2885132-edfc-4c17-99f9-31b56ca2f109", - "title": "Top Entrypoints by Request Count [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", - "w": 24, - "x": 0, - "y": 50 - }, - "panelIndex": "4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", - "panelRefName": "panel_4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", - "title": "Apex Performance over time [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 13, - "i": "58a8cf54-9a2e-4b7d-a579-5b01e656030e", - "w": 21, - "x": 0, - "y": 65 - }, - "panelIndex": "58a8cf54-9a2e-4b7d-a579-5b01e656030e", - "panelRefName": "panel_58a8cf54-9a2e-4b7d-a579-5b01e656030e", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - 
"enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 13, - "i": "03390f0c-c585-4cf0-8a93-06479965a0e9", - "w": 27, - "x": 21, - "y": 65 - }, - "panelIndex": "03390f0c-c585-4cf0-8a93-06479965a0e9", - "panelRefName": "panel_03390f0c-c585-4cf0-8a93-06479965a0e9", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "60adaf8e-785f-4c89-9ff8-c842b2a64f73", - "w": 24, - "x": 24, - "y": 50 - }, - "panelIndex": "60adaf8e-785f-4c89-9ff8-c842b2a64f73", - "panelRefName": "panel_60adaf8e-785f-4c89-9ff8-c842b2a64f73", - "title": "Number of SOQL Queries per Entry Point [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-7d/d", - "timeRestore": true, - "timeTo": "now", - "title": "[Filebeat Salesforce] Apex Dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", - "name": "92fa5f55-44db-44e6-9e32-f47c34335706:panel_92fa5f55-44db-44e6-9e32-f47c34335706", - "type": "visualization" - }, - { - "id": "4f9923d0-574c-11ec-8f0b-05e8b06e1b10", - "name": "f7680bb8-ec0c-4bd5-8ace-140d023384dc:panel_f7680bb8-ec0c-4bd5-8ace-140d023384dc", - "type": "visualization" - }, - { - "id": "8cec4c30-574c-11ec-8f0b-05e8b06e1b10", - "name": "5b18dcde-0147-462b-85eb-154fcb9abffd:panel_5b18dcde-0147-462b-85eb-154fcb9abffd", - "type": "visualization" - }, - { - "id": "86081670-5d95-11ec-9523-d1b667ac64c0", - "name": "b9d36aa1-9cb3-4a1a-a010-413d72a57dd0:panel_b9d36aa1-9cb3-4a1a-a010-413d72a57dd0", - "type": "visualization" - }, - { - "id": "24c39ae0-574d-11ec-8f0b-05e8b06e1b10", - "name": "97595594-bd12-4341-9287-aba4ee2642c3:panel_97595594-bd12-4341-9287-aba4ee2642c3", - 
"type": "visualization" - }, - { - "id": "416da3a0-574f-11ec-8f0b-05e8b06e1b10", - "name": "1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b:panel_1aef58f1-8aca-4225-bc5c-c1a6ceda4a8b", - "type": "visualization" - }, - { - "id": "93c37330-5751-11ec-8f0b-05e8b06e1b10", - "name": "b2885132-edfc-4c17-99f9-31b56ca2f109:panel_b2885132-edfc-4c17-99f9-31b56ca2f109", - "type": "visualization" - }, - { - "id": "31366a60-5751-11ec-8f0b-05e8b06e1b10", - "name": "4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7:panel_4f5803fa-0c1e-4bd6-84ca-b8710f52c0a7", - "type": "visualization" - }, - { - "id": "17f0a5d0-5750-11ec-8f0b-05e8b06e1b10", - "name": "58a8cf54-9a2e-4b7d-a579-5b01e656030e:panel_58a8cf54-9a2e-4b7d-a579-5b01e656030e", - "type": "visualization" - }, - { - "id": "61eec180-5750-11ec-8f0b-05e8b06e1b10", - "name": "03390f0c-c585-4cf0-8a93-06479965a0e9:panel_03390f0c-c585-4cf0-8a93-06479965a0e9", - "type": "visualization" - }, - { - "id": "6d86efd0-5751-11ec-8f0b-05e8b06e1b10", - "name": "60adaf8e-785f-4c89-9ff8-c842b2a64f73:panel_60adaf8e-785f-4c89-9ff8-c842b2a64f73", - "type": "visualization" - }, - { - "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "type": "tag" - } - ], - "type": "dashboard", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDc4LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 2c3e1eee6b1..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "attributes": { - "description": "Logout EventLogFile Data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 4, - "i": "a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", - "panelRefName": "panel_a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 15, - "i": "e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", - "w": 24, - "x": 0, - "y": 21 - }, - "panelIndex": "e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", - "panelRefName": "panel_e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "12145dd1-e578-4f41-a09d-7bece9d79985", - "w": 24, - "x": 24, - "y": 21 - }, - "panelIndex": "12145dd1-e578-4f41-a09d-7bece9d79985", - "panelRefName": "panel_12145dd1-e578-4f41-a09d-7bece9d79985", - "title": "Top 10 IP addresses over time [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 37, - "i": "4c956f84-ce21-4b40-9b6c-d0c079aa2630", - "w": 48, - "x": 0, - "y": 36 - }, - "panelIndex": "4c956f84-ce21-4b40-9b6c-d0c079aa2630", - "panelRefName": "panel_4c956f84-ce21-4b40-9b6c-d0c079aa2630", - "title": "Logout events table [Filebeat Salesforce]", - "type": "search", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": 
"78ec8ab8-7bee-4caa-9bf9-6a8c525d76c7", - "w": 48, - "x": 0, - "y": 4 - }, - "panelIndex": "78ec8ab8-7bee-4caa-9bf9-6a8c525d76c7", - "panelRefName": "panel_78ec8ab8-7bee-4caa-9bf9-6a8c525d76c7", - "type": "visualization", - "version": "7.15.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-7d/d", - "timeRestore": true, - "timeTo": "now", - "title": "[Filebeat Salesforce] Logout Dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", - "name": "a8f9096a-18a7-4aaa-aadf-9b1264c25ff9:panel_a8f9096a-18a7-4aaa-aadf-9b1264c25ff9", - "type": "visualization" - }, - { - "id": "2b7921e0-5d6d-11ec-9523-d1b667ac64c0", - "name": "e94002ab-ee04-4bdf-80f6-fca80b3cf1b1:panel_e94002ab-ee04-4bdf-80f6-fca80b3cf1b1", - "type": "visualization" - }, - { - "id": "27897120-5d6d-11ec-9523-d1b667ac64c0", - "name": "12145dd1-e578-4f41-a09d-7bece9d79985:panel_12145dd1-e578-4f41-a09d-7bece9d79985", - "type": "visualization" - }, - { - "id": "b3b98110-5d92-11ec-9523-d1b667ac64c0", - "name": "4c956f84-ce21-4b40-9b6c-d0c079aa2630:panel_4c956f84-ce21-4b40-9b6c-d0c079aa2630", - "type": "search" - }, - { - "id": "2a11e7a0-cd35-11ec-83d5-7f8e1b7a2529", - "name": "78ec8ab8-7bee-4caa-9bf9-6a8c525d76c7:panel_78ec8ab8-7bee-4caa-9bf9-6a8c525d76c7", - "type": "visualization" - }, - { - "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "type": "tag" - } - ], - "type": "dashboard", - "updated_at": "2022-05-06T12:21:35.309Z", - "version": "WzM0MDQxLDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json
deleted file mode 100644
index 2c528c48713..00000000000
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json
+++ /dev/null
@@ -1,165 +0,0 @@ -{ - "attributes": { - "description": "SetupAuditTrail EventLogFile Data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 4, - "i": "c7fd367e-26a0-440d-abdf-6c217aaa3d82", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "c7fd367e-26a0-440d-abdf-6c217aaa3d82", - "panelRefName": "panel_c7fd367e-26a0-440d-abdf-6c217aaa3d82", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 13, - "i": "cd348728-bab4-44b0-96cb-6f29b1095701", - "w": 16, - "x": 16, - "y": 4 - }, - "panelIndex": "cd348728-bab4-44b0-96cb-6f29b1095701", - "panelRefName": "panel_cd348728-bab4-44b0-96cb-6f29b1095701", - "title": "Top 10 Section Over Time [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 13, - "i": "ecb2c974-d2ed-4256-a467-451be88465a7", - "w": 16, - "x": 32, - "y": 4 - }, - "panelIndex": "ecb2c974-d2ed-4256-a467-451be88465a7", - "panelRefName": "panel_ecb2c974-d2ed-4256-a467-451be88465a7", - "title": "Number of Actions performed over URLs [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 27, - "i": "fcd86baf-07ec-4c31-b1f6-054bbab0152c", - "w": 48, - "x": 0, - "y": 17 - }, - "panelIndex": "fcd86baf-07ec-4c31-b1f6-054bbab0152c", - "panelRefName": "panel_fcd86baf-07ec-4c31-b1f6-054bbab0152c", - "title": "SetupAuditTrail evnets data [Filebeat 
Salesforce]", - "type": "search", - "version": "7.15.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 13, - "i": "701cda8c-8a8a-4e39-ac16-52397b712b87", - "w": 16, - "x": 0, - "y": 4 - }, - "panelIndex": "701cda8c-8a8a-4e39-ac16-52397b712b87", - "panelRefName": "panel_701cda8c-8a8a-4e39-ac16-52397b712b87", - "title": "Top 10 Actions Performed [Filebeat Salesforce]", - "type": "visualization", - "version": "7.15.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-30d/d", - "timeRestore": true, - "timeTo": "now", - "title": "[Filebeat Salesforce] Setup Audit Trail Dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", - "name": "c7fd367e-26a0-440d-abdf-6c217aaa3d82:panel_c7fd367e-26a0-440d-abdf-6c217aaa3d82", - "type": "visualization" - }, - { - "id": "cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f", - "name": "cd348728-bab4-44b0-96cb-6f29b1095701:panel_cd348728-bab4-44b0-96cb-6f29b1095701", - "type": "visualization" - }, - { - "id": "5b503310-4b8c-11ec-9959-a3c0f68b1e4f", - "name": "ecb2c974-d2ed-4256-a467-451be88465a7:panel_ecb2c974-d2ed-4256-a467-451be88465a7", - "type": "visualization" - }, - { - "id": "769ba1c0-4b84-11ec-9959-a3c0f68b1e4f", - "name": "fcd86baf-07ec-4c31-b1f6-054bbab0152c:panel_fcd86baf-07ec-4c31-b1f6-054bbab0152c", - "type": "search" - }, - { - "id": "f5942600-5d95-11ec-9523-d1b667ac64c0", - "name": "701cda8c-8a8a-4e39-ac16-52397b712b87:panel_701cda8c-8a8a-4e39-ac16-52397b712b87", - "type": "visualization" - }, - { - "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "name": "tag-50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "type": "tag" - } - ], - "type": "dashboard", - "updated_at": "2022-05-06T12:16:51.077Z", - "version": "WzM0MDA4LDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/15bcb8a0-f891-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/15bcb8a0-f891-11ee-9088-0f36517484ce.json
new file mode 100644
index 00000000000..736dd52ddaf
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/15bcb8a0-f891-11ee-9088-0f36517484ce.json
@@ -0,0 +1,192 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "fc011f77-7c53-4a98-afef-f7d89244f0cf", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "4f907c5b-67e7-45c3-8c4c-7cb80170de03", + "includeInFitToBounds": true, + "joins": [], + "label": "Logout Activity", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "58e3c77d-15bd-4516-a81f-56f35cbe66ed", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "MVT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "topHitsSplitField": "", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": 
"TILED_VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-7d/d", + "to": "now" + }, + "zoom": 1.77 + }, + "title": "Logout activity by region [Filebeat Salesforce]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.15.0", + "id": "15bcb8a0-f891-11ee-9088-0f36517484ce", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2024-04-15T13:14:55.200Z", + "version": "WzEyNTI5LDFd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 7cc00fd20f1..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json +++ /dev/null 
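Review bot: The "Logout Activity" layer is not restricted to a Salesforce dataset: `mapStateJSON.filters` is `[]` and the ES_SEARCH `sourceDescriptor` carries no query, so on its own this map plots every `filebeat-*` document that has `source.geo.location`. The same holds for the "Login Activity" layer in c9668e10-f88e-11ee-9088-0f36517484ce.json, whereas the removed map 5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0.json pinned the data with a phrase filter on `event.dataset`. Unless the embedding dashboard applies that filter (not confirmable from the visible lines), login and logout locations will be mixed with unrelated sources, which makes the panel unreliable for spotting unusual sign-in geography. I would restore the filter in each map's `mapStateJSON.filters`, e.g. `"match_phrase": { "event.dataset": "salesforce.login" }` for the login map and the logout dataset's value here.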
@@ -1,142 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "166258a6-0b30-4bd1-8a12-67f32cfbeb97", - "includeInFitToBounds": true, - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": { - "type": "TILE" - }, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "696a68f4-f7f0-4720-9c7a-eac4f6cba560", - "includeInFitToBounds": true, - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyForceRefresh": true, - "applyGlobalQuery": true, - "applyGlobalTime": true, - "geoField": "source.geo.location", - "id": "608c9dc4-0997-4e15-af24-9334271838bb", - "indexPatternRefName": "layer_1_source_index_pattern", - "metrics": [ - { - "type": "count" - } - ], - "requestType": "heatmap", - "resolution": "COARSE", - "type": "ES_GEO_GRID" - }, - "style": { - "colorRampName": "theclassic", - "type": "HEATMAP" - }, - "type": "HEATMAP", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 23.00882, - "lon": 13.35724 - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "filebeat-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 900000, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 - }, - "disableInteractive": false, - "disableTooltipControl": false, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 - }, - "hideLayerControl": false, - "hideToolbarOverlay": false, - "hideViewControl": false, - "initialLocation": "LAST_SAVED_LOCATION", - "maxZoom": 24, - "minZoom": 0, - 
"showScaleControl": false, - "showSpatialFilters": true, - "showTimesliderToggleButton": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "2021-10-21T02:19:14.117Z", - "to": "2021-10-22T10:30:00.000Z" - }, - "zoom": 1.25 - }, - "title": "[Login] Salesforce activity by region [Filebeat Salesforce]", - "uiStateJSON": { - "isLayerTOCOpen": true, - "openTOCDetails": [] - } - }, - "coreMigrationVersion": "7.15.0", - "id": "5c2e6bc0-5d6c-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDU2LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/c9668e10-f88e-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/c9668e10-f88e-11ee-9088-0f36517484ce.json new file mode 100644 index 00000000000..1bbb4d88397 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/map/c9668e10-f88e-11ee-9088-0f36517484ce.json 
@@ -0,0 +1,192 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "e14b9f6c-b5bc-44c3-a76d-cd3ce4416837", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "b7f862e8-d875-4a1a-a922-63f5c2f6d06a", + "includeInFitToBounds": true, + "joins": [], + "label": "Login Activity", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "97b373bc-81dc-42de-9d90-f7970d5c3a73", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "MVT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "topHitsSplitField": "", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": 
"TILED_VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 15.07469, + "lon": -0.10396 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-7d/d", + "to": "now" + }, + "zoom": 1.38 + }, + "title": "Login activity by region [Filebeat Salesforce]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.15.0", + "id": "c9668e10-f88e-11ee-9088-0f36517484ce", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2024-04-15T13:15:17.835Z", + "version": "WzEyNTQ4LDFd" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/51d23250-5d8b-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/2752cec0-f804-11ee-9088-0f36517484ce.json similarity index 56% rename from x-pack/filebeat/module/salesforce/_meta/kibana/7/search/51d23250-5d8b-11ec-9523-d1b667ac64c0.json rename to x-pack/filebeat/module/salesforce/_meta/kibana/7/search/2752cec0-f804-11ee-9088-0f36517484ce.json index 2ede6ff68b9..201b3ab6dc4 100644 
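Review bot: The new map's `mapStateJSON` has `"filters": []` and an empty `query`, and the `ES_SEARCH` layer's `sourceDescriptor` carries no query of its own, so the "Login Activity" layer is not restricted to Salesforce login events. The deleted map it appears to replace filtered on `event.dataset: salesforce.login`. As written, every `filebeat-*` document with a `source.geo.location` is plotted unless the embedding dashboard supplies a filter, which is not visible in this hunk. For a view used to judge where logins come from, that mixes in unrelated sources. Consider scoping the map itself, for example `"query": "event.action : \"login-attempt\""`, the same condition the login events search in this commit filters on.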
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/51d23250-5d8b-11ec-9523-d1b667ac64c0.json +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/2752cec0-f804-11ee-9088-0f36517484ce.json @@ -1,17 +1,12 @@ { "attributes": { "columns": [ - "salesforce.access_mode", - "salesforce.login.db_total_time", - "salesforce.login.evaluation_time", - "salesforce.login.login_type", - "salesforce.login.request_status", + "event.outcome", "salesforce.login.run_time", - "salesforce.login.session_level" + "salesforce.login.db_time.total" ], "description": "", - "grid": {}, - "hideChart": false, + "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -23,18 +18,35 @@ "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", + "key": "event.action", "negate": false, "params": { - "query": "salesforce.login" + "query": "login-attempt" }, "type": "phrase" }, "query": { "match_phrase": { - "event.dataset": "salesforce.login" + "event.action": "login-attempt" } } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.outcome" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.outcome", + "negate": false, + "type": "exists", + "value": "exists" + } } ], "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", @@ -50,10 +62,11 @@ "desc" ] ], - "title": "Login Log Table [Filebeat Salesforce]" + "title": "Login events table [Filebeat Salesforce]", + "version": 1 }, "coreMigrationVersion": "7.15.0", - "id": "51d23250-5d8b-11ec-9523-d1b667ac64c0", + "id": "2752cec0-f804-11ee-9088-0f36517484ce", "migrationVersion": { "search": "7.9.3" }, 
@@ -67,9 +80,14 @@ "id": "filebeat-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" } ], "type": "search", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDYzLDNd" + "updated_at": "2024-04-12T11:42:31.623Z", + "version": "WzExNTc0LDFd" } \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/3e7187a0-f894-11ee-9088-0f36517484ce.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/3e7187a0-f894-11ee-9088-0f36517484ce.json new file mode 100644 index 00000000000..3d952741e88 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/3e7187a0-f894-11ee-9088-0f36517484ce.json @@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "salesforce.setup_audit_trail.section", + "event.action", + "salesforce.setup_audit_trail.display" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "salesforce.setup_audit_trail.section : * or event.action : * or salesforce.setup_audit_trail.display : *" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Changes made in the setup [Filebeat Salesforce]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "3e7187a0-f894-11ee-9088-0f36517484ce", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2024-04-12T11:37:55.498Z", + "version": "WzExMjQ3LDFd" +} \ No newline at end of file 
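Review bot: In the new saved search `3e7187a0-f894-11ee-9088-0f36517484ce.json`, the KQL query ORs `event.action : *` with the two `salesforce.setup_audit_trail.*` clauses, so any `filebeat-*` document that has an `event.action` matches, whatever module produced it. The "Changes made in the setup" table is therefore not limited to setup audit trail records, and the `filter` array is empty. The deleted search with the same columns filtered on `event.dataset: salesforce.setupaudittrail`. Dropping the generic clause would keep the table to audit-trail events: `"query": "salesforce.setup_audit_trail.section : * or salesforce.setup_audit_trail.display : *"`.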
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/769ba1c0-4b84-11ec-9959-a3c0f68b1e4f.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/769ba1c0-4b84-11ec-9959-a3c0f68b1e4f.json deleted file mode 100644 index ff4ff6ab6be..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/769ba1c0-4b84-11ec-9959-a3c0f68b1e4f.json +++ /dev/null @@ -1,73 +0,0 @@ -{ - "attributes": { - "columns": [ - "salesforce.setup_audit_trail.section", - "event.action", - "salesforce.setup_audit_trail.display" - ], - "description": "", - "grid": {}, - "hideChart": false, - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.setupaudittrail" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.setupaudittrail" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SetupAuditTrail Log Stream [Filebeat Salesforce]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "769ba1c0-4b84-11ec-9959-a3c0f68b1e4f", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search", - "updated_at": "2022-05-06T11:14:57.093Z", - "version": "WzMzNDg4LDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/b3b98110-5d92-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/b3b98110-5d92-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 30f868a2096..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/b3b98110-5d92-11ec-9523-d1b667ac64c0.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "attributes": { - "columns": [ - "source.ip", - "source.geo.city_name", - "user.id" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.logout" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.logout" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logout Logs Table [Filebeat Salesforce]" - }, - "coreMigrationVersion": "7.15.0", - "id": "b3b98110-5d92-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search", - "updated_at": "2022-05-06T11:14:56.119Z", - "version": "WzMzNDgzLDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/ef8b6070-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/ef8b6070-5d6d-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index f7783723ced..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/search/ef8b6070-5d6d-11ec-9523-d1b667ac64c0.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Login] Search [Filebeat Salesforce]" - }, - "coreMigrationVersion": "7.15.0", - "id": "ef8b6070-5d6d-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDUzLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/tag/50e50c20-5749-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/tag/50e50c20-5749-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 0e217cab385..00000000000 
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/tag/50e50c20-5749-11ec-8f0b-05e8b06e1b10.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "attributes": { - "color": "#414273", - "description": "Salesforce", - "name": "beats" - }, - "coreMigrationVersion": "7.15.0", - "id": "50e50c20-5749-11ec-8f0b-05e8b06e1b10", - "references": [], - "type": "tag", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDY1LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/17f0a5d0-5750-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/17f0a5d0-5750-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 350c25445ff..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/17f0a5d0-5750-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Response by Media type [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "salesforce.apex.media_type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "distinctColors": false, - "isDonut": true, - "labels": { - "last_level": false, - "percentDecimals": 2, - "position": "default", - "show": true, - "truncate": 100, - "values": true, - "valuesFormat": "percent" - }, - "legendPosition": "right", - "maxLegendLines": 1, - "nestedLegend": false, - "palette": { - "name": "default", - "type": "palette" - }, - "truncateLegend": true, - "type": "pie" - }, - "title": "Response by Media type [Filebeat Salesforce]", - "type": "pie" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "17f0a5d0-5750-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDc1LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24c39ae0-574d-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24c39ae0-574d-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index ae6a0d64a22..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/24c39ae0-574d-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,166 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[ApexTrigger] Trigger-Entity categorisation [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Trigger Name", - "field": "salesforce.apex.trigger.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "salesforce.apex.entity_name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 200 - }, - "position": "left", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "normal", - "show": true, - "showCircles": true, - "type": 
"histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": true, - "rotate": 75, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "bottom", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[ApexTrigger] Trigger-Entity categorisation [Filebeat Salesforce]", - "type": "horizontal_bar" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "24c39ae0-574d-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDcxLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/27897120-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/27897120-5d6d-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index b83d71b986b..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/27897120-5d6d-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.logout" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.logout" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "event.dataset : \"salesforce.logout\" " - } - } - }, - "title": "[Logout] Top 10 IP addresses over time [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "IP Address", - "field": "source.ip", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 9 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 9, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": 
true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "area", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[Logout] Top 10 IP addresses over time [Filebeat Salesforce]", - "type": "area" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "27897120-5d6d-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:56.119Z", - "version": "WzMzNDgyLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2a11e7a0-cd35-11ec-83d5-7f8e1b7a2529.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2a11e7a0-cd35-11ec-83d5-7f8e1b7a2529.json deleted file mode 100644 index aaccb711255..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2a11e7a0-cd35-11ec-83d5-7f8e1b7a2529.json +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Logout] Logout Over Time [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "drop_last_bucket": 0, - "filter": { - "language": "kuery", - "query": "event.dataset : \"salesforce.logout\"" - }, - "id": "9b373d2d-abc7-4c3e-a45a-b3fed48fa34f", - "index_pattern_ref_name": "metrics_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "number", - "id": "0e7dc0ec-81a5-437b-a632-ff8b9a3f84d2", - "line_width": 1, - "metrics": [ - { - "id": "df05f5a6-0774-43b7-ae50-1f4ce8cdbbdd", - "type": "count" - } - ], - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "timeseries", - "use_kibana_indexes": true - }, - "title": "[Logout] Logout Over Time [Filebeat Salesforce]", - "type": "metrics" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "2a11e7a0-cd35-11ec-83d5-7f8e1b7a2529", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "metrics_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T12:07:56.442Z", - "version": "WzMzOTQxLDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2b7921e0-5d6d-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2b7921e0-5d6d-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 8a73e4910f5..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/2b7921e0-5d6d-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.logout" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.logout" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Distribution of Session Levels used while logging out [Filebeat Salesforce]", - "uiStateJSON": { - "vis": { - "legendOpen": false - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "salesforce.logout.session_level", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "distinctColors": false, - "isDonut": false, - "labels": { - "last_level": false, - "percentDecimals": 2, - "position": "default", - "show": true, - "truncate": 100, - "values": true, - "valuesFormat": "value" - }, - "legendPosition": "right", - "maxLegendLines": 1, - "nestedLegend": false, - "palette": { - "name": "default", - "type": "palette" - }, - "truncateLegend": true, - "type": "pie" - }, - "title": "Distribution of Session Levels used while logging out [Filebeat Salesforce]", - "type": "pie" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "2b7921e0-5d6d-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": 
"filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:56.119Z", - "version": "WzMzNDgxLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/31366a60-5751-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/31366a60-5751-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index b051d51c422..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/31366a60-5751-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,183 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "apex-execution" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.action": "apex-execution" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[ApexExecution] Apex Performance over time [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Average Execution Time (ms)", - "field": "event.duration" - }, - "schema": "metric", - "type": "avg" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "m", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-7d/d", - "to": "now" - }, - "useNormalizedEsInterval": true, - "used_interval": "1h" - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 9, - "seriesParams": [ - { - "circlesRadius": 3, - 
"data": { - "id": "1", - "label": "Average Execution Time (ms)" - }, - "drawLinesBetweenPoints": true, - "interpolate": "cardinal", - "lineWidth": 2, - "mode": "normal", - "show": true, - "showCircles": true, - "type": "area", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "line", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Average Execution Time (ms)" - }, - "type": "value" - } - ] - }, - "title": "[ApexExecution] Apex Performance over time [Filebeat Salesforce]", - "type": "line" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "31366a60-5751-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDc0LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/33be8340-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/33be8340-5d90-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 12181d534d8..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/33be8340-5d90-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Login] Success rate [Filebeat Salesforce]", - "uiStateJSON": { - "vis": { - "legendOpen": false - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "event.outcome", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "distinctColors": false, - "isDonut": true, - "labels": { - "last_level": false, - "percentDecimals": 2, - "position": "default", - "show": true, - "truncate": 100, - "values": true, - "valuesFormat": "percent" - }, - "legendPosition": "right", - "maxLegendLines": 1, - "nestedLegend": false, - "palette": { - "name": "default", - "type": "palette" - }, - "truncateLegend": true, - "type": "pie" - }, - "title": "[Login] Success rate [Filebeat Salesforce]", - "type": "pie" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "33be8340-5d90-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDU5LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/416da3a0-574f-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/416da3a0-574f-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index e2959b00121..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/416da3a0-574f-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Categorization by User type [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.roles", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "colorSchema": "Greens", - "colorsNumber": 4, - "colorsRange": [], - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": false - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] - }, - "title": "Categorization by User type [Filebeat Salesforce]", - "type": "heatmap" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "416da3a0-574f-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDcyLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/4f9923d0-574c-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/4f9923d0-574c-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 6a2eea5e32f..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/4f9923d0-574c-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.outcome", - "negate": false, - "params": { - "query": "success" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.outcome": "success" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Successful requests [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Successful requests [Filebeat Salesforce]", - "type": "metric" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "4f9923d0-574c-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDY4LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/5b503310-4b8c-11ec-9959-a3c0f68b1e4f.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/5b503310-4b8c-11ec-9959-a3c0f68b1e4f.json deleted file mode 100644 index 94055c4d2c4..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/5b503310-4b8c-11ec-9959-a3c0f68b1e4f.json +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.setupaudittrail" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.setupaudittrail" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[SetupAuditTrail] Number of Actions performed by Top 10 Delegated Users [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 7 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "event.url", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": { - "show": false - 
}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[SetupAuditTrail] Number of Actions performed by Top 10 Delegated Users [Filebeat Salesforce]", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "5b503310-4b8c-11ec-9959-a3c0f68b1e4f", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:57.093Z", - "version": "WzMzNDg3LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/61eec180-5750-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/61eec180-5750-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index b08a0cd800e..00000000000 
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/61eec180-5750-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,176 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Response categorization by user agent [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "salesforce.apex.user_agent", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "labels": { - "show": false - }, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - 
"type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "Response categorization by user agent [Filebeat Salesforce]", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "61eec180-5750-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDc2LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/6d86efd0-5751-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/6d86efd0-5751-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 13607f12d34..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/6d86efd0-5751-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,197 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[ApexExecution] Number of SOQL Queries per Entry Point [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "m", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-7d/d", - "to": "now" - }, - "useNormalizedEsInterval": true, - "used_interval": "1h" - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "salesforce.apex.entry_point", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": 
"ValueAxis-1" - }, - "labels": { - "show": false - }, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[ApexExecution] Number of SOQL Queries per Entry Point [Filebeat Salesforce]", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "6d86efd0-5751-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDc3LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/7a22ead0-5758-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/7a22ead0-5758-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 42ae14f972e..00000000000 
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/7a22ead0-5758-11ec-8f0b-05e8b06e1b10.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Dashboards [Filebeat salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "fontSize": 12, - "markdown": "[Apex Dashboard](#/dashboard/salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10) | [Login Dashboard](#/dashboard/salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10) | [Logout Dashboard](#/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10) | [SetupAuditTrail Dashboard](#/dashboard/salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10)", - "openLinksInNewTab": false - }, - "title": "Dashboards [Filebeat salesforce]", - "type": "markdown" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "7a22ead0-5758-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDUyLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/80c0b730-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/80c0b730-5d90-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index a9de8fa9881..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/80c0b730-5d90-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Login] Top IP addresses by request count [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "source.ip", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": { - "show": false - }, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": 
true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "" - }, - "type": "value" - } - ] - }, - "title": "[Login] Top IP addresses by request count [Filebeat Salesforce]", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "80c0b730-5d90-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDYwLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/86081670-5d95-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/86081670-5d95-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 054be350385..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/86081670-5d95-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,212 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Apex] DB_TOTAL_TIME-CPU_TIME comparision [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-7d/d", - "to": "now" - }, - "useNormalizedEsInterval": true, - "used_interval": "3h" - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "salesforce.apex.cpu_time", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "field": "salesforce.apex.db_total_time", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": 
"CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 9, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "area", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "area", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "" - }, - "type": "value" - } - ] - }, - "title": "[Apex] DB_TOTAL_TIME-CPU_TIME comparision [Filebeat Salesforce]", - "type": "area" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "86081670-5d95-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDcwLDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/8cec4c30-574c-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/8cec4c30-574c-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index c0e143f7a98..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/8cec4c30-574c-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.outcome", - "negate": false, - "params": { - "query": "failure" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.outcome": "failure" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Failed requests [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Failed requests [Filebeat Salesforce]", - "type": "metric" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "8cec4c30-574c-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDY5LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/93c37330-5751-11ec-8f0b-05e8b06e1b10.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/93c37330-5751-11ec-8f0b-05e8b06e1b10.json deleted file mode 100644 index 6a868544083..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/93c37330-5751-11ec-8f0b-05e8b06e1b10.json +++ /dev/null 
@@ -1,179 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.apex" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.apex" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[ApexExecution] Top Entrypoints by Request Count [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Entrypoint", - "field": "salesforce.apex.entry_point", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": { - "show": false - }, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": 
"linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[ApexExecution] Top Entrypoints by Request Count [Filebeat Salesforce]", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "93c37330-5751-11ec-8f0b-05e8b06e1b10", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:55.111Z", - "version": "WzMzNDczLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/ab958760-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/ab958760-5d90-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 04012fe908c..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/ab958760-5d90-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,176 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Login] Login type [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "salesforce.login.login_type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 200 - }, - "position": "left", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "normal", - "show": true, - "showCircles": 
true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": true, - "rotate": 75, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "bottom", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "" - }, - "type": "value" - } - ] - }, - "title": "[Login] Login type [Filebeat Salesforce]", - "type": "horizontal_bar" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "ab958760-5d90-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDYxLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/baeaca80-cd2b-11ec-83d5-7f8e1b7a2529.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/baeaca80-cd2b-11ec-83d5-7f8e1b7a2529.json deleted file mode 100644 index 57d93e6947f..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/baeaca80-cd2b-11ec-83d5-7f8e1b7a2529.json +++ /dev/null 
@@ -1,177 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Login] Application type [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Application Type", - "field": "salesforce.login.application", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 200 - }, - "position": "left", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": 
"normal", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": true, - "rotate": 75, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "bottom", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "" - }, - "type": "value" - } - ] - }, - "title": "[Login] Application type [Filebeat Salesforce]", - "type": "horizontal_bar" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "baeaca80-cd2b-11ec-83d5-7f8e1b7a2529", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDY0LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/c69e97e0-5d72-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/c69e97e0-5d72-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 79323ba97fc..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/c69e97e0-5d72-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.outcome", - "negate": false, - "params": { - "query": "success" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.outcome": "success" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "Successful login [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Successful login [Filebeat Salesforce]", - "type": "metric" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "c69e97e0-5d72-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "ef8b6070-5d6d-11ec-9523-d1b667ac64c0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDU0LDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f.json
deleted file mode 100644
index f7ce080fb57..00000000000
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f.json
+++ /dev/null
@@ -1,178 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.setupaudittrail" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.setupaudittrail" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[SetupAuditTrail] Top 10 Section Over Time [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Salesforce Section", - "field": "salesforce.setup_audit_trail.section", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 9 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 9, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - 
"drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "area", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[SetupAuditTrail] Top 10 Section Over Time [Filebeat Salesforce]", - "type": "area" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "cf5f92c0-4b8a-11ec-9959-a3c0f68b1e4f", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:57.093Z", - "version": "WzMzNDg2LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e6da1080-5d8f-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e6da1080-5d8f-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index df92bb1248c..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e6da1080-5d8f-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Login] User Names [Filebeat Salesforce]", - "uiStateJSON": { - "vis": { - "legendOpen": false - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "distinctColors": false, - "isDonut": true, - "labels": { - "last_level": false, - "percentDecimals": 2, - "position": "default", - "show": true, - "truncate": 100, - "values": true, - "valuesFormat": "percent" - }, - "legendPosition": "right", - "maxLegendLines": 1, - "nestedLegend": false, - "palette": { - "name": "default", - "type": "palette" - }, - "truncateLegend": true, - "type": "pie" - }, - "title": "[Login] User Names [Filebeat Salesforce]", - "type": "pie" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "e6da1080-5d8f-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDU4LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e8175600-5d90-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e8175600-5d90-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 4b770227c35..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/e8175600-5d90-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[Login] Activity segmentation by browser/client [Filebeat Salesforce]", - "uiStateJSON": { - "vis": { - "legendOpen": false - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "User Agent", - "field": "user_agent.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "distinctColors": false, - "isDonut": true, - "labels": { - "last_level": false, - "percentDecimals": 2, - "position": "default", - "show": true, - "truncate": 100, - "values": true, - "valuesFormat": "percent" - }, - "legendPosition": "right", - "maxLegendLines": 1, - "nestedLegend": false, - "palette": { - "name": "default", - "type": "palette" - }, - "truncateLegend": true, - "type": "pie" - }, - "title": "[Login] Activity segmentation by browser/client [Filebeat Salesforce]", - "type": "pie" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "e8175600-5d90-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": 
"filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDYyLDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f4e05440-5d72-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f4e05440-5d72-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index efa79f91094..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f4e05440-5d72-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.outcome", - "negate": false, - "params": { - "query": "failure" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.outcome": "failure" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "[Login] Failed login attempts [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "[Login] Failed login attempts [Filebeat Salesforce]", - "type": "metric" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "f4e05440-5d72-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "ef8b6070-5d6d-11ec-9523-d1b667ac64c0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:54.091Z", - "version": "WzMzNDU1LDNd" -} \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f5942600-5d95-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f5942600-5d95-11ec-9523-d1b667ac64c0.json
deleted file mode 100644
index f3866d2ed33..00000000000
--- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/f5942600-5d95-11ec-9523-d1b667ac64c0.json
+++ /dev/null
@@ -1,179 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.setupaudittrail" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.setupaudittrail" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "[SetupAuditTrail] Top 10 Actions Performed [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Action Performed", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 9 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": true, - "valueAxis": "ValueAxis-1" - }, - "labels": { - "show": false - }, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "default", - "type": "palette" - }, - "radiusRatio": 0, - "seriesParams": [ - { - "circlesRadius": 3, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": 
"linear", - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "[SetupAuditTrail] Top 10 Actions Performed [Filebeat Salesforce]", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "f5942600-5d95-11ec-9523-d1b667ac64c0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:14:57.093Z", - "version": "WzMzNDg5LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/fbb560f0-5d8e-11ec-9523-d1b667ac64c0.json b/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/fbb560f0-5d8e-11ec-9523-d1b667ac64c0.json deleted file mode 100644 index 6e4e809261e..00000000000 --- a/x-pack/filebeat/module/salesforce/_meta/kibana/7/visualization/fbb560f0-5d8e-11ec-9523-d1b667ac64c0.json +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "salesforce.login" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "salesforce.login" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Login over time [Filebeat Salesforce]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "drop_last_bucket": 0, - "filter": { - "language": "kuery", - "query": "event.dataset : \"salesforce.login\" " - }, - "id": "ad12785a-5d43-469d-9114-6a83add168c3", - "index_pattern_ref_name": "metrics_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "max_bars": 50, - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "24098913-4cc2-4304-ab59-1003aa7a9655", - "line_width": 1, - "metrics": [ - { - "id": "434e8b7d-76b7-4947-95d1-aabedd41f524", - "type": "count" - } - ], - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "timeseries", - "use_kibana_indexes": true - }, - "title": "Login over time [Filebeat Salesforce]", - "type": "metrics" - } - }, - "coreMigrationVersion": "7.15.0", - "id": "fbb560f0-5d8e-11ec-9523-d1b667ac64c0", - "migrationVersion": { - 
"visualization": "7.14.0" - }, - "references": [ - { - "id": "filebeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "filebeat-*", - "name": "metrics_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2022-05-06T11:57:27.761Z", - "version": "WzMzODI0LDNd" -} \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/apex-rest/_meta/fields.yml deleted file mode 100644 index ed400781b6b..00000000000 --- a/x-pack/filebeat/module/salesforce/apex-rest/_meta/fields.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- name: salesforce - type: group - release: beta - description: > - Fileset for ingesting Salesforce Apex logs. - fields: - - name: access_mode - type: keyword - description: > - The mode of collecting logs from Salesforce - "rest" or "stream". - - name: apex - type: group - release: beta - description: > - Fileset for ingesting Salesforce Apex logs. - fields: - - name: action - type: keyword - description: > - Action performed by the callout. - - name: callout_time - type: keyword - description: > - Time spent waiting on webservice callouts, in milliseconds. - - name: class_name - type: keyword - description: > - The Apex class name. If the class is part of a managed package, this string includes the package namespace. - - name: client_name - type: keyword - description: > - The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didnt specify a client in the CallOptions header. - - name: cpu_time - type: keyword - description: > - The CPU time in milliseconds used to complete the request. - - name: db_blocks - type: keyword - description: > - Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance. - - name: db_cpu_time - type: keyword - description: > - The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request. - - name: db_total_time - type: keyword - description: > - Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. - - name: entity - type: keyword - description: > - Name of the external object being accessed. 
- - name: entity_name - type: keyword - description: > - The name of the object affected by the trigger. - - name: entry_point - type: keyword - description: > - The entry point for this Apex execution. - - name: event_type - type: keyword - description: > - The type of event. The value is always ApexCallout. - - name: execute_ms - type: keyword - description: > - How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later. - - name: fetch_ms - type: keyword - description: > - How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later. - - name: filter - type: keyword - description: > - Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries. - - name: is_long_running_request - type: keyword - description: > - Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false). - - name: limit - type: keyword - description: > - Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries. - - name: limit_usage_percent - type: keyword - description: > - The percentage of Apex SOAP calls that were made against the organization's limit. - - name: login_key - type: keyword - description: > - The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. - - name: media_type - type: keyword - description: > - The media type of the response. - - name: message - type: keyword - description: > - Error or warning message associated with the failed call. - - name: method_name - type: keyword - description: > - The name of the calling Apex method. - - name: number_fields - type: keyword - description: > - The number of fields or columns, where applicable. 
- - name: number_soql_queries - type: keyword - description: > - The number of SOQL queries that were executed during the event. - - name: offset - type: keyword - description: > - Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries. - - name: orderby - type: keyword - description: > - Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries. - - name: organization_id - type: keyword - description: > - The 15-character ID of the organization. - - name: query - type: keyword - description: > - The SOQL query, if one was performed. - - name: quiddity - type: keyword - description: > - The type of outer execution associated with this event. - - name: request.id - type: keyword - description: > - The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. - - name: request.status - type: keyword - description: > - The status of the request for a page view or user interface action. - - name: rows.total - type: keyword - description: > - Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability. - - name: rows.fetched - type: keyword - description: > - Number of rows fetched by the callout. Available in API version 42.0 and later. - - name: rows.processed - type: keyword - description: > - The number of rows that were processed in the request. - - name: run_time - type: keyword - description: > - Not used for this event type. Use the TIME field instead. - - name: select - type: keyword - description: > - Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries. - - name: subqueries - type: keyword - description: > - Reserved for future use. 
- - name: throughput - type: keyword - description: > - Number of records retrieved in one second. - - name: trigger - type: group - fields: - - name: id - type: keyword - description: > - The 15-character ID of the trigger that was fired. - - name: name - type: keyword - description: > - For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger. - - name: type - type: keyword - description: > - The type of this trigger. - - name: type - type: keyword - description: > - The type of Apex callout. - - name: uri - type: keyword - description: > - The URI of the page that's receiving the request. - - name: uri_id_derived - type: keyword - description: > - The 18-character case-safe ID of the URI of the page that's receiving the request. - - name: user_agent - type: keyword - description: > - The numeric code for the type of client used to make the request (for example, the browser, application, or API). - - name: user_id_derived - type: keyword - description: > - The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API. diff --git a/x-pack/filebeat/module/salesforce/apex-rest/config/apex-rest.yml b/x-pack/filebeat/module/salesforce/apex-rest/config/apex-rest.yml deleted file mode 100644 index 5a5af4ab5d3..00000000000 --- a/x-pack/filebeat/module/salesforce/apex-rest/config/apex-rest.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -{{ if eq .input "httpjson" }} - -type: httpjson -interval: {{ .interval }} -request.method: GET -auth.oauth2: - enabled: true - {{ if .client_id }} - client.id: {{ .client_id }} - {{ end }} - {{ if .client_secret }} - client.secret: {{ .client_secret }} - {{ end }} - {{ if .token_url }} - token_url: {{ .token_url }} - {{ end }} - {{ if .user }} - user: {{ .user }} - {{ end }} - {{ if .password }} - password: {{ .password }} - {{ end }} -# Query params will be overwritten by request.transforms from start of the input and -# it is to indicate that this url is for Apex type of events as cursor stores the url as source. -# Each filebeat input cursor source needs to be uniquely identified with a name. -request.url: {{ .url }}/services/data/v52.0/query?q=apex+rest -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} -request.transforms: - - set: - target: url.params.q - value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND LogDate > [[.cursor.last_published_apex]] AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY LogDate ASC NULLS FIRST" - default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY LogDate ASC NULLS FIRST" -response.pagination: - - set: - target: url.value - value: '[[if (ne .last_response.body.done true)]]{{ .url }}[[.last_response.body.nextRecordsUrl]][[end]]' - fail_on_template_error: true -chain: - - step: - request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/$.records[:].Id/LogFile - request.method: GET - replace: $.records[:].Id -cursor: - last_published_apex: - value: '[[(formatDate 
((parseDate .last_event.TIMESTAMP_DERIVED "RFC3339").Add (parseDuration "-1h")))]]' - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - decode_json_fields: - fields: [message] - target: "json" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/apex-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/apex-rest/ingest/pipeline.yml deleted file mode 100644 index 9af3151aba2..00000000000 --- a/x-pack/filebeat/module/salesforce/apex-rest/ingest/pipeline.yml +++ /dev/null 
@@ -1,353 +0,0 @@ ---- -description: Pipeline for parsing Salesforce apex logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- remove: - field: - - message - ignore_missing: true - -- set: - field: salesforce.access_mode - value: rest - ignore_failure: true - -- date: - field: json.TIMESTAMP_DERIVED - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true - -- rename: - field: json.CALLOUT_TIME - target_field: salesforce.apex.callout_time - ignore_missing: true -- rename: - field: json.CPU_TIME - target_field: salesforce.apex.cpu_time - ignore_missing: true -- rename: - field: json.DB_BLOCKS - target_field: salesforce.apex.db_blocks - ignore_missing: true -- rename: - field: json.DB_CPU_TIME - target_field: salesforce.apex.db_cpu_time - ignore_missing: true -- rename: - field: json.DB_TOTAL_TIME - target_field: salesforce.apex.db_total_time - ignore_missing: true -- rename: - field: json.ENTITY_NAME - target_field: salesforce.apex.entity_name - ignore_missing: true -- rename: - field: json.ENTRY_POINT - target_field: salesforce.apex.entry_point - ignore_missing: true -- rename: - field: json.EVENT_TYPE - target_field: salesforce.apex.event_type - ignore_missing: true -- rename: - field: json.IS_LONG_RUNNING_REQUEST - target_field: salesforce.apex.is_long_running_request - ignore_missing: true -- rename: - field: json.LOGIN_KEY - target_field: salesforce.apex.login_key - ignore_missing: true -- rename: - field: json.MEDIA_TYPE - target_field: salesforce.apex.media_type - ignore_missing: true -- rename: - field: json.METHOD_NAME - target_field: salesforce.apex.method_name - ignore_missing: true -- rename: - field: json.NUMBER_FIELDS - target_field: salesforce.apex.number_fields - ignore_missing: true -- rename: - field: json.NUMBER_SOQL_QUERIES - target_field: salesforce.apex.number_soql_queries - ignore_missing: true -- rename: - field: json.OFFSET - target_field: salesforce.apex.offset - ignore_missing: true -- 
rename: - field: json.ORDERBY - target_field: salesforce.apex.orderby - ignore_missing: true -- rename: - field: json.ORGANIZATION_ID - target_field: salesforce.apex.organization_id - ignore_missing: true -- rename: - field: json.QUERY - target_field: salesforce.apex.query - ignore_missing: true -- rename: - field: json.QUIDDITY - target_field: salesforce.apex.quiddity - ignore_missing: true -- rename: - field: json.REQUEST_ID - target_field: salesforce.apex.request.id - ignore_missing: true -- rename: - field: json.REQUEST_STATUS - target_field: salesforce.apex.request.status - ignore_missing: true -- rename: - field: json.ROWS - target_field: salesforce.apex.rows.total - ignore_missing: true -- rename: - field: json.ROWS_FETCHED - target_field: salesforce.apex.rows.fetched - ignore_missing: true -- rename: - field: json.ROWS_PROCESSED - target_field: salesforce.apex.rows.processed - ignore_missing: true -- rename: - field: json.RUN_TIME - target_field: salesforce.apex.run_time - ignore_missing: true -- rename: - field: json.SELECT - target_field: salesforce.apex.select - ignore_missing: true -- rename: - field: json.SUBQUERIES - target_field: salesforce.apex.subqueries - ignore_missing: true -- rename: - field: json.THROUGHPUT - target_field: salesforce.apex.throughput - ignore_missing: true -- rename: - field: json.TRIGGER_ID - target_field: salesforce.apex.trigger.id - ignore_missing: true -- rename: - field: json.TRIGGER_NAME - target_field: salesforce.apex.trigger.name - ignore_missing: true -- rename: - field: json.TRIGGER_TYPE - target_field: salesforce.apex.trigger.type - ignore_missing: true -- rename: - field: json.TYPE - target_field: salesforce.apex.type - ignore_missing: true -- rename: - field: json.URI - target_field: salesforce.apex.uri - ignore_missing: true -- rename: - field: json.URI_ID_DERIVED - target_field: salesforce.apex.uri_id_derived - ignore_missing: true -- rename: - field: json.USER_AGENT - target_field: salesforce.apex.user_agent - 
ignore_missing: true -- rename: - field: json.USER_ID_DERIVED - target_field: salesforce.apex.user_id_derived - ignore_missing: true - -####################### -## ECS Event Mapping ## -####################### - -- set: - field: event.dataset - value: "salesforce.apex" -- set: - field: event.kind - value: "event" -- set: - field: event.module - value: "salesforce" - -- set: - field: event.type - value: "connection" - if: 'ctx?.salesforce?.apex?.event_type != "ApexExecution"' - -- set: - field: event.category - value: "network" - if: 'ctx?.salesforce?.apex?.event_type != "ApexTrigger" && ctx?.salesforce?.apex?.event_type != "ApexExecution"' - -- script: - if: ctx?.salesforce?.apex?.event_type != null && ctx?.salesforce?.apex?.event_type != "" - lang: painless - source: | - def eventType = ctx?.salesforce?.apex?.event_type?.toLowerCase(); - Map referenceTable = [ - "apexcallout": "apex-callout", - "apextrigger": "apex-trigger", - "apexexecution": "apex-execution", - "apexrestApi": "apex-rest", - "apexsoap": "apex-soap", - "externalcustomapexcallout": ["apex-external-custom-callout"] - ]; - - ctx.event.action = referenceTable[eventType]; - -- rename: - field: json.TIME - target_field: event.duration - if: 'ctx?.salesforce?.apex?.event_type == "ApexCallout" && ctx?.json?.TIME != ""' -- rename: - field: json.EXEC_TIME - target_field: event.duration - if: '(ctx?.salesforce?.apex?.event_type == "ApexTrigger" || ctx?.salesforce?.apex?.event_type == "ApexExecution") && ctx?.json?.EXEC_TIME != ""' -- rename: - field: salesforce.apex.run_time - target_field: event.duration - if: '(ctx?.salesforce?.apex?.event_type == "ApexRestApi" || ctx?.salesforce?.apex?.event_type == "ApexSoap") && ctx?.salesforce?.apex?.run_time != ""' -- rename: - field: json.TOTAL_MS - target_field: event.duration - if: 'ctx?.salesforce?.apex?.event_type == "ExternalCustomApexCallout" && ctx?.json?.TOTAL_MS != ""' - -- set: - field: event.outcome - value: success - if: 'ctx?.json?.SUCCESS == "1" && 
ctx?.json?.SUCCESS != null' - ignore_failure: true -- set: - field: event.outcome - value: failure - if: 'ctx?.json?.SUCCESS != "1" && ctx?.json?.SUCCESS != null' - ignore_failure: true -- set: - field: event.outcome - value: success - if: 'ctx?.json?.STATUS == "1" && ctx?.json?.STATUS != null' - ignore_failure: true -- set: - field: event.outcome - value: failure - if: 'ctx?.json?.STATUS != "1" && ctx?.json?.STATUS != null' - ignore_failure: true - -- rename: - field: json.URL - target_field: event.url - ignore_missing: true - if: 'ctx?.salesforce?.apex?.event_type == "ApexCallout"' -- rename: - field: salesforce.apex.uri - target_field: event.url - ignore_missing: true - if: 'ctx?.salesforce?.apex?.event_type != "ApexCallout" && ctx?.salesforce?.apex?.event_type != "ExternalCustomApexCallout"' - -###################### -## ECS User Mapping ## -###################### - -- rename: - field: json.USER_ID - target_field: user.id - ignore_missing: true -- rename: - field: json.USER_TYPE - target_field: user.roles - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## - -# A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP” -- rename: - field: json.CLIENT_IP - target_field: source.ip - ignore_missing: true - if: 'ctx?.json?.CLIENT_IP != "Salesforce.com IP" && ctx?.json?.CLIENT_IP != "" && ctx?.json?.CLIENT_IP != null' - -############################ -## ECS Source.Geo Mapping ## -############################ - -# A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP” -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: 'ctx?.source?.ip != "Salesforce.com IP" && ctx?.source?.ip != "" && ctx?.source?.ip != null' - -############################ -## ECS Related.ip Mapping ## -############################ - -- append: - field: related.ip - value: "{{{source.ip}}}" - if: 
ctx?.source?.ip != null - allow_duplicates: false - ignore_failure: true - -###################### -## ECS HTTP Mapping ## -###################### - -- rename: - field: json.METHOD - target_field: http.request.method - ignore_missing: true -- rename: - field: json.REQUEST_SIZE - target_field: http.request.bytes - ignore_missing: true -- rename: - field: json.RESPONSE_SIZE - target_field: http.response.bytes - ignore_missing: true -- rename: - field: json.STATUS_CODE - target_field: http.response.status_code - ignore_missing: true - -############# -## Cleanup ## -############# - -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/apex-rest/manifest.yml b/x-pack/filebeat/module/salesforce/apex-rest/manifest.yml deleted file mode 100644 index 54b0495bb70..00000000000 --- a/x-pack/filebeat/module/salesforce/apex-rest/manifest.yml +++ /dev/null @@ -1,20 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: interval - default: 1h - - name: tags - default: [salesforce-apex-rest,forwarded] - - name: proxy_url - - name: client_id - - name: client_secret - - name: token_url - - name: user - - name: password - - name: url - -ingest_pipeline: - - ingest/pipeline.yml -input: config/apex-rest.yml 
diff --git a/x-pack/filebeat/module/salesforce/apex/_meta/fields.yml b/x-pack/filebeat/module/salesforce/apex/_meta/fields.yml
new file mode 100644
index 00000000000..e61297a739a
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/apex/_meta/fields.yml
@@ -0,0 +1,174 @@
+- name: salesforce
+ type: group
+ release: beta
+ description: >
+ Fileset for ingesting Salesforce Apex logs.
+ fields:
+ - name: instance_url
+ type: keyword
+ description: The Instance URL of the Salesforce instance.
+ - name: apex
+ type: group
+ release: beta
+ description: >
+ Fileset for ingesting Salesforce Apex logs.
+ fields:
+ - name: document_id
+ type: keyword
+ description: Unique ID of the Apex document.
+ - name: action
+ type: keyword
+ description: Action performed by the callout.
+ - name: callout_time
+ type: float
+ description: Time spent waiting on web service callouts, in milliseconds.
+ unit: ms
+ metric_type: gauge
+ - name: class_name
+ type: keyword
+ description: The Apex class name. If the class is part of a managed package, this string includes the package namespace.
+ - name: client_name
+ type: keyword
+ description: The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn't specify a client in the CallOptions header.
+ - name: cpu_time
+ type: float
+ description: The CPU time in milliseconds used to complete the request.
+ unit: ms
+ metric_type: gauge
+ - name: db_blocks
+ type: long
+ description: Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance.
+ metric_type: gauge
+ - name: db_cpu_time
+ type: float
+ description: The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request.
+ unit: ms
+ metric_type: gauge
+ - name: db_total_time
+ type: float
+ description: Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code.
+ unit: ms
+ metric_type: gauge
+ - name: entity
+ type: keyword
+ description: Name of the external object being accessed.
+ - name: entity_name
+ type: keyword
+ description: The name of the object affected by the trigger.
+ - name: entry_point
+ type: keyword
+ description: The entry point for this Apex execution.
+ - name: event_type
+ type: keyword
+ description: The type of event.
+ - name: execute_ms
+ type: float
+ description: How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later.
+ unit: ms
+ metric_type: gauge
+ - name: fetch_ms
+ type: float
+ description: How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later.
+ unit: ms
+ metric_type: gauge
+ - name: filter
+ type: keyword
+ description: Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries.
+ - name: is_long_running_request
+ type: keyword
+ description: Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false).
+ - name: limit
+ type: long
+ description: Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries.
+ - name: limit_usage_pct
+ type: float
+ description: The percentage of Apex SOAP calls that were made against the organization's limit.
+ unit: percent
+ metric_type: gauge
+ - name: login_key
+ type: keyword
+ description: The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring.
+ - name: media_type
+ type: keyword
+ description: The media type of the response.
+ - name: message
+ type: text
+ description: Error or warning message associated with the failed call.
+ - name: method_name
+ type: keyword
+ description: The name of the calling Apex method.
+ - name: fields_count
+ type: long
+ description: The number of fields or columns, where applicable.
+ - name: soql_queries_count
+ type: long
+ description: The number of SOQL queries that were executed during the event.
+ - name: offset
+ type: long
+ description: Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries.
+ - name: orderby
+ type: keyword
+ description: Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries.
+ - name: organization_id
+ type: keyword
+ description: The 15-character ID of the organization.
+ - name: query
+ type: keyword
+ description: The SOQL query, if one was performed.
+ - name: quiddity
+ type: keyword
+ description: The type of outer execution associated with this event.
+ - name: request_id
+ type: keyword
+ description: The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same request_id.
+ - name: request_status
+ type: keyword
+ description: The status of the request for a page view or user interface action.
+ - name: rows_total
+ type: long
+ description: Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability.
+ - name: rows_fetched
+ type: long
+ description: Number of rows fetched by the callout. Available in API version 42.0 and later.
+ - name: rows_processed
+ type: long
+ description: The number of rows that were processed in the request.
+ - name: run_time
+ type: float
+ description: The amount of time that the request took in milliseconds.
+ unit: ms
+ metric_type: gauge
+ - name: select
+ type: keyword
+ description: Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries.
+ - name: subqueries
+ type: keyword
+ description: Reserved for future use.
+ - name: throughput
+ type: float
+ description: Number of records retrieved in one second.
+ metric_type: gauge
+ - name: trigger_id
+ type: keyword
+ description: The 15-character ID of the trigger that was fired.
+ - name: trigger_name
+ type: keyword
+ description: For triggers coming from managed packages, trigger_name includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger.
+ - name: trigger_type
+ type: keyword
+ description: The type of this trigger.
+ - name: type
+ type: keyword
+ description: The type of Apex callout.
+ - name: uri
+ type: keyword
+ description: The URI of the page that's receiving the request.
+ - name: uri_derived_id
+ type: keyword
+ description: The 18-character case-safe ID of the URI of the page that's receiving the request.
+ - name: user_agent
+ type: keyword
+ description: The numeric code for the type of client used to make the request (for example, the browser, application, or API).
+ - name: user_id_derived
+ type: keyword
+ description: The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API.
\ No newline at end of file
diff --git a/x-pack/filebeat/module/salesforce/apex/config/apex.yml b/x-pack/filebeat/module/salesforce/apex/config/apex.yml
new file mode 100644
index 00000000000..ace9bcb93fd
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/apex/config/apex.yml
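Review bot: In the new `apex/_meta/fields.yml`, `salesforce.apex.query`, `filter`, `select` and `uri` are typed `keyword` although they hold free-form SOQL text and request URIs of arbitrary length. If the generated index template caps keyword length (the cap is not visible in this hunk), an over-long value stays in the stored document but is left out of the index, so a search or detection rule on the query text misses that event without any error. State the limit on these fields explicitly, e.g. `ignore_above: <limit chosen for SOQL text>`, or give `query` a text sub-field. Separately, `is_long_running_request` is described as true/false but typed `keyword`; `type: boolean` would match the description, provided the ingest pipeline converts the value rather than only renaming it.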
@@ -0,0 +1,40 @@
+{{ if eq .input "salesforce" }}
+
+id: apex
+type: salesforce
+enabled: true
+{{ if .api_version }}
+version: {{ .api_version }}
+{{ end }}
+auth.oauth2: {{ .authentication | tojson }}
+url: {{ .url }}
+event_monitoring_method:
+ event_log_file:
+ enabled: true
+ interval: {{ .elf_interval }}
+ query:
+ default: SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{ if .initial_interval }}LogDate > [[ (formatTime (now.Add (parseDuration "-{{ .initial_interval }}")) "2006-01-02T15:04:05.000Z0700") ]] AND{{ end }} Interval = '{{ .log_file_interval }}' AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY LogDate ASC NULLS FIRST
+ value: SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = '{{ .log_file_interval }}' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] AND (EventType = 'ApexCallout' OR EventType = 'ApexExecution' OR EventType = 'ApexRestApi' OR EventType = 'ApexSoap' OR EventType = 'ApexTrigger' OR EventType = 'ExternalCustomApexCallout') ORDER BY LogDate ASC NULLS FIRST
+ cursor:
+ field: "CreatedDate"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: salesforce
+ fields:
+ instance_url: {{ .url }}
+ - add_locale: ~
diff --git a/x-pack/filebeat/module/salesforce/apex/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/apex/ingest/pipeline.yml
new file mode 100644
index 00000000000..92ca1feabd8
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/apex/ingest/pipeline.yml
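Review bot: In the new `apex/config/apex.yml`, `url: {{ .url }}`, `instance_url: {{ .url }}` and `interval: {{ .elf_interval }}` render operator-supplied values as bare YAML scalars, while `tags` and `auth.oauth2` in the same file already go through `tojson`. An empty value renders as null, and a value containing ` #`, `: ` or a line break changes how the rendered config parses; use `url: {{ .url | tojson }}` and `instance_url: {{ .url | tojson }}`. `'{{ .log_file_interval }}'` is likewise spliced into both SOQL strings without validation, so restricting it to the interval names the API accepts before rendering would be safer (where that check belongs is outside this hunk). Also, the `value` query advances on `CreatedDate` (`cursor.field: "CreatedDate"`) but sorts with `ORDER BY LogDate`; if the input records the cursor from the last row returned, which this hunk does not show, log files can be re-read or skipped, and `ORDER BY CreatedDate ASC NULLS FIRST` in that query would keep filter and order on the same field.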
@@ -0,0 +1,531 @@ +--- +description: Pipeline for parsing Salesforce Apex logs +processors: + - json: + field: message + target_field: json + on_failure: + - append: + field: error.message + value: "Failed to parse JSON: {{{_ingest.on_failure_message}}}" + - set: + field: event.original + copy_from: message + ignore_empty_value: true + ignore_failure: true + if: "ctx.event?.original == null" + - set: + field: ecs.version + value: "8.11.0" + ignore_failure: true + ignore_empty_value: true + - set: + field: event.ingested + copy_from: _ingest.timestamp + - set: + field: salesforce.apex.document_id + copy_from: _id + ignore_empty_value: true + - date: + field: json.TIMESTAMP_DERIVED + target_field: "@timestamp" + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: "Failed to parse TIMESTAMP_DERIVED field: {{{_ingest.on_failure_message}}}" + - rename: + field: json.ACTION + target_field: salesforce.apex.action + ignore_missing: true + ignore_failure: true + - convert: + field: json.CALLOUT_TIME + target_field: salesforce.apex.callout_time + type: float + ignore_missing: true + ignore_failure: true + - rename: + field: json.CLASS_NAME + target_field: salesforce.apex.class_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.CLIENT_NAME + target_field: salesforce.apex.client_name + ignore_missing: true + ignore_failure: true + - convert: + field: json.CPU_TIME + target_field: salesforce.apex.cpu_time + type: float + ignore_missing: true + ignore_failure: true + - convert: + field: json.DB_BLOCKS + target_field: salesforce.apex.db_blocks + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.DB_CPU_TIME + target_field: salesforce.apex.db_cpu_time + type: float + ignore_missing: true + ignore_failure: true + - convert: + field: json.DB_TOTAL_TIME + target_field: salesforce.apex.db_total_time + type: float + ignore_missing: true + ignore_failure: true + - rename: + field: json.ENTITY + 
target_field: salesforce.apex.entity + ignore_missing: true + ignore_failure: true + - rename: + field: json.ENTITY_NAME + target_field: salesforce.apex.entity_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.ENTRY_POINT + target_field: salesforce.apex.entry_point + ignore_missing: true + ignore_failure: true + - rename: + field: json.EVENT_TYPE + target_field: salesforce.apex.event_type + ignore_missing: true + ignore_failure: true + - convert: + field: json.EXECUTE_MS + target_field: salesforce.apex.execute_ms + type: float + ignore_missing: true + ignore_failure: true + - convert: + field: json.FETCH_MS + target_field: salesforce.apex.fetch_ms + type: float + ignore_missing: true + ignore_failure: true + - rename: + field: json.FILTER + target_field: salesforce.apex.filter + ignore_missing: true + ignore_failure: true + - rename: + field: json.IS_LONG_RUNNING_REQUEST + target_field: salesforce.apex.is_long_running_request + ignore_missing: true + ignore_failure: true + - rename: + field: json.LOGIN_KEY + target_field: salesforce.apex.login_key + ignore_missing: true + ignore_failure: true + - convert: + field: json.LIMIT + target_field: salesforce.apex.limit + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.LIMIT_USAGE_PERCENT + target_field: salesforce.apex.limit_usage_pct + type: float + ignore_missing: true + ignore_failure: true + - rename: + field: json.MEDIA_TYPE + target_field: salesforce.apex.media_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.MESSAGE + target_field: salesforce.apex.message + ignore_missing: true + ignore_failure: true + - rename: + field: json.METHOD_NAME + target_field: salesforce.apex.method_name + ignore_missing: true + ignore_failure: true + - convert: + field: json.NUMBER_FIELDS + target_field: salesforce.apex.fields_count + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.NUMBER_SOQL_QUERIES + 
target_field: salesforce.apex.soql_queries_count + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.OFFSET + target_field: salesforce.apex.offset + type: long + ignore_missing: true + ignore_failure: true + - rename: + field: json.ORDERBY + target_field: salesforce.apex.orderby + ignore_missing: true + ignore_failure: true + - rename: + field: json.ORGANIZATION_ID + target_field: salesforce.apex.organization_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.QUERY + target_field: salesforce.apex.query + ignore_missing: true + ignore_failure: true + - rename: + field: json.QUIDDITY + target_field: salesforce.apex.quiddity + ignore_missing: true + ignore_failure: true + - rename: + field: json.REQUEST_ID + target_field: salesforce.apex.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.REQUEST_STATUS + target_field: salesforce.apex.request_status + ignore_missing: true + ignore_failure: true + - convert: + field: json.ROWS + target_field: salesforce.apex.rows_total + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.ROWS_FETCHED + target_field: salesforce.apex.rows_fetched + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.ROWS_PROCESSED + target_field: salesforce.apex.rows_processed + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.RUN_TIME + target_field: salesforce.apex.run_time + type: float + ignore_missing: true + ignore_failure: true + - rename: + field: json.SELECT + target_field: salesforce.apex.select + ignore_missing: true + ignore_failure: true + - rename: + field: json.SUBQUERIES + target_field: salesforce.apex.subqueries + ignore_missing: true + ignore_failure: true + - convert: + field: json.THROUGHPUT + target_field: salesforce.apex.throughput + type: float + ignore_missing: true + ignore_failure: true + - rename: + field: json.TRIGGER_ID + target_field: 
salesforce.apex.trigger_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.TRIGGER_NAME + target_field: salesforce.apex.trigger_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.TRIGGER_TYPE + target_field: salesforce.apex.trigger_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.TYPE + target_field: salesforce.apex.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.URI + target_field: salesforce.apex.uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.URI_ID_DERIVED + target_field: salesforce.apex.uri_derived_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.USER_AGENT + target_field: salesforce.apex.user_agent + ignore_missing: true + ignore_failure: true + - script: + description: Set request user agent value from user agent numeric code. + lang: painless + params: + user_agent_map: + "100": "Internet Explorer" + "110": "Firefox" + "130": "Chrome" + "140": "Safari" + "150": "Opera" + "160": "Android" + "170": "Netscape" + "180": "Webkit" + "190": "Gecko" + "230": "Blackberry" + "240": "Good Access" + "999": "Unknown" + if: "ctx.salesforce?.apex?.user_agent != null" + source: | + if (params.user_agent_map.containsKey(ctx.salesforce.apex.user_agent.toString().substring(0,3))) { + ctx.salesforce.apex.user_agent = params.user_agent_map[ctx.salesforce.apex.user_agent.toString().substring(0,3)]; + } + on_failure: + - append: + field: error.message + value: "Failed to set salesforce.apex.user_agent: {{{_ingest.on_failure_message}}}" + - rename: + field: json.USER_ID_DERIVED + target_field: salesforce.apex.user_id_derived + ignore_missing: true + ignore_failure: true + + ####################### + ## ECS Event Mapping ## + ####################### + + - set: + field: event.kind + value: event + if: ctx.event?.kind == null + - set: + field: event.type + value: connection + if: ctx.salesforce?.apex?.event_type != 
"ApexExecution" + ignore_failure: true + - append: + field: event.category + value: network + if: ctx.salesforce?.apex?.event_type != "ApexTrigger" && ctx.salesforce?.apex?.event_type != "ApexExecution" + allow_duplicates: false + ignore_failure: true + - script: + description: Set event.action field based on the type of Apex event received. + if: ctx.salesforce?.apex?.event_type != null + lang: painless + params: + event_action_map: + apexcallout: apex-callout + apextrigger: apex-trigger + apexexecution: apex-execution + apexrestapi: apex-rest + apexsoap: apex-soap + externalcustomapexcallout: apex-external-custom-callout + source: | + def eventType = ctx?.salesforce?.apex?.event_type?.toLowerCase(); + if (params.event_action_map.containsKey(eventType)) { + ctx.event.action = params.event_action_map[eventType]; + } + on_failure: + - append: + field: error.message + value: "Failed to set event.action from salesforce.apex.event_type: {{{_ingest.on_failure_message}}}" + - convert: + field: json.TIME + target_field: event.duration + type: float + if: ctx.salesforce?.apex?.event_type == "ApexCallout" && ctx.json?.TIME != null + ignore_failure: true + - convert: + field: json.EXEC_TIME + target_field: event.duration + type: float + if: (ctx.salesforce?.apex?.event_type == "ApexTrigger" || ctx.salesforce?.apex?.event_type == "ApexExecution") && ctx.json?.EXEC_TIME != null + ignore_failure: true + - convert: + field: salesforce.apex.run_time + target_field: event.duration + type: float + if: (ctx.salesforce?.apex?.event_type == "ApexRestApi" || ctx.salesforce?.apex?.event_type == "ApexSoap") && ctx.salesforce?.apex?.run_time != null + ignore_failure: true + - convert: + field: json.TOTAL_MS + target_field: event.duration + type: float + if: ctx.salesforce?.apex?.event_type == "ExternalCustomApexCallout" && ctx.json?.TOTAL_MS != null + ignore_failure: true + - set: + field: event.outcome + value: success + if: (ctx.json?.SUCCESS == "1" && ctx.json?.SUCCESS != null) || 
(ctx.json?.STATUS == "1" && ctx.json?.STATUS != null) + ignore_failure: true + - set: + field: event.outcome + value: failure + if: (ctx.json?.SUCCESS != "1" && ctx.json?.SUCCESS != null) || (ctx.json?.STATUS != "1" && ctx.json?.STATUS != null) + ignore_failure: true + - rename: + field: json.URL + target_field: event.url + if: ctx.salesforce?.apex?.event_type == "ApexCallout" + ignore_missing: true + ignore_failure: true + - rename: + field: salesforce.apex.uri + target_field: event.url + if: ctx.salesforce?.apex?.event_type != "ApexCallout" && ctx.salesforce?.apex?.event_type != "ExternalCustomApexCallout" + ignore_missing: true + ignore_failure: true + - set: + field: event.dataset + value: salesforce.apex + if: ctx.event?.dataset == null + - set: + field: event.module + value: salesforce + if: ctx.event?.module == null + + ###################### + ## ECS User Mapping ## + ###################### + + - rename: + field: json.USER_ID + target_field: user.id + ignore_missing: true + ignore_failure: true + - append: + field: user.roles + value: "{{{json.USER_TYPE}}}" + allow_duplicates: false + ignore_failure: true + - remove: + field: json.USER_TYPE + ignore_missing: true + ignore_failure: true + + ######################## + ## ECS Source Mapping ## + ######################## + + # A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as "Salesforce.com IP" + - rename: + field: json.CLIENT_IP + target_field: source.ip + if: ctx.json?.CLIENT_IP != "Salesforce.com IP" && ctx.json?.CLIENT_IP != null + ignore_missing: true + ignore_failure: true + + ############################ + ## ECS source.geo Mapping ## + ############################ + + # A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as "Salesforce.com IP" + - geoip: + field: source.ip + target_field: source.geo + if: ctx.source?.ip != "Salesforce.com IP" && ctx.source?.ip != null + ignore_missing: true + ignore_failure: true + + 
############################ + ## ECS related.ip Mapping ## + ############################ + + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + + ###################### + ## ECS HTTP Mapping ## + ###################### + + - rename: + field: json.METHOD + target_field: http.request.method + ignore_missing: true + ignore_failure: true + - convert: + field: json.REQUEST_SIZE + target_field: http.request.bytes + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.RESPONSE_SIZE + target_field: http.response.bytes + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: json.STATUS_CODE + target_field: http.response.status_code + type: long + ignore_missing: true + ignore_failure: true + + ############# + ## Cleanup ## + ############# + + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return ((Map) object).isEmpty(); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return ((List) object).isEmpty(); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: + - json + - message + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + +on_failure: + - set: + field: event.kind + value: pipeline_error + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" + - set: + field: error.type + value: "{{{_ingest.on_failure_processor_type}}}" 
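Review bot: Most `convert` and `rename` processors in this pipeline set `ignore_failure: true` with no `on_failure` handler, so a value that fails conversion (for example a non-numeric `json.CPU_TIME`) leaves no `error.message`, and the raw `json.*` field is then deleted by the cleanup `remove` unless the event carries the `preserve_original_event` tag. The `date` and `script` processors in the same hunk already append to `error.message`; giving the `convert` steps the same handler would keep malformed records visible to whoever investigates them later. The two `event.outcome` conditions compare `ctx.json?.SUCCESS` and `ctx.json?.STATUS` with the string `"1"`, so a numeric 1 from the JSON processor would be recorded as `failure`; `ctx.json?.SUCCESS?.toString() == "1"` would cover both forms. Whether numeric values reach these fields depends on the input, although the execution fixture's expected output shows `is_long_running_request` as the number 0 after a plain rename.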
diff --git a/x-pack/filebeat/module/salesforce/apex/manifest.yml b/x-pack/filebeat/module/salesforce/apex/manifest.yml
new file mode 100644
index 00000000000..d0753e7e38d
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/apex/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: salesforce
+ - name: tags
+ default: [salesforce-apex,forwarded]
+ - name: api_version
+ - name: authentication
+ - name: url
+ - name: elf_interval
+ default: 1h
+ - name: initial_interval
+ - name: log_file_interval
+ default: Hourly
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+input: config/apex.yml
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_callout.ndjson.log
similarity index 100%
rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log
rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_callout.ndjson.log
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_callout.ndjson.log-expected.json
similarity index 82%
rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log-expected.json
rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_callout.ndjson.log-expected.json
index fe5d3ed8e31..43e592a85c9 100644
--- a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_callout.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_callout.ndjson.log-expected.json
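Review bot: The `authentication` var carries the OAuth2 settings, since config/apex.yml renders it into `auth.oauth2`, but the manifest has no comment saying so or saying how secrets should be supplied. I would add `# authentication: OAuth2 settings for the salesforce input; supply secrets through keystore or environment references, not literals` above `- name: authentication`. Also, `module_version: 1.0` is a plain scalar that YAML loaders read as a float; `module_version: "1.0"` keeps it a string.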
@@ -2,16 +2,18 @@ { "@timestamp": "2021-11-02T09:12:50.488Z", "event.action": "apex-callout", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "salesforce.apex", - "event.duration": 1293, + "event.duration": 1293.0, "event.kind": "event", "event.module": "salesforce", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": "connection", "event.url": "https://api-prod.guidance.sfdc.sh/odata/Accounts?%24top=1&%24filter=%28startswith%28Organization_id_dw__c%2C%2700D5j000000VI3n%27%29%29&%24select=Aov_band__c%2CCombo_sector__c%2CCsg_coverage__c%2CCsg_portfolio__c%2CId%2CIndustry%2CL1_aov_cloud1__c%2CL1_aov_cloud2__c%2CLocked_industry__c%2CLocked_sector__c%2CSfdc_sector__c%2CSfid%2CSub_sector__c%2CSupportLevel__c%2CTotal_aov__c", - "fileset.name": "apex-rest", + "fileset.name": "apex", "http.request.bytes": -1, "http.request.method": "GET", "http.response.bytes": 256, @@ -20,19 +22,19 @@ "related.ip": [ "10.0.1.123" ], - "salesforce.access_mode": "rest", - "salesforce.apex.cpu_time": -1, + "salesforce.apex.cpu_time": -1.0, "salesforce.apex.event_type": "ApexCallout", "salesforce.apex.organization_id": "00D5j000000VI3n", - "salesforce.apex.run_time": 1305, + "salesforce.apex.run_time": 1305.0, "salesforce.apex.type": "OData", "salesforce.apex.uri": "CALLOUT-LOG", "salesforce.apex.user_id_derived": "0055j000000utlPAAQ", + "salesforce.instance_url": "", "service.type": "salesforce", "source.ip": "10.0.1.123", "tags": [ "forwarded", - "salesforce-apex-rest" + "salesforce-apex" ], "user.id": "0055j000000utlP" } diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_execution.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_execution.ndjson.log 
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_execution.ndjson.log-expected.json similarity index 66% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_execution.ndjson.log-expected.json index e39794b7bcf..42a58a9bb25 100644 --- a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_execution.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_execution.ndjson.log-expected.json 
@@ -3,31 +3,31 @@ "@timestamp": "2021-11-02T09:20:46.003Z", "event.action": "apex-execution", "event.dataset": "salesforce.apex", - "event.duration": 1, + "event.duration": 1.0, "event.kind": "event", "event.module": "salesforce", "event.timezone": "-02:00", - "fileset.name": "apex-rest", + "fileset.name": "apex", "input.type": "log", "log.offset": 0, - "salesforce.access_mode": "rest", - "salesforce.apex.callout_time": 0, - "salesforce.apex.cpu_time": 79, - "salesforce.apex.db_total_time": 0, + "salesforce.apex.callout_time": 0.0, + "salesforce.apex.cpu_time": 79.0, + "salesforce.apex.db_total_time": 0.0, "salesforce.apex.entry_point": "VF- /apex/listApexClass.apexp", "salesforce.apex.event_type": "ApexExecution", "salesforce.apex.is_long_running_request": 0, "salesforce.apex.login_key": "MroEDyLplzWdOHPJ", - "salesforce.apex.number_soql_queries": 0, "salesforce.apex.organization_id": "00D5j000000VI3n", "salesforce.apex.quiddity": "V", - "salesforce.apex.request.id": "4fDkD4xoOfMXKFl1cJOo_V", - "salesforce.apex.run_time": 162, + "salesforce.apex.request_id": "4fDkD4xoOfMXKFl1cJOo_V", + "salesforce.apex.run_time": 162.0, + "salesforce.apex.soql_queries_count": 0, "salesforce.apex.user_id_derived": "0055j000000utlPAAQ", + "salesforce.instance_url": "", "service.type": "salesforce", "tags": [ "forwarded", - "salesforce-apex-rest" + "salesforce-apex" ], "user.id": "0055j000000utlP" } diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_external_callout.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_external_callout.ndjson.log 
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_external_callout.ndjson.log-expected.json similarity index 60% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_external_callout.ndjson.log-expected.json index 74aa47c145d..bab3aba3fdb 100644 --- a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_external_callout.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_external_callout.ndjson.log-expected.json 
@@ -1,31 +1,37 @@ [ { "@timestamp": "2021-11-10T10:11:09.997Z", - "event.action": [ - "apex-external-custom-callout" + "event.action": "apex-external-custom-callout", + "event.category": [ + "network" ], - "event.category": "network", "event.dataset": "salesforce.apex", - "event.duration": 13, + "event.duration": 13.0, "event.kind": "event", "event.module": "salesforce", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": "connection", - "fileset.name": "apex-rest", + "fileset.name": "apex", "input.type": "log", "log.offset": 0, - "salesforce.access_mode": "rest", + "salesforce.apex.action": "query", + "salesforce.apex.entity": "HealthcareBlog", "salesforce.apex.event_type": "ExternalCustomApexCallout", + "salesforce.apex.execute_ms": 8.0, + "salesforce.apex.fetch_ms": 5.0, + "salesforce.apex.limit": 51, + "salesforce.apex.message": "Unauthorized endpoint, please check Setup->Security->Remote site settings. endpoint = https://www.healthcare.gov/api/blog.json : ()", "salesforce.apex.offset": 0, "salesforce.apex.orderby": "(Order:[columnName=ExternalId, direction=ASCENDING, tableName=HealthcareBlog], Order:[columnName=ExternalId, direction=ASCENDING, tableName=HealthcareBlog])", "salesforce.apex.organization_id": "00D5j000000VI3n", - "salesforce.apex.request.id": "TID:10799890000ce8142a", + "salesforce.apex.request_id": "TID:10799890000ce8142a", "salesforce.apex.select": "(ColumnSelection:[aggregation=NONE, columnName=DisplayUrl, tableName=HealthcareBlog], ColumnSelection:[aggregation=NONE, columnName=ExternalId, tableName=HealthcareBlog])", + "salesforce.instance_url": "", "service.type": "salesforce", "tags": [ "forwarded", - "salesforce-apex-rest" + "salesforce-apex" ], "user.id": "0055j000000utlP" } 
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_rest.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_rest.ndjson.log diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_rest.ndjson.log-expected.json similarity index 63% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_rest.ndjson.log-expected.json index ffed6673131..dcda8505712 100644 --- a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_rest.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_rest.ndjson.log-expected.json @@ -1,15 +1,18 @@ [ { "@timestamp": "2021-11-09T06:00:01.635Z", - "event.category": "network", + "event.action": "apex-rest", + "event.category": [ + "network" + ], "event.dataset": "salesforce.apex", - "event.duration": 478, + "event.duration": 478.0, "event.kind": "event", "event.module": "salesforce", "event.timezone": "-02:00", "event.type": "connection", "event.url": "/Account/", - "fileset.name": "apex-rest", + "fileset.name": "apex", "http.request.method": "POST", "http.response.status_code": 200, "input.type": "log", 
@@ -17,26 +20,29 @@ "related.ip": [ "43.224.11.237" ], - "salesforce.access_mode": "rest", - "salesforce.apex.cpu_time": 94, + "salesforce.apex.cpu_time": 94.0, "salesforce.apex.db_blocks": 4401, - "salesforce.apex.db_cpu_time": 130, - "salesforce.apex.db_total_time": 232002551, + "salesforce.apex.db_cpu_time": 130.0, + "salesforce.apex.db_total_time": 232002540.0, "salesforce.apex.event_type": "ApexRestApi", "salesforce.apex.login_key": "ieC2BVibz9GliuON", "salesforce.apex.media_type": "application/json;charset=UTF-8", "salesforce.apex.organization_id": "00D5j000000VI3n", - "salesforce.apex.request.id": "4fMAJzbahOQk2kl1cJ0uSV", - "salesforce.apex.request.status": "S", + "salesforce.apex.request_id": "4fMAJzbahOQk2kl1cJ0uSV", + "salesforce.apex.request_status": "S", + "salesforce.apex.run_time": 478.0, "salesforce.apex.user_agent": 5236, "salesforce.apex.user_id_derived": "0055j000000utlPAAQ", + "salesforce.instance_url": "", "service.type": "salesforce", "source.ip": "43.224.11.237", "tags": [ "forwarded", - "salesforce-apex-rest" + "salesforce-apex" ], "user.id": "0055j000000utlP", - "user.roles": "Standard" + "user.roles": [ + "Standard" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_soap.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_soap.ndjson.log 
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_soap.ndjson.log-expected.json similarity index 59% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_soap.ndjson.log-expected.json index 96feff5da7d..b3da78384fa 100644 --- a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_soap.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_soap.ndjson.log-expected.json 
@@ -2,37 +2,44 @@ { "@timestamp": "2021-11-09T11:48:38.534Z", "event.action": "apex-soap", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "salesforce.apex", - "event.duration": 36, + "event.duration": 36.0, "event.kind": "event", "event.module": "salesforce", "event.timezone": "-02:00", "event.type": "connection", "event.url": "APEXSOAP", - "fileset.name": "apex-rest", + "fileset.name": "apex", "input.type": "log", "log.offset": 0, "related.ip": [ "43.224.11.237" ], - "salesforce.access_mode": "rest", - "salesforce.apex.cpu_time": 17, - "salesforce.apex.db_total_time": 14928037, + "salesforce.apex.class_name": "ContactResource", + "salesforce.apex.cpu_time": 17.0, + "salesforce.apex.db_total_time": 14928037.0, "salesforce.apex.event_type": "ApexSoap", + "salesforce.apex.limit_usage_pct": 2.67, "salesforce.apex.login_key": "1HQDaq9tglsI4Nlo", "salesforce.apex.method_name": "getContactIdAndNames", "salesforce.apex.organization_id": "00D5j000000VI3n", - "salesforce.apex.request.id": "4fMTLXm8qV3kTVl1cJNxMV", - "salesforce.apex.request.status": "S", + "salesforce.apex.request_id": "4fMTLXm8qV3kTVl1cJNxMV", + "salesforce.apex.request_status": "S", + "salesforce.apex.run_time": 36.0, "salesforce.apex.user_id_derived": "0055j000000utlPAAQ", + "salesforce.instance_url": "", "service.type": "salesforce", "source.ip": "43.224.11.237", "tags": [ "forwarded", - "salesforce-apex-rest" + "salesforce-apex" ], "user.id": "0055j000000utlP", - "user.roles": "Standard" + "user.roles": [ + "Standard" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_trigger.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_trigger.ndjson.log 
diff --git a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_trigger.ndjson.log-expected.json similarity index 62% rename from x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_trigger.ndjson.log-expected.json index 6e04d3436ce..f95936eb435 100644 --- a/x-pack/filebeat/module/salesforce/apex-rest/test/salesforce_apex_trigger.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/apex/test/salesforce_apex_trigger.ndjson.log-expected.json @@ -3,28 +3,28 @@ "@timestamp": "2021-11-02T09:25:02.894Z", "event.action": "apex-trigger", "event.dataset": "salesforce.apex", - "event.duration": 4, + "event.duration": 4.0, "event.kind": "event", "event.module": "salesforce", "event.timezone": "-02:00", "event.type": "connection", - "fileset.name": "apex-rest", + "fileset.name": "apex", "input.type": "log", "log.offset": 0, - "salesforce.access_mode": "rest", - "salesforce.apex.cpu_time": 3, + "salesforce.apex.cpu_time": 3.0, "salesforce.apex.entity_name": "Book__c", "salesforce.apex.event_type": "ApexTrigger", "salesforce.apex.organization_id": "00D5j000000VI3n", - "salesforce.apex.request.id": "4fDkS1iz2_p5i-l1cJOqAV", - "salesforce.apex.trigger.id": "01q5j000000ClvF", - "salesforce.apex.trigger.name": "HelloWorldTrigger", - "salesforce.apex.trigger.type": "BeforeInsert", + "salesforce.apex.request_id": "4fDkS1iz2_p5i-l1cJOqAV", + "salesforce.apex.trigger_id": "01q5j000000ClvF", + "salesforce.apex.trigger_name": "HelloWorldTrigger", + "salesforce.apex.trigger_type": "BeforeInsert", "salesforce.apex.user_id_derived": "0055j000000utlPAAQ", + "salesforce.instance_url": "", "service.type": "salesforce", "tags": [ "forwarded", - "salesforce-apex-rest" + "salesforce-apex" ], "user.id": "0055j000000utlP" } 
diff --git a/x-pack/filebeat/module/salesforce/fields.go b/x-pack/filebeat/module/salesforce/fields.go index acb402db804..78aa4fa0cc6 100644 --- a/x-pack/filebeat/module/salesforce/fields.go +++ b/x-pack/filebeat/module/salesforce/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetSalesforce returns asset data. // This is the base64 encoded zlib format compressed contents of module/salesforce. func AssetSalesforce() string { - return "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" + return "eJzUXM2S20aSvuspMuYiKZbNGM+uJzZ02AhaTa04K1nt/gmH98IoAgmytgtVcP2QzT3pQTwvpyeZqKzCD0GAbDbRbZsXtQigKiv/88sEL+Aet+/AMIEmUzrBVwCWW4Hv4C831Zd/eQWQokk0LyxX8h381ysAgPoG+KxSJ/zDGUeRmnd03X8uQLIcWzuUH7st8B0stXJF41uNApnBd7BAyxrfd1BQfj5wgQYtZEoDl0s0lstlk75JgQ8g1NKMG8+1aW3Sy6WxTCY4d1rs3FBSfY/bjdJp69oOjbcrhFlcB+6uP4HKwK6wSVe5zbiTCFbgQ+fmbZYdYtsR1j2dfX0sbJ4gVYnLUdo5b3PqGCf3yL6T/FeHMLss2UhElRu0CWswMfHPn7v7hFaBAnWmdI4pLLZERMKEUO7A9vGGueU59hKRCcXsMRJueY5gCpQWNoyTiJSEDS7AoF7zpCLGjIBLyLkQ3GCiZLonNv9xktt3kJuOSzlazZN51DXmlvuUV8cTzJi5//tcDt+WIqUlafkxzIKow1fcQMG09fJnkDPJlphCwZJ7tsQR2BU3YKz2fOEyES5FQw/HO2hFU7C2se2ehntlHeo4fp1SW8PSYFfMvjbgTMvCogjNGG79Ociu/IGZBEUrMuEPz3K0qGkVSJiEhT+eMZh6iU+uZqQChvi2EEzejyolRQ0pT+Vr61Uo4dkWWEkTl3TXeybEF9rLwApZivoAowo3hEb7Xa/uwK/UVllw/lRWQaLyQqBFolHjrw5Nh7kNpc/pYr4QKrnvWiY8L5RcHjvYTKY8YRYNrNQGcpesyA2tud16oaokcToqKh0rZZYtmMExTGDFlytYM+GQ/LGt1cG4pffNJoifpWlYIcUHNKA0ZFxY1MZ7ha1yGn51qDka2CgnUligxIzb0oXtR52n8OoF9KBPBRpM9l+zXDkZfEPJacvuPYcKwSjS7nAaBNt6k3AkhpdSLassE0OFgjctTr1tBQevPdVxC60SNCbqHFsuNS6ZDSrGhABVoGbB9iOnKj6/V3nBNDY10cskSt7/nXqnlHOJsFmhXaFuKhlwYxwa8Ev0Kn4UB+UfQXnVRkKi0k4dHUYeKC2323P9/I8NH48PFrX31Grxf5hYWKA/Kks85zHt96aBkmcJO5ESlmWY2DptsZovl4ccPEqrt/NCcdmljCeTRMsBLVd7NYr2+ICJ8zceoGXtg7LfcwhS/AOeO7TqgU2JLpx3atkJpvpRbShkALdglbrvMFvPkEYqYBUUGsnkmExLQkhs3qNvxzBZMy7YQmAZ9deojU9P/+Nv47/SQ4LZLukOZToZ2mT1EqyxCrQnC9cNBoBG44Q1kGmV7xqe2RqL+R+BQxSLz9XXD+Rt8aHQ3nd752xVXBo2K56sQKuNiVxyWnpnrTWaooycP3+cXk89D26+/PSpTAj6lZ6buRfIXDspuf83xIBzj1FH6jI+NAKMT4gSH7sxBbZkviKOEUAvX/tL0scMH9g8aReRtOA8yiUEz7mFN1Y7fOuDiFQW3mRMGHzbf1h66Kw07zN74LnLQbp84aNX1hJHiK6l1bZE82n2eXb7eNEQtXNn2BLnRdJP96MTrgJ1gtL6ykhlgZ03XyZXoYIIKeYGNULOUqwEQyFFL5nk/0/ZwmsTCOs3pLjNedYk1JLL+T2eHa39wWONSCe0Pj+2ahm00idCFBYoCWKw5GuUvhDR/pyeBjDBEMcws2As09bAhtsVsHidHg
9+28uZriEPq/tblLPxHhWswK9eruotnXvi+tUgx5SzwWIhrVZFxGCUXkPNgRo5R+OVsHd7iw9H9W+qtaJsb8M0WXNcFJgxKuHM+wJinScpY1xgSnp5iCq7UunzVO5MiMrjhH366QiA2Jwc2lm+haio/EpY1nMsUcLl0oy8K/UZQlEInvhI10+TUb+KeXQwg1PW9F4NrxGzlrRZYR3JuFSWGTyPtB/3HLG554VnlYSCLQMhWrmlN9iQRYBBu+ebv3z4cDM9wTkrnaJenO2dQrivhOwpcSbUaEZpKup2EqAROZoqpiq6qzRjypC8GzMJSoIK3qSYMScshUi/cfyeqN/nwfXl9Bp++OUULtSBYQDA1+vZd99fJCumWeIznhr6be7UTw/xaggqquNvR8AzUL7QZaYGgw+RwNN0gCqzWbgo55lR1U0dPpObY7YWE6eBpOSa0DwDw+VS+BqTSRPQ9zFMmv8l6DJR0jIuiZtKQ6509BBmDFOWrGKYbATi5gorFmAf4x11fZrjJzaWWddfuJyUR/iV6sAZUtGQ8hU+mK05bvzRKMRzaVFnLMHYkDhAqdqYgBSd56b9Cs3UFBOl0wa8U3s/f5qAOHIDTGzY1sDFd17VKf45Y1UOLGWFpUzokll2o5xOcHyl1ZqnqCNCnyo08rWFFBMRICOEn+6m17/Mb7/cTj7Nb2b/O4WEFWzBBbfbIzygKhP7NfQJESEu2e7ePL1e3CE4gmxnkrwbX0Mgq+JqtUUbpuunzMmBINoaYg3AHyXQDdWnGv7FOk8GBR6ogx5pyO9VnrMLgwXT5EEFN7aRcAUEL0S+dC9E3kw/Td+fkCYYt4j3nEv2NRrUa0zJ3WTOOk2VRP/WMe0p3JmV4497/qTEZ0gjvTMPkj+ztxAByudNI+Im0byYgYzrQ9G8JGqIKuODr//CegYSlRNir1Xebmya0c62dWuT1Q1NKDRm/AFqNY416RiqY1NPUKr9h7jxfxmUdrTDFB7xNSbByZKoo7hxSevQaC0lNcd3H3jX0I8+1uJ3mg+x6d31rFRMSh9iq1hjgnx9tEvVIGaeouZrTIcynv9sGE/CDF4YljUHMQYi3KCes2U3VnR6Ae9y1DyhFlLsONRijX3vssOcs/ud1iK88Q/gA8sLgcEoFj4Mox6V9bbfaORzu8nV7ADESGfiaSmQF5EGZZublTo0ZVBVwSS+WYlFTa5m9Vn2J7fGBHG9ahP/EvNbnwhce3M9vbl9e9IcV/8A0qPHuMrBo7RvSKvSiKfuQMlVvUylmKFzeKTireloe6H+WbFjY1tD+9HmKNnV7LgviNn3ECSUifz+7J2nJLqqkOa5vSZtxVtnV4MxNxrhQN7Zk4bSlqoT8MmgQYstMB84dXpRMG23wFN/Z1beW5TFG9WsEr4UKGeX8F5JiYkty3jDl/Ii3G1Voo5jsBoz1CiTQTTo5Y/XHsDqqwy//66/MqxFbTr0+OmqI3CN/ajAY5D3m0DRBa3kU3Wnud0SGKOVMCF6lH5HQYbM1xaxAjWuKJS2wO0IDA01UX9OhtECVhSGGKKxCGjlo3n52Cp7oA5Q7OhE2Kpsvswux3Bn4pxLgEOsKpVqS80h4k7sEPkUm8CpqiX08wr9/+kmH6NAudAKov/Q2A3jcuQzd9xU29LUItPW15e+KKBQN13HfLzJPpVZlCCdELDAhDmDNaxOXVRWeGGlsMBMaaxJo4saWbVHldusP09u/md29/fJw1T/25fi+8dL7O/HtX9fWockpdaoN5pbKiJc23n8+bt4JVdW3Filt2ckJLeaJfem1LRyV6Ngq1yEVrVGL5jSnONAXDyj95Y8cYLpeNxqCr0tfWFUQwVUQJxIQT+GU4xg4uwqOpXQjlDEpjB3ZEY+ueZhxAOZ4aFNYbWvP6OMFiy5p2SnFJHSfMklEy3f383NjkzlpLSrzFACIzoSr1JVOndfojpHjrv5SJ3CE4f/G1U1vdXRFa0I9iybXQFLU43G9OQvacrDEP
Gcy0x1EtwRPXao/cfNlx997sKZiHkoof3VyuBX1nm4EvOqyiNVkzofb2+v4nSxKXuDpdV1poWt0ezuzPAklpcurMZYa36GXUqspHVn0x+O4NvX3+7kvVQb+e3rP/21MPPRl0JG+nk75J/2Nkkl55PHyie7r53EeanZFbwpI3kpBpJV4+aflb5foExWVO8WxfQhWTG5xLcUulZqI/3T377+Vj8zTlQOs6tvX//Zw4zuseFejHygqfEd9/aU6WFWFMRSH+DZdj9TOQpwdkLfzQFhnmNn7ycsmSq3EEdDY8kYyaQq+RLaUtW4rVZOEppXjGFWvSxRv2ASz/uPyx/eQ6r5GvUIJNqN0uSrm6O7wetf/vDaVFL5o80MnyeW3vHTJwWa0JjtbLmR2+82mMOt9ZMIObmlfrRnfNL2v3ev+Hr609305nY+uzx8ys4+8UknHbI/fKSZ93jHOUQP7zxzipjoM6jwUMgntOD0XgD3NKLbwK1Pu1Eabvl6GDS9dlhMuOAqenWlq9l3TFnKMW2ryi0wdoxqW6sQhUIJnmyPvol4ni6FudCXrwG6sXG101x9FnC8YLqt2Z9COfr7YOP77xIfQcuHRsQGQIT2z+A/h3GiX2Kl7X5XvOgZccJ+plQWHiDE6KpK6qpWOpkRDV4KtaTJS9JSHC/HcGOZTJlOSzTSe+GPfLm6mBjjNCWA8cqB3toQPYpDp4zn8b7hUYeaXM1G8IU5u/qbP89duy94bJb9DJv7U+Nhf7S+Vb9O/M7drH7ChulxFcVZkbRbLZttzV1bCqEWXKF2rKmbuNh/fwYCy6aR19dgQiWOUw4Jxr2D8TMbTOI5QapuQltCbgA/p7Pz/JK2m8bHFbm9ZO1UuYtzIPJu8p5c+haC2Uzp/BlYtjOgEoVabkc4JKPk23tYavmkJVqp3F6DSLr2KzJ1VWuUcKEkGPwIJtGIsrHHro4Od4ozS8eTlOJZismD40DnnuOlBoP2TyS5pe7EfK8IGuBclQOpBtIrvESGzoPYksfDlLKxDqP2njwRPLkvy+dYMy2ctZT11Ou+NnXqx/O4ZBpTe1mBwzRREDpdPPcRjtsyDwqFcBgbq2j/a0+8CE3ZoX3dnaz6FAfcfx35hhRY05ILVThBbSslxTYkzgSjVxh7gJ/K91UgV5JbpQ3lVFyjAXywmrU6gfXwQe6E5RcZS6wXyG67EGYyLJ0QSN1Q9iVK1AT9N4BEym4N2lDxX1P7NKU2/KzOEMLJoob5oiw+GyHxIO54+eCzVY8zRspq7iDcVXX5uheh/kbZ4vXpfYCEAqtLXDS0sLr4F5pVxOC07XzpV4OeFYMeIDR3wC8GrSvmzKXczq1mXDw3EtM5pnjjqZh4Im49DX94NKbhfxIlO3CBs5MbWhScTKtfLKAKxfMJQhuRstecpdgaTeEZTLk0FkNmayARyqUXVl3QH42QFSd4Wbkgl2GDUdsom4perv3Cjpkaxke3NMYN6ZUf9bZIpYco6KeB5j4cDqsO1OC6mJgqFalfEy7DgvdOUXwxb9x9KP6GWewVNh7rdmSPHWf69++PjzOl3BSCDQzbZE6I5n00nk5qHIyiwY22dVBiFlgWDriiJn6l71eo8xu070mvgi1chiN03C/4PcK3r7+Fu1PP4JzHwSK08Hly+S5EpYBW8gSlaSINvWVHoaThC4Hz6sWTeXjx5GWsymDXzz+eW/Bgpam1N8tRuvhSfkOZQ/d6b+7uM71P48O+prf6qV8ut3ClVcYFjl/9KwAA//+kiPAE" } diff --git a/x-pack/filebeat/module/salesforce/login-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/login-rest/_meta/fields.yml deleted file mode 100644 index afbfae384e2..00000000000 
--- a/x-pack/filebeat/module/salesforce/login-rest/_meta/fields.yml
+++ /dev/null
@@ -1,62 +0,0 @@ -- name: salesforce.login - type: group - release: beta - description: > - Fileset for ingesting Salesforce Login (REST) logs. - fields: - - name: api_type - type: keyword - description: > - The type of API request. - - name: api_version - type: keyword - description: > - The version of the API that’s being used. - - name: login_key - type: keyword - description: > - The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. - - name: authentication_method_reference - type: keyword - description: > - The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later. - - name: client_ip - type: keyword - description: > - The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. - - name: cpu_time - type: keyword - description: > - The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. - - name: db_total_time - type: keyword - description: > - The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. - - name: event_type - type: keyword - description: > - The type of event. The value is always Login. - - name: organization_id - type: keyword - description: > - The 15-character ID of the organization. - - name: request_id - type: keyword - description: > - The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. 
- - name: request_status - type: keyword - description: > - The status of the request for a page view or user interface action. - - name: run_time - type: keyword - description: > - The amount of time that the request took in milliseconds. - - name: uri_id_derived - type: keyword - description: > - The 18-character case insensitive ID of the URI of the page that’s receiving the request. - - name: user_id_derived - type: keyword - description: > - The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/login-rest/config/login-rest.yml b/x-pack/filebeat/module/salesforce/login-rest/config/login-rest.yml deleted file mode 100644 index 380c746d739..00000000000 --- a/x-pack/filebeat/module/salesforce/login-rest/config/login-rest.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -{{ if eq .input "httpjson" }} - -type: httpjson -interval: {{ .interval }} -request.method: GET -auth.oauth2: - enabled: true - {{ if .client_id }} - client.id: {{ .client_id }} - {{ end }} - {{ if .client_secret }} - client.secret: {{ .client_secret }} - {{ end }} - {{ if .token_url }} - token_url: {{ .token_url }} - {{ end }} - {{ if .user }} - user: {{ .user }} - {{ end }} - {{ if .password }} - password: {{ .password }} - {{ end }} -# Query params will be overwritten by request.transforms from start of the input and -# it is to indicate that this url is for Login type of events as cursor stores the url as source. -# Each filebeat input cursor source needs to be uniquely identified with a name. -request.url: {{ .url }}/services/data/v52.0/query?q=login+rest -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} -request.transforms: - - set: - target: url.params.q - value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Login' AND LogDate > [[.cursor.last_published_login]] ORDER BY LogDate ASC NULLS FIRST" - default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Login' ORDER BY LogDate ASC NULLS FIRST" -response.pagination: - - set: - target: url.value - value: '[[if (ne .last_response.body.done true)]]{{ .url }}[[.last_response.body.nextRecordsUrl]][[end]]' - fail_on_template_error: true -chain: - - step: - request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/$.records[:].Id/LogFile - request.method: GET - replace: $.records[:].Id -cursor: - last_published_login: - value: '[[(formatDate ((parseDate .last_event.TIMESTAMP_DERIVED "RFC3339").Add (parseDuration "-1h")))]]' - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - 
-processors: - - decode_json_fields: - fields: [message] - target: "json" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/login-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/login-rest/ingest/pipeline.yml deleted file mode 100644 index 2f2de778a0f..00000000000 --- a/x-pack/filebeat/module/salesforce/login-rest/ingest/pipeline.yml +++ /dev/null 
@@ -1,224 +0,0 @@ ---- -description: Pipeline for parsing Salesforce Login (REST) logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- remove: - field: - - message - ignore_missing: true - -- set: - field: salesforce.access_mode - value: rest - ignore_failure: true - -- date: - field: json.TIMESTAMP_DERIVED - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true - -- rename: - field: json.API_TYPE - target_field: salesforce.login.api_type - ignore_missing: true -- rename: - field: json.AUTHENTICATION_METHOD_REFERENCE - target_field: salesforce.login.authentication_method_reference - ignore_missing: true -- rename: - field: json.REQUEST_STATUS - target_field: salesforce.login.request_status - ignore_missing: true -- rename: - field: json.API_VERSION - target_field: salesforce.login.api_version - ignore_missing: true -- rename: - field: json.USER_ID_DERIVED - target_field: salesforce.login.user_id_derived - ignore_missing: true -- rename: - field: json.LOGIN_KEY - target_field: salesforce.login.login_key - ignore_missing: true -- rename: - field: json.EVENT_TYPE - target_field: salesforce.login.event_type - ignore_missing: true -- rename: - field: json.REQUEST_ID - target_field: salesforce.login.request_id - ignore_missing: true -- rename: - field: json.ORGANIZATION_ID - target_field: salesforce.login.organization_id - ignore_missing: true -- rename: - field: json.RUN_TIME - target_field: salesforce.login.run_time - ignore_missing: true -- rename: - field: json.CPU_TIME - target_field: salesforce.login.cpu_time - ignore_missing: true -- rename: - field: json.DB_TOTAL_TIME - target_field: salesforce.login.db_total_time - ignore_missing: true -- rename: - field: json.CLIENT_IP - target_field: salesforce.login.client_ip - ignore_missing: true -- rename: - field: json.URI_ID_DERIVED - target_field: salesforce.login.uri_id_derived - ignore_missing: true - -####################### -## ECS Event Mapping ## 
-####################### - -- rename: - field: json.URI - target_field: event.url - ignore_missing: true -- set: - field: event.outcome - value: success - if: 'ctx?.json?.LOGIN_STATUS == "LOGIN_NO_ERROR" && ctx?.json?.LOGIN_STATUS != null' - ignore_failure: true -- set: - field: event.outcome - value: failure - if: 'ctx?.json?.LOGIN_STATUS != "LOGIN_NO_ERROR" && ctx?.json?.LOGIN_STATUS != null' - ignore_failure: true -- set: - field: event.type - value: "info" -- set: - field: event.kind - value: "event" -- set: - field: event.action - value: "login-attempt" -- set: - field: event.category - value: "authentication" -- set: - field: event.dataset - value: "salesforce.login" -- set: - field: event.module - value: "salesforce" - -###################### -## ECS User Mapping ## -###################### - -# As per the following article, the username must be in the format of an email address. -# Reference: https://help.salesforce.com/s/articleView?language=en_US&type=5&id=sf.basics_intro_usernames_passwords.htm -- rename: - field: json.USER_NAME - target_field: user.email - ignore_missing: true -- rename: - field: json.USER_ID - target_field: user.id - ignore_missing: true -- rename: - field: json.USER_TYPE - target_field: user.roles - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## - -- rename: - field: json.SOURCE_IP - target_field: source.ip - ignore_missing: true - if: 'ctx?.json?.SOURCE_IP != "Salesforce.com IP"' - -############################ -## ECS Source.Geo Mapping ## -############################ - -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - -############################ -## ECS Related.ip Mapping ## -############################ - -- append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - allow_duplicates: false - ignore_failure: true - -- append: - field: related.ip - value: "{{{salesforce.login.client_ip}}}" - if: 
'ctx?.salesforce?.login?.client_ip != "Salesforce.com IP" && ctx?.salesforce?.login?.client_ip != null' - allow_duplicates: false - ignore_failure: true - -############################ -## ECS User Agent Mapping ## -############################ - -- rename: - field: json.BROWSER_TYPE - target_field: user_agent.name - ignore_missing: true - -##################### -## ECS TLS Mapping ## -##################### - -- rename: - field: json.CIPHER_SUITE - target_field: tls.cipher - ignore_missing: true -- dissect: - pattern: "%{tls.version_protocol}v%{tls.version}" - field: "json.TLS_PROTOCOL" - ignore_failure: true - -############# -## Cleanup ## -############# - -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/login-rest/manifest.yml b/x-pack/filebeat/module/salesforce/login-rest/manifest.yml deleted file mode 100644 index 15450bab7f2..00000000000 --- a/x-pack/filebeat/module/salesforce/login-rest/manifest.yml +++ /dev/null @@ -1,20 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: interval - default: 1h - - name: tags - default: [salesforce-login-rest, forwarded] - - name: proxy_url - - name: client_id - - name: client_secret - - name: token_url - - name: user - - name: password - - name: url - -ingest_pipeline: - - ingest/pipeline.yml -input: config/login-rest.yml 
diff --git a/x-pack/filebeat/module/salesforce/login-stream/_meta/fields.yml b/x-pack/filebeat/module/salesforce/login-stream/_meta/fields.yml deleted file mode 100644 index 9d807a7bf77..00000000000 --- a/x-pack/filebeat/module/salesforce/login-stream/_meta/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: salesforce.login - type: group - release: beta - description: > - Fileset for ingesting Salesforce Login (Streaming) logs. - fields: - - name: application - type: keyword - description: > - The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A - - name: auth_method_reference - type: keyword - description: > - The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. - - name: auth_service_id - type: keyword - description: > - The 18-character ID for an authentication service for a login event. - - name: client_version - type: keyword - description: > - The version number of the login client. If no version number is available, “Unknown” is returned. - - name: created_by_id - type: keyword - description: > - Unavailable - - name: evaluation_time - type: keyword - description: > - The amount of time it took to evaluate the transaction security policy, in milliseconds. - - name: login_geo_id - type: keyword - description: > - The Salesforce ID of the LoginGeo object associated with the login user’s IP address. - - name: login_history_id - type: keyword - description: > - Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication. - - name: login_type - type: keyword - description: > - The type of login used to access the session. - - name: policy_id - type: keyword - description: > - The ID of the transaction security policy associated with this event. - - name: policy_outcome - type: keyword - description: > - The result of the transaction policy. 
- - name: related_event_identifier - type: keyword - description: > - This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. - - name: session_level - type: keyword - description: > - Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/login-stream/config/login-stream.yml b/x-pack/filebeat/module/salesforce/login-stream/config/login-stream.yml deleted file mode 100644 index 3db5b0dd49e..00000000000 --- a/x-pack/filebeat/module/salesforce/login-stream/config/login-stream.yml +++ /dev/null @@ -1,44 +0,0 @@ -{{ if eq .input "cometd" }} - -type: cometd -channel_name: /event/LoginEventStream -auth.oauth2: - {{ if .client_id }} - client.id: {{ .client_id }} - {{ end }} - {{ if .client_secret }} - client.secret: {{ .client_secret }} - {{ end }} - {{ if .token_url }} - token_url: {{ .token_url }} - {{ end }} - {{ if .user }} - user: {{ .user }} - {{ end }} - {{ if .password }} - password: {{ .password }} - {{ end }} - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - decode_json_fields: - fields: [message] - target: "json" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - add_locale: ~ 
diff --git a/x-pack/filebeat/module/salesforce/login-stream/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/login-stream/ingest/pipeline.yml deleted file mode 100644 index a24e65d1a21..00000000000 --- a/x-pack/filebeat/module/salesforce/login-stream/ingest/pipeline.yml +++ /dev/null 
@@ -1,278 +0,0 @@ ---- -description: Pipeline for parsing Salesforce Login (Streaming) logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- remove: - field: - - message - ignore_missing: true - -- set: - field: salesforce.access_mode - value: stream - ignore_failure: true - -- date: - field: json.EventDate - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true -- rename: - field: json.schema - target_field: salesforce.login.schema - ignore_missing: true -- rename: - field: json.ApiType - target_field: salesforce.login.api_type - ignore_missing: true -- rename: - field: json.AuthMethodReference - target_field: salesforce.login.auth_method_reference - ignore_missing: true -- rename: - field: json.LoginType - target_field: salesforce.login.login_type - ignore_missing: true -- rename: - field: json.PolicyOutcome - target_field: salesforce.login.policy_outcome - ignore_missing: true -- rename: - field: json.AuthServiceId - target_field: salesforce.login.auth_service_id - ignore_missing: true -- rename: - field: json.EvaluationTime - target_field: salesforce.login.evaluation_time - ignore_missing: true -- rename: - field: json.ClientVersion - target_field: salesforce.login.client_version - ignore_missing: true -- rename: - field: json.LoginGeoId - target_field: salesforce.login.login_geo_id - ignore_missing: true -- rename: - field: json.LoginHistoryId - target_field: salesforce.login.login_history_id - ignore_missing: true -- rename: - field: json.CreatedById - target_field: salesforce.login.created_by_id - ignore_missing: true -- rename: - field: json.ApiVersion - target_field: salesforce.login.api_version - ignore_missing: true -- rename: - field: json.RelatedEventIdentifier - target_field: salesforce.login.related_event_identifier - ignore_missing: true -- rename: - field: json.LoginKey - target_field: salesforce.login.login_key - ignore_missing: true -- rename: - field: json.Application - target_field: 
salesforce.login.application - ignore_missing: true -- rename: - field: json.PolicyId - target_field: salesforce.login.policy_id - ignore_missing: true -- rename: - field: json.SessionLevel - target_field: salesforce.login.session_level - ignore_missing: true -- rename: - field: json.replayId - target_field: salesforce.login.replay_id - ignore_missing: true - -####################### -## ECS Event Mapping ## -####################### - -- set: - field: event.outcome - value: success - if: 'ctx?.json?.Status == "Success" && ctx?.json?.Status != null' - ignore_failure: true -- set: - field: event.outcome - value: failure - if: 'ctx?.json?.Status != "Success" && ctx?.json?.Status != null' - ignore_failure: true -- date: - field: json.CreatedDate - target_field: event.created - formats: - - ISO8601 - ignore_failure: true -- rename: - field: json.LoginUrl - target_field: event.url - ignore_missing: true -- set: - field: event.type - value: "info" -- set: - field: event.kind - value: "event" -- set: - field: event.action - value: "login-attempt" -- set: - field: event.category - value: "authentication" -- set: - field: event.dataset - value: "salesforce.login" -- set: - field: event.module - value: "salesforce" - -###################### -## ECS User Mapping ## -###################### - -# As per the following article, the username must be in the format of an email address. 
-# Reference: https://help.salesforce.com/s/articleView?language=en_US&type=5&id=sf.basics_intro_usernames_passwords.htm -- rename: - field: json.Username - target_field: user.email - ignore_missing: true -- rename: - field: json.UserId - target_field: user.id - ignore_missing: true -- rename: - field: json.UserType - target_field: user.roles - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## - -- rename: - field: json.SourceIp - target_field: source.ip - ignore_missing: true - -############################ -## ECS Related.ip Mapping ## -############################ - -- append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - allow_duplicates: false - ignore_failure: true - -############################ -## ECS Source.Geo Mapping ## -############################ - -- rename: - field: json.LoginLatitude - target_field: source.geo.location.lat - ignore_missing: true -- rename: - field: json.LoginLongitude - target_field: source.geo.location.lon - ignore_missing: true -- rename: - field: json.CountryIso - target_field: source.geo.country_iso_code - ignore_missing: true -- rename: - field: json.PostalCode - target_field: source.geo.postal_code - ignore_missing: true -- rename: - field: json.City - target_field: source.geo.city_name - ignore_missing: true -- rename: - field: json.Subdivision - target_field: source.geo.region_name - ignore_missing: true -- rename: - field: json.Country - target_field: source.geo.country_name - ignore_missing: true - -############################ -## ECS User Agent Mapping ## -############################ - -- rename: - field: json.Browser - target_field: user_agent.name - ignore_missing: true -- rename: - field: json.Platform - target_field: user_agent.os.platform - ignore_missing: true - -###################### -## ECS HTTP Mapping ## -###################### - -- rename: - field: json.HttpMethod - target_field: http.request.method - ignore_missing: true 
-- rename: - field: json.AdditionalInfo - target_field: http.request.body.content - ignore_missing: true - -##################### -## ECS TLS Mapping ## -##################### - -- rename: - field: json.CipherSuite - target_field: tls.cipher - ignore_missing: true -- dissect: - pattern: "%{tls.version_protocol} %{tls.version}" - field: "json.TlsProtocol" - ignore_failure: true - -############# -## Cleanup ## -############# - -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/login-stream/manifest.yml b/x-pack/filebeat/module/salesforce/login-stream/manifest.yml deleted file mode 100644 index 92411aa750e..00000000000 --- a/x-pack/filebeat/module/salesforce/login-stream/manifest.yml +++ /dev/null @@ -1,16 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: cometd - - name: tags - default: [salesforce-login-stream, forwarded] - - name: client_id - - name: client_secret - - name: token_url - - name: user - - name: password - -ingest_pipeline: - - ingest/pipeline.yml -input: config/login-stream.yml diff --git a/x-pack/filebeat/module/salesforce/login/_meta/fields.yml b/x-pack/filebeat/module/salesforce/login/_meta/fields.yml new file mode 100644 index 00000000000..dda4f422037 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login/_meta/fields.yml 
@@ -0,0 +1,102 @@ +- name: salesforce.login + type: group + release: beta + description: > + Fileset for ingesting Salesforce Login (REST) logs. + fields: + - name: document_id + type: keyword + description: Unique Id. + - name: application + type: keyword + description: The application used to access the organization. + - name: api + type: group + fields: + - name: type + type: keyword + description: The type of Salesforce API request. + - name: version + type: keyword + description: The version of the Salesforce API that's being used. + - name: auth + type: group + fields: + - name: service_id + type: keyword + description: The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. + - name: method_reference + type: keyword + description: The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later. + - name: session + type: group + fields: + - name: level + type: text + description: Session-level security controls user access to features that support it, such as connected apps and reporting. This field is available in API version 42.0 and later. + - name: key + type: keyword + description: The user's unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For LoginEvent, this field is often null because the event is captured before a session is created. For example, vMASKIU6AxEr+Op5. This field is available in API version 46.0 and later. + - name: key + type: keyword + overwrite: true + description: The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. + - name: history_id + type: keyword + description: Tracks a user session so you can correlate user activity with a particular login instance. 
This field is also available on the LoginHistory, AuthSession, and other objects, making it easier to trace events back to a user's original authentication. + - name: type + type: keyword + description: The type of login used to access the session. + - name: geo_id + type: keyword + description: The Salesforce ID of the LoginGeo object associated with the login user's IP address. + - name: additional_info + type: text + description: JSON serialization of additional information that's captured from the HTTP headers during a login request. + - name: client_version + type: keyword + description: The version number of the login client. If no version number is available, “Unknown” is returned. + - name: client_ip + type: keyword + description: The IP address of the client that's using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. + - name: cpu_time + type: long + description: The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. + metric_type: gauge + unit: ms + - name: db_time_total + type: double + description: The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB's CPU time. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code. + metric_type: gauge + unit: ms + - name: event_type + type: keyword + description: The type of event. The value is always Login. + - name: organization_id + type: keyword + description: The 15-character ID of the organization. + - name: request_id + type: keyword + description: The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. 
+ - name: request_status + type: keyword + description: The status of the request for a page view or user interface action. + - name: run_time + type: long + description: The amount of time that the request took in milliseconds. + metric_type: gauge + unit: ms + - name: user_id + type: keyword + description: The 15-character ID of the user who's using Salesforce services through the UI or the API. + - name: uri_id_derived + type: keyword + description: The 18-character case insensitive ID of the URI of the page that's receiving the request. + - name: evaluation_time + type: float + description: The amount of time it took to evaluate the transaction security policy, in milliseconds. + metric_type: gauge + unit: ms + - name: login_type + type: keyword + description: The type of login used to access the session. diff --git a/x-pack/filebeat/module/salesforce/login/config/login.yml b/x-pack/filebeat/module/salesforce/login/config/login.yml new file mode 100644 index 00000000000..8bdd5df6e0f --- /dev/null +++ b/x-pack/filebeat/module/salesforce/login/config/login.yml 
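Review bot: `db_time_total` is described as a time in nanoseconds but declared with `unit: ms`, so one of the two is wrong and anyone comparing it with `cpu_time` (milliseconds) will misread it by orders of magnitude; either correct the description or declare `unit: nanos`. The description of `auth.service_id` repeats the text of `auth.method_reference`; the removed login-stream definition had `The 18-character ID for an authentication service for a login event.`, which fits this field. `session.level` is mapped as `text`, which does not support aggregations or exact-match filters, while the removed definition listed its values as HIGH_ASSURANCE, LOW and STANDARD, so `type: keyword` is the safer mapping. The name `key` also appears twice in a row (the second with `overwrite: true`); the indentation is not recoverable on this page, so confirm the two entries do not land in the same group.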
@@ -0,0 +1,71 @@
+{{ if eq .input "salesforce" }}
+
+id: login
+type: salesforce
+enabled: true
+{{ if .api_version }}
+version: {{ .api_version }}
+{{ end }}
+auth.oauth2: {{ .authentication | tojson }}
+url: {{ .url }}
+event_monitoring_method:
+ event_log_file:
+ enabled: {{ if .event_log_file }}true{{ else }}false{{ end }}
+ interval: {{ .elf_interval }}
+ query:
+ default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{ if .initial_interval }}LogDate > [[ (formatTime (now.Add (parseDuration "-{{ .initial_interval }}")) "2006-01-02T15:04:05.000Z0700") ]] AND{{ end }} Interval = '{{ .log_file_interval }}' AND EventType = 'Login' ORDER BY LogDate ASC NULLS FIRST
+ value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = '{{ .log_file_interval }}' AND EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC NULLS FIRST
+ cursor:
+ field: "CreatedDate"
+ object:
+ enabled: {{ if .real_time }}true{{ else }}false{{ end }}
+ interval: {{ .real_time_interval }}
+ query:
+ default: SELECT FIELDS(STANDARD) FROM LoginEvent{{ if .initial_interval }} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{ .initial_interval }}")) "2006-01-02T15:04:05.000Z0700") ]]{{ end }}
+ value: SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]]
+ cursor:
+ field: "EventDate"
+
+processors:
+ - add_fields:
+ target: salesforce
+ fields:
+ instance_url: {{ .url }}
+ - add_locale: ~
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+processors:
+ - add_fields:
+ target: salesforce
+ fields:
+ instance_url: {{ .url }}
+ - decode_json_fields:
+ fields: ["message"]
+ target: "json"
+ - script:
+ lang: javascript
+ source: >
+ function process(event) {
+ if (event.Get("json.EVENT_TYPE") == "Login") {
+ event.Put("event.provider", "EventLogFile");
+ } else {
+ event.Put("event.provider", "Object");
+ }
+ }
+ - drop_fields:
+ fields: json
+ ignore_missing: true
+ - add_locale: ~
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/salesforce/login/ingest/default.yml b/x-pack/filebeat/module/salesforce/login/ingest/default.yml
new file mode 100644
index 00000000000..e9bb56124fc
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login/ingest/default.yml
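Review bot: In login/config/login.yml the templated `url` is written into the rendered YAML unquoted in three places (`url: {{ .url }}` and both `instance_url: {{ .url }}` lines), while `tags` and `auth.oauth2` in the same file already go through `tojson`. An empty or unusual value would then change the parsed type or structure instead of staying a string; the manifest gives `url` no default. I would emit `url: {{ .url | tojson }}` and `instance_url: {{ .url | tojson }}`. Separately, `{{ .log_file_interval }}` and `{{ .initial_interval }}` are spliced straight into the SOQL text (the former between single quotes) with no validation, so a comment above the `query:` keys stating the accepted values would help whoever configures the module.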
@@ -0,0 +1,123 @@
+---
+description: Pipeline for parsing Salesforce Login logs.
+processors:
+ - json:
+ field: message
+ target_field: json
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse JSON: {{{_ingest.on_failure_message}}}"
+ - set:
+ field: event.original
+ copy_from: message
+ ignore_empty_value: true
+ ignore_failure: true
+ if: "ctx.event?.original == null"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "8.11.0"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: salesforce.login.document_id
+ copy_from: _id
+ ignore_empty_value: true
+
+ - pipeline:
+ name: '{< IngestPipeline "object" >}'
+ if: ctx.event?.provider == "Object"
+ - pipeline:
+ name: '{< IngestPipeline "eventlogfile" >}'
+ if: ctx.event?.provider == "EventLogFile"
+
+ - set:
+ field: event.type
+ value: ["info"]
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.kind
+ value: "event"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.action
+ value: "login-attempt"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.category
+ value: ["authentication"]
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.dataset
+ value: "salesforce.login"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.module
+ value: "salesforce"
+ ignore_failure: true
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{{source.ip}}}"
+ allow_duplicates: false
+ ignore_failure: true
+ if: ctx.source?.ip != null
+ - append:
+ field: related.ip
+ value: "{{{salesforce.login.client_ip}}}"
+ allow_duplicates: false
+ ignore_failure: true
+ if: ctx.salesforce?.login?.client_ip != null && ctx.salesforce.login.client_ip != "Salesforce.com IP"
+
+ #############
+ ## Cleanup ##
+ #############
+
+ # Drop empty fields
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return ((Map) object).isEmpty();
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return ((List) object).isEmpty();
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field:
+ - json
+ - message
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !ctx.tags.contains('preserve_original_event')"
+ ignore_failure: true
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - set:
+ field: error.type
+ value: "{{{_ingest.on_failure_processor_type}}}"
diff --git a/x-pack/filebeat/module/salesforce/login/ingest/eventlogfile.yml b/x-pack/filebeat/module/salesforce/login/ingest/eventlogfile.yml
new file mode 100644
index 00000000000..3ef578125b9
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login/ingest/eventlogfile.yml
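Review bot: In login/ingest/default.yml the unconditional `set` of `event.kind` to `"event"` runs after the two `pipeline` processors, so a `pipeline_error` written by the `on_failure` block of eventlogfile.yml or object.yml appears to be overwritten again, since the `set` processor replaces existing values by default. A login record that failed parsing would then look like a normal authentication event apart from `error.message`. Adding `if: ctx.event?.kind != "pipeline_error"` to that `set` keeps the failure marker. The per-processor `on_failure` handlers in this file only append to `error.message`, so a short comment naming `error.message` as the field to check for degraded records would help detection authors.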
@@ -0,0 +1,221 @@
+description: Pipeline for parsing Salesforce Login (EventLogFile) logs.
+processors:
+ - date:
+ field: json.TIMESTAMP_DERIVED
+ target_field: "@timestamp"
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Failed to parse TIMESTAMP_DERIVED field:
+ {{{_ingest.on_failure_message}}}
+ - rename:
+ field: json.API_TYPE
+ target_field: salesforce.login.api.type
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set api type value from api type character.
+ lang: painless
+ params:
+ api_type_map:
+ D: Apex Class
+ E: SOAP Enterprise
+ I: SOAP Cross Instance
+ M: SOAP Metadata
+ O: Old SOAP
+ P: SOAP Partner
+ S: SOAP Apex
+ T: SOAP Tooling
+ X: XmlRPC
+ f: Feed
+ l: Live Agent
+ p: SOAP ClientSync
+ source: >
+ ctx.salesforce.login.api.type =
+ params.api_type_map.getOrDefault(ctx.salesforce?.login?.api?.type,
+ ctx.salesforce.login.api.type);
+ on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Failed to set salesforce.login.api.type:
+ {{{_ingest.on_failure_message}}}
+ - rename:
+ field: json.AUTHENTICATION_METHOD_REFERENCE
+ target_field: salesforce.login.auth.service_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.REQUEST_STATUS
+ target_field: salesforce.login.request_status
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set request status value from request status character.
+ lang: painless
+ params:
+ request_status_map:
+ S: Success
+ F: Failure
+ U: Undefined
+ A: Authorization Error
+ R: Redirect
+ "N": Not Found
+ source: >
+ ctx.salesforce.login.request_status =
+ params.request_status_map.getOrDefault(ctx.salesforce?.login?.request_status,
+ ctx.salesforce.login.request_status);
+ on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Failed to set salesforce.login.request_status:
+ {{{_ingest.on_failure_message}}}
+ - rename:
+ field: json.API_VERSION
+ target_field: salesforce.login.api.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.USER_ID
+ target_field: salesforce.login.user_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LOGIN_KEY
+ target_field: salesforce.login.key
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.EVENT_TYPE
+ target_field: salesforce.login.event_type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.REQUEST_ID
+ target_field: salesforce.login.request_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.ORGANIZATION_ID
+ target_field: salesforce.login.organization_id
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.RUN_TIME
+ type: long
+ target_field: salesforce.login.run_time
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.CPU_TIME
+ type: long
+ target_field: salesforce.login.cpu_time
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.DB_TOTAL_TIME
+ type: long
+ target_field: salesforce.login.db_time_total
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: >-
+ Convert db_time.total field from nanos (nanoseconds) to ms
+ (milliseconds).
+ lang: painless
+ source: |
+ if (ctx.salesforce?.login?.db_time?.total != null) {
+ ctx.salesforce.login.db_time_total = ctx.salesforce.login.db_time_total / 1000000;
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Failed to set salesforce.login.db_time_total:
+ {{{_ingest.on_failure_message}}}
+ - rename:
+ field: json.CLIENT_IP
+ target_field: salesforce.login.client_ip
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.URI_ID_DERIVED
+ target_field: salesforce.login.uri_derived_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.URI
+ target_field: event.url
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: event.outcome
+ value: success
+ if: >-
+ ctx.json?.LOGIN_STATUS == "LOGIN_NO_ERROR" && ctx.json?.LOGIN_STATUS !=
+ null
+ ignore_empty_value: true
+ - set:
+ field: event.outcome
+ value: failure
+ if: >-
+ ctx.json?.LOGIN_STATUS != "LOGIN_NO_ERROR" && ctx.json?.LOGIN_STATUS !=
+ null
+ ignore_empty_value: true
+ - rename:
+ field: json.USER_NAME
+ target_field: user.email
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.USER_ID_DERIVED
+ target_field: user.id
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ value:
+ - "{{{json.USER_TYPE}}}"
+ field: user.roles
+ ignore_empty_value: true
+ ignore_failure: true
+ - remove:
+ field: json.USER_TYPE
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.SOURCE_IP
+ target_field: source.ip
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.SOURCE_IP != "Salesforce.com IP"
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.BROWSER_TYPE
+ target_field: user_agent.name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.CIPHER_SUITE
+ target_field: tls.cipher
+ ignore_missing: true
+ ignore_failure: true
+ - dissect:
+ pattern: "%{tls.version_protocol}v%{tls.version}"
+ field: json.TLS_PROTOCOL
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/x-pack/filebeat/module/salesforce/login/ingest/object.yml b/x-pack/filebeat/module/salesforce/login/ingest/object.yml
new file mode 100644
index 00000000000..f9d1ef745df
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login/ingest/object.yml
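Review bot: In login/ingest/eventlogfile.yml the nanosecond-to-millisecond script never performs its conversion: it tests `ctx.salesforce?.login?.db_time?.total`, but the preceding `convert` writes `salesforce.login.db_time_total`, so the condition is always false. The expected-output file renamed in this commit still carries `"salesforce.login.db_time_total": 37142518`, while the login fields.yml declares the field with `unit: ms`. The guard should read `if (ctx.salesforce?.login?.db_time_total != null) {`. Separately, `json.URI_ID_DERIVED` is renamed to `salesforce.login.uri_derived_id`, whereas fields.yml defines `uri_id_derived`, so that value lands in an undeclared field.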
@@ -0,0 +1,235 @@
+---
+description: Pipeline for parsing Salesforce Login (Object) logs.
+processors:
+ - date:
+ field: json.EventDate
+ target_field: "@timestamp"
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse EventDate field: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.AuthServiceId
+ target_field: salesforce.login.auth.service_id
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.EvaluationTime
+ type: double
+ target_field: salesforce.login.evaluation_time
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.ClientVersion
+ target_field: salesforce.login.client_version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LoginGeoId
+ target_field: salesforce.login.geo_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LoginHistoryId
+ target_field: salesforce.login.history_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.ApiType
+ target_field: salesforce.login.api.type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.AuthMethodReference
+ target_field: salesforce.login.auth.method_reference
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LoginType
+ target_field: salesforce.login.type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.PolicyOutcome
+ target_field: salesforce.login.policy_outcome
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.ApiVersion
+ target_field: salesforce.login.api.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.EventIdentifier
+ target_field: event.id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.RelatedEventIdentifier
+ target_field: salesforce.login.related_event_identifier
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LoginKey
+ target_field: salesforce.login.key
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.Application
+ target_field: salesforce.login.application
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.PolicyId
+ target_field: salesforce.login.policy_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.SessionLevel
+ target_field: salesforce.login.session.level
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.SessionKey
+ target_field: salesforce.login.session.key
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: event.outcome
+ value: success
+ if: 'ctx.json?.Status == "Success"'
+ ignore_empty_value: true
+ ignore_failure: true
+ - set:
+ field: event.outcome
+ value: failure
+ if: 'ctx.json?.Status != "Success" && ctx.json?.Status != null'
+ ignore_empty_value: true
+ ignore_failure: true
+ - date:
+ field: json.CreatedDate
+ target_field: event.created
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse CreatedDate field: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.LoginUrl
+ target_field: event.url
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.Username
+ target_field: user.email
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.UserId
+ target_field: user.id
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: user.roles
+ value: "{{{json.UserType}}}"
+ if: ctx.json?.UserType != null
+ ignore_empty_value: true
+ ignore_failure: true
+ - remove:
+ field: json.UserType
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.SourceIp
+ target_field: source.ip
+ type: ip
+ ignore_failure: true
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to convert SourceIp to IP: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.LoginLatitude
+ target_field: source.geo.location.lat
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LoginLongitude
+ target_field: source.geo.location.lon
+ ignore_missing: true
+ ignore_failure: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ ignore_failure: true
+ if: '!ctx.source?.geo?.location?.containsKey("lat") && !ctx.source?.geo?.location?.containsKey("lon")'
+ - rename:
+ field: json.CountryIso
+ target_field: source.geo.country_iso_code
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.PostalCode
+ target_field: source.geo.postal_code
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.City
+ target_field: source.geo.city_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.Subdivision
+ target_field: source.geo.region_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.Country
+ target_field: source.geo.country_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.Browser
+ target_field: user_agent.name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.Platform
+ target_field: user_agent.os.platform
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.HttpMethod
+ target_field: http.request.method
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.AdditionalInfo
+ target_field: salesforce.login.additional_info
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.CipherSuite
+ target_field: tls.cipher
+ ignore_missing: true
+ ignore_failure: true
+ - dissect:
+ field: json.TlsProtocol
+ pattern: "%{tls.version_protocol} %{tls.version}"
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to dissect TlsProtocol: {{{_ingest.on_failure_message}}}"
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
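Review bot: In login/ingest/object.yml the `convert` for `json.SourceIp` sets both `ignore_failure: true` and an `on_failure` handler; as far as I know Elasticsearch skips the handler when `ignore_failure` is true, so a value that is not a valid IP would leave the login event without `source.ip` and without any `error.message`. For an authentication data source that makes malformed or missing addresses invisible to anyone querying on `source.ip` or `related.ip`. I would replace `ignore_failure: true` with `ignore_missing: true` on that processor, so absent fields are tolerated but conversion failures are recorded. The eventlogfile.yml pipeline in this commit instead renames `json.SOURCE_IP` into `source.ip` with no IP validation; using `convert` with `type: ip` there as well would make the two pipelines consistent.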
diff --git a/x-pack/filebeat/module/salesforce/login/manifest.yml b/x-pack/filebeat/module/salesforce/login/manifest.yml
new file mode 100644
index 00000000000..46a625b308e
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/login/manifest.yml
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: salesforce
+ - name: tags
+ default: [salesforce-login, forwarded]
+ - name: api_version
+ - name: authentication
+ - name: url
+ - name: event_log_file
+ - name: elf_interval
+ default: 1h
+ - name: real_time
+ - name: real_time_interval
+ default: 5m
+ - name: initial_interval
+ - name: log_file_interval
+ default: Hourly
+
+ingest_pipeline:
+ - ingest/default.yml
+ - ingest/eventlogfile.yml
+ - ingest/object.yml
+input: config/login.yml
diff --git a/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log b/x-pack/filebeat/module/salesforce/login/test/salesforce_login_elf.ndjson.log
similarity index 100%
rename from x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log
rename to x-pack/filebeat/module/salesforce/login/test/salesforce_login_elf.ndjson.log
diff --git a/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/login/test/salesforce_login_elf.ndjson.log-expected.json
similarity index 67%
rename from x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log-expected.json
rename to x-pack/filebeat/module/salesforce/login/test/salesforce_login_elf.ndjson.log-expected.json
index e056e6693e7..3327267833a 100644
--- a/x-pack/filebeat/module/salesforce/login-rest/test/salesforce_login.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/salesforce/login/test/salesforce_login_elf.ndjson.log-expected.json
@@ -2,43 +2,50 @@ { "@timestamp": "2021-10-19T04:42:04.256Z", "event.action": "login-attempt", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "salesforce.login", "event.kind": "event", "event.module": "salesforce", "event.outcome": "success", + "event.provider": "EventLogFile", "event.timezone": "-02:00", - "event.type": "info", + "event.type": [ + "info" + ], "event.url": "/index.jsp", - "fileset.name": "login-rest", + "fileset.name": "login", "input.type": "log", "log.offset": 0, "related.ip": [ "43.224.11.237" ], - "salesforce.access_mode": "rest", - "salesforce.login.api_version": 9998, + "salesforce.instance_url": "", + "salesforce.login.api.version": 9998, "salesforce.login.client_ip": "43.224.11.237", "salesforce.login.cpu_time": 54, - "salesforce.login.db_total_time": 37142518, + "salesforce.login.db_time_total": 37142518, "salesforce.login.event_type": "Login", - "salesforce.login.login_key": "iQzw40l45YkJUNKj", + "salesforce.login.key": "iQzw40l45YkJUNKj", "salesforce.login.organization_id": "00D5j000000VI3n", "salesforce.login.request_id": "4exJslfc21z80-l1cJOnxV", "salesforce.login.run_time": 94, - "salesforce.login.user_id_derived": "0055j000000utlPAAQ", + "salesforce.login.user_id": "0055j000000utlP", "service.type": "salesforce", "source.ip": "43.224.11.237", "tags": [ "forwarded", - "salesforce-login-rest" + "salesforce-login" ], "tls.cipher": "ECDHE-RSA-AES256-GCM-SHA384", "tls.version": "1.2", "tls.version_protocol": "TLS", "user.email": "kush.rana@elastic.co", - "user.id": "0055j000000utlP", - "user.roles": "Standard", + "user.id": "0055j000000utlPAAQ", + "user.roles": [ + "Standard" + ], "user_agent.name": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log b/x-pack/filebeat/module/salesforce/login/test/salesforce_login_object.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log rename to x-pack/filebeat/module/salesforce/login/test/salesforce_login_object.ndjson.log diff --git a/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/login/test/salesforce_login_object.ndjson.log-expected.json similarity index 63% rename from x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/login/test/salesforce_login_object.ndjson.log-expected.json index 564108c2357..ca49c41c757 100644 --- a/x-pack/filebeat/module/salesforce/login-stream/test/salesforce_login.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/login/test/salesforce_login_object.ndjson.log-expected.json 
@@ -2,34 +2,39 @@ { "@timestamp": "2021-10-19T11:47:22.000Z", "event.action": "login-attempt", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "salesforce.login", + "event.id": "06af6d92-1167-467d-a826-ee8583f7134d", "event.kind": "event", "event.module": "salesforce", "event.outcome": "success", + "event.provider": "Object", "event.timezone": "-02:00", - "event.type": "info", + "event.type": [ + "info" + ], "event.url": "login.salesforce.com", - "fileset.name": "login-stream", - "http.request.body.content": "{}", + "fileset.name": "login", "http.request.method": "POST", "input.type": "log", "log.offset": 0, "related.ip": [ "123.201.231.106" ], - "salesforce.access_mode": "stream", - "salesforce.login.api_type": "N/A", - "salesforce.login.api_version": "N/A", + "salesforce.instance_url": "", + "salesforce.login.additional_info": "{}", + "salesforce.login.api.type": "N/A", + "salesforce.login.api.version": "N/A", "salesforce.login.application": "elastic integration", "salesforce.login.client_version": "N/A", - "salesforce.login.created_by_id": "0055j000000q9s7AAA", - "salesforce.login.evaluation_time": 0, - "salesforce.login.login_geo_id": "04F5j00000FadrI", - "salesforce.login.login_history_id": "0Ya5j00000GLxCdCAL", - "salesforce.login.login_key": "o3vhFaSRBb0OzpCl", - "salesforce.login.login_type": "Remote Access 2.0", - "salesforce.login.session_level": "STANDARD", + "salesforce.login.evaluation_time": 0.0, + "salesforce.login.geo_id": "04F5j00000FadrI", + "salesforce.login.history_id": "0Ya5j00000GLxCdCAL", + "salesforce.login.key": "o3vhFaSRBb0OzpCl", + "salesforce.login.session.level": "STANDARD", + "salesforce.login.type": "Remote Access 2.0", "service.type": "salesforce", "source.geo.city_name": "Surat", "source.geo.country_iso_code": "IN", 
@@ -41,7 +46,7 @@ "source.ip": "123.201.231.106", "tags": [ "forwarded", - "salesforce-login-stream" + "salesforce-login" ], "tls.cipher": "ECDHE-RSA-AES256-GCM-SHA384", "tls.version": "1.2", diff --git a/x-pack/filebeat/module/salesforce/logout-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/logout-rest/_meta/fields.yml deleted file mode 100644 index 7ec7dcfc683..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-rest/_meta/fields.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -- name: salesforce.logout - type: group - release: beta - description: > - Fileset for parsing Salesforce Logout (REST) logs. - fields: - - name: session_level - type: keyword - description: > - Indicates the session-level security of the session that the user is logging out of for this event. Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD - - name: login_key - type: keyword - description: > - The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. - - name: api_type - type: keyword - description: > - The type of API request. - - name: api_version - type: keyword - description: > - The version of the API that’s being used. - - name: app_type - type: keyword - description: > - The application type that was in use upon logging out. - - name: browser_type - type: keyword - description: > - The identifier string returned by the browser used at login. - - name: client_version - type: keyword - description: > - The version of the client that was in use upon logging out. - - name: event_type - type: keyword - description: > - The type of event. The value is always Logout. - - name: organization_by_id - type: keyword - description: > - The 15-character ID of the organization. - - name: platform_type - type: keyword - description: > - The code for the client platform. If a timeout caused the logout, this field is null. - - name: resolution_type - type: keyword - description: > - The screen resolution of the client. If a timeout caused the logout, this field is null. - - name: session_type - type: keyword - description: > - The session type that was used when logging out. - - name: user_id_derived - type: keyword - description: > - The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API. 
- - name: user_initiated_logout - type: keyword - description: > - The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0. \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/logout-rest/config/logout-rest.yml b/x-pack/filebeat/module/salesforce/logout-rest/config/logout-rest.yml deleted file mode 100644 index 29e8d8b1a79..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-rest/config/logout-rest.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -{{ if eq .input "httpjson" }} - -type: httpjson -interval: {{ .interval }} -request.method: GET -auth.oauth2: - {{ if .client_id }} - client.id: {{ .client_id }} - {{ end }} - {{ if .client_secret }} - client.secret: {{ .client_secret }} - {{ end }} - {{ if .token_url }} - token_url: {{ .token_url }} - {{ end }} - {{ if .user }} - user: {{ .user }} - {{ end }} - {{ if .password }} - password: {{ .password }} - {{ end }} -# Query params will be overwritten by request.transforms from start of the input and -# it is to indicate that this url is for Logout type of events as cursor stores the url as source. -# Each filebeat input cursor source needs to be uniquely identified with a name. -request.url: {{ .url }}/services/data/v52.0/query?q=logout+rest -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} -request.transforms: - - set: - target: url.params.q - value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' AND LogDate > [[.cursor.last_published_logout]] ORDER BY LogDate ASC NULLS FIRST" - default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST" -response.pagination: - - set: - target: url.value - value: '[[if (ne .last_response.body.done true)]]{{ .url }}[[.last_response.body.nextRecordsUrl]][[end]]' - fail_on_template_error: true -chain: - - step: - request.url: {{ .url }}/services/data/v52.0/sobjects/EventLogFile/$.records[:].Id/LogFile - request.method: GET - replace: $.records[:].Id -cursor: - last_published_logout: - value: '[[(formatDate ((parseDate .last_event.TIMESTAMP_DERIVED "RFC3339").Add (parseDuration "-1h")))]]' - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: 
- - decode_json_fields: - fields: [message] - target: "json" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/logout-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/logout-rest/ingest/pipeline.yml deleted file mode 100644 index 8222f65372a..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-rest/ingest/pipeline.yml +++ /dev/null 
@@ -1,180 +0,0 @@ ---- -description: Pipeline for parsing Salesforce Logout (REST) logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- remove: - field: - - message - ignore_missing: true - -- set: - field: salesforce.access_mode - value: rest - ignore_failure: true - -- date: - field: json.TIMESTAMP_DERIVED - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true - -- rename: - field: json.SESSION_TYPE - target_field: salesforce.logout.session_type - ignore_missing: true -- rename: - field: json.EVENT_TYPE - target_field: salesforce.logout.event_type - ignore_missing: true -- rename: - field: json.SESSION_LEVEL - target_field: salesforce.logout.session_level - ignore_missing: true -- rename: - field: json.BROWSER_TYPE - target_field: salesforce.logout.browser_type - ignore_missing: true -- rename: - field: json.PLATFORM_TYPE - target_field: salesforce.logout.platform_type - ignore_missing: true -- rename: - field: json.RESOLUTION_TYPE - target_field: salesforce.logout.resolution_type - ignore_missing: true -- rename: - field: json.APP_TYPE - target_field: salesforce.logout.app_type - ignore_missing: true -- rename: - field: json.CLIENT_VERSION - target_field: salesforce.logout.client_version - ignore_missing: true -- rename: - field: json.API_TYPE - target_field: salesforce.logout.api_type - ignore_missing: true -- rename: - field: json.API_VERSION - target_field: salesforce.logout.api_version - ignore_missing: true -- rename: - field: json.USER_INITIATED_LOGOUT - target_field: salesforce.logout.user_initiated_logout - ignore_missing: true -- rename: - field: json.LOGIN_KEY - target_field: salesforce.logout.login_key - ignore_missing: true -- rename: - field: json.USER_ID_DERIVED - target_field: salesforce.logout.user_id_derived - ignore_missing: true -- rename: - field: json.ORGANIZATION_ID - target_field: salesforce.logout.organization_by_id - ignore_missing: true - -####################### -## ECS Event Mapping 
## -####################### - -- set: - field: event.type - value: "info" -- set: - field: event.kind - value: "event" -- set: - field: event.action - value: "logout" -- set: - field: event.category - value: "authentication" -- set: - field: event.dataset - value: "salesforce.logout" -- set: - field: event.module - value: "salesforce" -- rename: - field: json.REQUEST_ID - target_field: event.code - ignore_missing: true - -###################### -## ECS User Mapping ## -###################### - -- rename: - field: json.USER_TYPE - target_field: user.roles - ignore_missing: true -- rename: - field: json.USER_ID - target_field: user.id - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## - -# A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP” -- rename: - field: json.CLIENT_IP - target_field: source.ip - ignore_missing: true - if: 'ctx?.json?.CLIENT_IP != "Salesforce.com IP" && ctx?.json?.CLIENT_IP != ""' - -############################ -## ECS Source.Geo Mapping ## -############################ - -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - -############################ -## ECS Related.ip Mapping ## -############################ - -- append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - allow_duplicates: false - ignore_failure: true - -############# -## Cleanup ## -############# - -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - 
dropEmptyFields(ctx); -- remove: - field: - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/logout-rest/manifest.yml b/x-pack/filebeat/module/salesforce/logout-rest/manifest.yml deleted file mode 100644 index 775f5094a3d..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-rest/manifest.yml +++ /dev/null @@ -1,19 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: interval - default: 1h - - name: tags - default: [salesforce-logout-rest, forwarded] - - name: proxy_url - - name: client_id - - name: client_secret - - name: token_url - - name: user - - name: password - - name: url - -ingest_pipeline: ingest/pipeline.yml -input: config/logout-rest.yml diff --git a/x-pack/filebeat/module/salesforce/logout-stream/_meta/fields.yml b/x-pack/filebeat/module/salesforce/logout-stream/_meta/fields.yml deleted file mode 100644 index fe1ade9745d..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-stream/_meta/fields.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -- name: salesforce.logout - type: group - release: beta - description: > - Fileset for parsing Salesforce Logout (Streaming) logs. - fields: - - name: created_by_id - type: keyword - description: > - Unavailable - - name: related_event_identifier - type: keyword - description: > - This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank. - - name: replay_id - type: keyword - description: > - Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window. - - name: schema - type: keyword - description: > - Unavailable \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/logout-stream/config/logout-stream.yml b/x-pack/filebeat/module/salesforce/logout-stream/config/logout-stream.yml deleted file mode 100644 index d717f9bf4cb..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-stream/config/logout-stream.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{ if eq .input "cometd" }} - -type: cometd -channel_name: /event/LogoutEventStream -auth.oauth2: - {{ if .client_id }} - client.id: {{ .client_id }} - {{ end }} - {{ if .client_secret }} - client.secret: {{ .client_secret }} - {{ end }} - {{ if .token_url }} - token_url: {{ .token_url }} - {{ end }} - {{ if .user }} - user: {{ .user }} - {{ end }} - {{ if .password }} - password: {{ .password }} - {{ end }} - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - decode_json_fields: - fields: [message] - target: "json" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/logout-stream/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/logout-stream/ingest/pipeline.yml deleted file mode 100644 index 3bc74b68e21..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-stream/ingest/pipeline.yml +++ /dev/null 
@@ -1,147 +0,0 @@ ---- -description: Pipeline for parsing Salesforce Logout (Streaming) logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- remove: - field: - - message - ignore_missing: true - -- set: - field: salesforce.access_mode - value: stream - ignore_failure: true - -- date: - field: json.EventDate - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true - -- rename: - field: json.schema - target_field: salesforce.logout.schema - ignore_missing: true -- rename: - field: json.CreatedById - target_field: salesforce.logout.created_by_id - ignore_missing: true -- rename: - field: json.RelatedEventIdentifier - target_field: salesforce.logout.related_event_identifier - ignore_missing: true -- rename: - field: json.LoginKey - target_field: salesforce.logout.login_key - ignore_missing: true -- rename: - field: json.SessionLevel - target_field: salesforce.logout.session_level - ignore_missing: true -- rename: - field: json.replayId - target_field: salesforce.logout.replay_id - ignore_missing: true - -####################### -## ECS Event Mapping ## -####################### - -- date: - field: json.CreatedDate - target_field: event.created - formats: ["yyyy-MM-ddTHH:mm:ssZ"] - ignore_failure: true -- set: - field: event.type - value: "info" -- set: - field: event.kind - value: "event" -- set: - field: event.action - value: "logout" -- set: - field: event.category - value: "authentication" -- set: - field: event.dataset - value: "salesforce.logout" -- set: - field: event.module - value: "salesforce" - -###################### -## ECS User Mapping ## -###################### - -- rename: - field: json.Username - target_field: user.email - ignore_missing: true -- rename: - field: json.UserId - target_field: user.id - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## - -- rename: - field: json.SourceIp - target_field: source.ip - ignore_missing: true - 
-############################ -## ECS Source.Geo Mapping ## -############################ - -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - -############################ -## ECS Related.ip Mapping ## -############################ - -- append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - allow_duplicates: false - ignore_failure: true - -############# -## Cleanup ## -############# - -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/logout-stream/manifest.yml b/x-pack/filebeat/module/salesforce/logout-stream/manifest.yml deleted file mode 100644 index b8ffb130f56..00000000000 --- a/x-pack/filebeat/module/salesforce/logout-stream/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: cometd - - name: tags - default: [salesforce-logout-stream, forwarded] - - name: client_id - - name: client_secret - - name: token_url - - name: user - - name: password - -ingest_pipeline: ingest/pipeline.yml -input: config/logout-stream.yml diff --git a/x-pack/filebeat/module/salesforce/logout/_meta/fields.yml b/x-pack/filebeat/module/salesforce/logout/_meta/fields.yml new file mode 100644 index 00000000000..9da3677f8c3 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/logout/_meta/fields.yml 
@@ -0,0 +1,92 @@
+- name: salesforce.logout
+ type: group
+ release: beta
+ description: >
+ Fileset for parsing Salesforce Logout (REST) logs.
+ fields:
+ - name: document_id
+ type: keyword
+ description: >
+ Unique Id.
+ - name: session
+ type: group
+ fields:
+ - name: key
+ type: keyword
+ description: >
+ The user's unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started.
+ - name: level
+ type: text
+ description: >
+ The security level of the session that was used when logging out (e.g. Standard Session or High-Assurance Session).
+ - name: type
+ type: keyword
+ description: >
+ The session type that was used when logging out (e.g. API, Oauth2 or UI).
+ - name: login_key
+ type: keyword
+ description: >
+ The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring.
+ - name: api
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ The type of Salesforce API request.
+ - name: version
+ type: keyword
+ description: >
+ The version of the Salesforce API that's being used.
+ - name: app_type
+ type: keyword
+ description: >
+ The application type that was in use upon logging out.
+ - name: browser_type
+ type: keyword
+ description: >
+ The identifier string returned by the browser used at login.
+ - name: client_version
+ type: keyword
+ description: >
+ The version of the client that was in use upon logging out.
+ - name: event_type
+ type: keyword
+ description: >
+ The type of event. The value is always Logout.
+ - name: organization_by_id
+ type: keyword
+ description: >
+ The 15-character ID of the organization.
+ - name: platform_type
+ type: keyword
+ description: >
+ The code for the client platform. If a timeout caused the logout, this field is null.
+ - name: resolution_type
+ type: keyword
+ description: >
+ The screen resolution of the client. If a timeout caused the logout, this field is null.
+ - name: user_id
+ type: keyword
+ description: >
+ The 15-character ID of the user who's using Salesforce services through the UI or the API.
+ - name: user_id_derived
+ type: keyword
+ description: >
+ The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API.
+ - name: user_initiated_logout
+ type: keyword
+ description: >
+ The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user's session timed out due to inactivity or another implicit logout action, the value is 0.
+ - name: created_by_id
+ type: keyword
+ description: >
+ Unavailable
+ - name: event_identifier
+ type: keyword
+ description: >
+ This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
+ - name: organization_id
+ type: keyword
+ description: >
+ The 15-character ID of the organization.
diff --git a/x-pack/filebeat/module/salesforce/logout/config/logout.yml b/x-pack/filebeat/module/salesforce/logout/config/logout.yml
new file mode 100644
index 00000000000..502fa247fbb
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/logout/config/logout.yml
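Review bot: In logout/_meta/fields.yml the entry `event_identifier` carries the description of RelatedEventIdentifier, while ingest/object.yml in this commit renames `json.RelatedEventIdentifier` to `salesforce.logout.related_event_identifier`, a name this file does not declare. That leaves the populated field without a mapping and a declared field that no visible processor fills, which weakens correlation of the extra-authentication events the description talks about. Declaring `- name: related_event_identifier` with `type: keyword`, and giving `event_identifier` its own description or dropping it, would close the gap. The group description also still says `Logout (REST) logs` although the fileset now covers both collection methods.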
@@ -0,0 +1,71 @@
+{{ if eq .input "salesforce" }}
+
+id: logout
+type: salesforce
+enabled: true
+{{ if .api_version }}
+version: {{ .api_version }}
+{{ end }}
+auth.oauth2: {{ .authentication | tojson }}
+url: {{ .url }}
+event_monitoring_method:
+ event_log_file:
+ enabled: {{ if .event_log_file }}true{{ else }}false{{ end }}
+ interval: {{ .elf_interval }}
+ query:
+ default: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE {{ if .initial_interval }}LogDate > [[ (formatTime (now.Add (parseDuration "-{{ .initial_interval }}")) "2006-01-02T15:04:05.000Z0700") ]] AND{{ end }} Interval = '{{ .log_file_interval }}' AND EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST
+ value: SELECT CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = '{{ .log_file_interval }}' AND EventType = 'Logout' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY LogDate ASC NULLS FIRST
+ cursor:
+ field: "CreatedDate"
+ object:
+ enabled: {{ if .real_time }}true{{ else }}false{{ end }}
+ interval: {{ .real_time_interval }}
+ query:
+ default: SELECT FIELDS(STANDARD) FROM LogoutEvent{{ if .initial_interval }} WHERE EventDate > [[ (formatTime (now.Add (parseDuration "-{{ .initial_interval }}")) "2006-01-02T15:04:05.000Z0700") ]]{{ end }}
+ value: SELECT FIELDS(STANDARD) FROM LogoutEvent WHERE EventDate > [[ .cursor.object.first_event_time ]]
+ cursor:
+ field: "EventDate"
+
+processors:
+ - add_fields:
+ target: salesforce
+ fields:
+ instance_url: {{ .url }}
+ - add_locale: ~
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+processors:
+ - add_fields:
+ target: salesforce
+ fields:
+ instance_url: {{ .url }}
+ - decode_json_fields:
+ fields: ["message"]
+ target: "json"
+ - script:
+ lang: javascript
+ source: >
+ function process(event) {
+ if (event.Get("json.EVENT_TYPE") == "Logout") {
+ event.Put("event.provider", "EventLogFile");
+ } else {
+ event.Put("event.provider", "Object");
+ }
+ }
+ - drop_fields:
+ fields: json
+ ignore_missing: true
+ - add_locale: ~
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/salesforce/logout/ingest/default.yml b/x-pack/filebeat/module/salesforce/logout/ingest/default.yml
new file mode 100644
index 00000000000..90645868363
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/logout/ingest/default.yml
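Review bot: In config/logout.yml the `event_log_file` queries filter and cursor on `CreatedDate` (`field: "CreatedDate"`, `CreatedDate > [[ .cursor.event_log_file.last_event_time ]]`) but sort with `ORDER BY LogDate ASC NULLS FIRST`. If the input takes the cursor from the last row returned, which this file does not show, a sort key that differs from the cursor key can make the next poll re-read or skip log files, and a logout audit trail should do neither. Sorting on the cursor column, `ORDER BY CreatedDate ASC NULLS FIRST`, in both `default` and `value` would make the two agree. The `object` queries have no `ORDER BY` at all, so the same question applies to `first_event_time` and deserves a comment stating the ordering the input relies on.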
@@ -0,0 +1,121 @@
+---
+description: Pipeline for parsing Salesforce Logout logs.
+processors:
+ - json:
+ field: message
+ target_field: json
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse JSON: {{{_ingest.on_failure_message}}}"
+ - set:
+ field: event.original
+ copy_from: message
+ ignore_empty_value: true
+ ignore_failure: true
+ if: "ctx.event?.original == null"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "8.11.0"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: salesforce.login.document_id
+ copy_from: _id
+ ignore_empty_value: true
+
+ - pipeline:
+ name: '{< IngestPipeline "object" >}'
+ if: ctx.event?.provider == "Object"
+ - pipeline:
+ name: '{< IngestPipeline "eventlogfile" >}'
+ if: ctx.event?.provider == "EventLogFile"
+
+ - set:
+ field: event.type
+ value: ["info"]
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.kind
+ value: "event"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.action
+ value: "logout"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.category
+ value: ["authentication"]
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.dataset
+ value: "salesforce.logout"
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: event.module
+ value: "salesforce"
+ ignore_failure: true
+ ignore_empty_value: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{{source.ip}}}"
+ if: ctx?.source?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+
+ #############
+ ## Cleanup ##
+ #############
+
+ # Drop empty fields
+ - script:
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return ((Map) object).isEmpty();
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return ((List) object).isEmpty();
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field:
+ - json
+ - message
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !ctx.tags.contains('preserve_original_event')"
+ ignore_failure: true
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - set:
+ field: error.type
+ value: "{{{_ingest.on_failure_processor_type}}}"
diff --git a/x-pack/filebeat/module/salesforce/logout/ingest/eventlogfile.yml b/x-pack/filebeat/module/salesforce/logout/ingest/eventlogfile.yml
new file mode 100644
index 00000000000..699fa370219
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/logout/ingest/eventlogfile.yml
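Review bot: In ingest/default.yml the `set` processor that copies `_id` writes to `salesforce.login.document_id`, but this is the logout pipeline and fields.yml in the same commit declares `salesforce.logout.document_id`. As written the document ID lands under an undeclared `salesforce.login` namespace on logout events; the line should read `field: salesforce.logout.document_id`. Also, when `event.provider` is neither `Object` nor `EventLogFile` no sub-pipeline runs, yet the event is still stamped `event.kind: event` and `event.action: logout`, so a comment saying where the provider is set and what should happen when it is missing would help.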
@@ -0,0 +1,255 @@
+---
+description: Pipeline for parsing Salesforce Logout (EventLogFile) logs.
+processors:
+ - date:
+ field: json.TIMESTAMP_DERIVED
+ target_field: "@timestamp"
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse TIMESTAMP_DERIVED field: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.SESSION_TYPE
+ target_field: salesforce.logout.session.type
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set session type value from session type character.
+ lang: painless
+ source: |
+ def sessionTypes = [
+ "A": "API",
+ "I": "APIOnlyUser",
+ "N": "ChatterNetworks",
+ "Z": "ChatterNetworksAPIOnly",
+ "C": "Content",
+ "P": "OauthApprovalUI",
+ "O": "Oauth2",
+ "T": "SiteStudio",
+ "R": "SitePreview",
+ "S": "SubstituteUser",
+ "B": "TempContentExchange",
+ "G": "TempOauthAccessTokenFrontdoor",
+ "Y": "TempVisualforceExchange",
+ "F": "TempUIFrontdoor",
+ "U": "UI",
+ "E": "UserSite",
+ "V": "Visualforce",
+ "W": "WDC_API"
+ ];
+ def type = ctx.salesforce?.logout?.session?.type;
+ if (type != null && sessionTypes.containsKey(type)) {
+ ctx.salesforce.logout.session.type = sessionTypes.get(type);
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to set salesforce.logout.session.type: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.EVENT_TYPE
+ target_field: salesforce.logout.event_type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.SESSION_LEVEL
+ target_field: salesforce.logout.session.level
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set session level value from session level integer.
+ lang: painless
+ source: |
+ def levels = ["1": "Standard Session", "2": "High-Assurance Session"];
+ def level = ctx.salesforce?.logout?.session?.level;
+ if (level != null && levels.containsKey(level)) {
+ ctx.salesforce.logout.session.level = levels.get(level);
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to set salesforce.logout.session.level: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.BROWSER_TYPE
+ target_field: salesforce.logout.browser_type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.PLATFORM_TYPE
+ target_field: salesforce.logout.platform_type
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set platform type value from platform type integers.
+ lang: painless
+ params:
+ platforms:
+ "1000": "Windows"
+ "1008": "Windows 2003"
+ "1013": "Windows 8.1"
+ "1015": "Windows 10"
+ "2003": "Macintosh/Apple OSX"
+ "4000": "Linux"
+ "5005": "Android"
+ "5006": "iPhone"
+ "5007": "iPad"
+ "5200": "Android 10.0"
+ source: |
+ def platform = ctx.salesforce?.logout?.platform_type;
+ if (platform != null && params.platforms.containsKey(platform)) {
+ ctx.salesforce.logout.platform_type = params.platforms.get(platform);
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to set salesforce.logout.platform_type: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.RESOLUTION_TYPE
+ target_field: salesforce.logout.resolution_type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.APP_TYPE
+ target_field: salesforce.logout.app_type
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set application type value from application type integers.
+ lang: painless
+ params:
+ appTypes:
+ "1000": "Application"
+ "1007": "SFDC Application"
+ "1014": "Chat"
+ "2501": "CTI"
+ "2514": "OAuth"
+ "3475": "SFDC Partner Portal"
+ source: |
+ def type = ctx.salesforce?.logout?.app_type;
+ if (type != null && params.appTypes.containsKey(type)) {
+ ctx.salesforce.logout.app_type = params.appTypes.get(type);
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to set salesforce.logout.app_type: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.CLIENT_VERSION
+ target_field: salesforce.logout.client_version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.API_TYPE
+ target_field: salesforce.logout.api.type
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set api type value from api type character.
+ lang: painless
+ params:
+ apiTypes:
+ "D": "Apex Class"
+ "E": "SOAP Enterprise"
+ "I": "SOAP Cross Instance"
+ "M": "SOAP Metadata"
+ "O": "Old SOAP"
+ "P": "SOAP Partner"
+ "S": "SOAP Apex"
+ "T": "SOAP Tooling"
+ "X": "XmlRPC"
+ "f": "Feed"
+ "l": "Live Agent"
+ "p": "SOAP ClientSync"
+ source: |
+ def type = ctx.salesforce?.logout?.api?.type;
+ if (type != null && params.apiTypes.containsKey(type)) {
+ ctx.salesforce.logout.api.type = params.apiTypes.get(type);
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to set salesforce.logout.api.type: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.API_VERSION
+ target_field: salesforce.logout.api.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.USER_INITIATED_LOGOUT
+ target_field: salesforce.logout.user_initiated_logout
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LOGIN_KEY
+ target_field: salesforce.logout.login_key
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.USER_ID
+ target_field: salesforce.logout.user_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.ORGANIZATION_ID
+ target_field: salesforce.logout.organization_id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.REQUEST_ID
+ target_field: event.code
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.USER_TYPE
+ target_field: user.roles
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Set user roles value from user roles character.
+ lang: painless
+ params:
+ userRoles:
+ "A": "Automated Process"
+ "b": "High Volume Portal"
+ "C": "Customer Portal User"
+ "D": "External Who"
+ "F": "Self-Service"
+ "G": "Guest"
+ "L": "Package License Manager"
+ "N": "Salesforce to Salesforce"
+ "n": "CSN Only"
+ "O": "Power Custom"
+ "o": "Custom"
+ "P": "Partner"
+ "p": "Customer Portal Manager"
+ "S": "Standard"
+ "X": "Salesforce Administrator"
+ source: |
+ def role = ctx.salesforce?.logout?.user?.roles;
+ if (role != null && params.userRoles.containsKey(role)) {
+ ctx.salesforce.logout.user.roles = [params.userRoles.get(role)];
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to set salesforce.logout.user.roles: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.USER_ID_DERIVED
+ target_field: user.id
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.CLIENT_IP
+ target_field: source.ip
+ ignore_missing: true
+ if: ctx.json?.CLIENT_IP != 'Salesforce.com IP' && ctx.json?.CLIENT_IP != null
+ ignore_failure: true
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/x-pack/filebeat/module/salesforce/logout/ingest/object.yml b/x-pack/filebeat/module/salesforce/logout/ingest/object.yml
new file mode 100644
index 00000000000..059a8533751
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/logout/ingest/object.yml
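Review bot: The user-roles script in ingest/eventlogfile.yml reads `ctx.salesforce?.logout?.user?.roles`, but the rename just before it moves `json.USER_TYPE` to the top-level `user.roles`, so the lookup never finds a value and the code-to-name translation is dead. It should read and write the ECS field instead: `def role = ctx.user?.roles;` and `ctx.user.roles = [params.userRoles.get(role)];`. The numeric lookups look fragile in the same way: `params.platforms` and `params.appTypes` are keyed by strings such as `"1015"`, and the expected fixture in this commit still shows `salesforce.logout.platform_type` as 1015 and `app_type` as 1000, which suggests integer values from the JSON miss the string keys. In addition, `json.CLIENT_IP` is renamed into `source.ip` without the `convert` to `type: ip` that object.yml applies to `SourceIp`, so a non-IP string can reach `geoip` and `related.ip`.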
@@ -0,0 +1,68 @@
+---
+description: Pipeline for parsing Salesforce Logout (Object) logs.
+processors:
+ - date:
+ field: json.EventDate
+ target_field: "@timestamp"
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse EventDate field: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.RelatedEventIdentifier
+ target_field: salesforce.logout.related_event_identifier
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.LoginKey
+ target_field: salesforce.logout.login_key
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.SessionLevel
+ target_field: salesforce.logout.session.level
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.SessionKey
+ target_field: salesforce.logout.session.key
+ ignore_missing: true
+ ignore_failure: true
+ - date:
+ field: json.CreatedDate
+ target_field: event.created
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to parse CreatedDate field: {{{_ingest.on_failure_message}}}"
+ - rename:
+ field: json.Username
+ target_field: user.email
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.UserId
+ target_field: user.id
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.SourceIp
+ type: ip
+ target_field: source.ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to convert SourceIp to IP: {{{_ingest.on_failure_message}}}"
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/x-pack/filebeat/module/salesforce/logout/manifest.yml b/x-pack/filebeat/module/salesforce/logout/manifest.yml
new file mode 100644
index 00000000000..9aa36f11d15
--- /dev/null
+++ b/x-pack/filebeat/module/salesforce/logout/manifest.yml
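Review bot: ingest/object.yml has no processor that fills `salesforce.logout.created_by_id` or `salesforce.logout.event_identifier`, although fields.yml in this commit declares both and default.yml removes `json` afterwards. The object expected fixture in this commit accordingly loses `salesforce.logout.created_by_id`. If dropping these values is intended, a comment at the top of the processor list should say so. Otherwise add `rename` processors in the existing style, for example `field: json.CreatedById` with `target_field: salesforce.logout.created_by_id`; the source key for the event identifier is presumably `json.EventIdentifier` and needs confirming against the object schema.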
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: salesforce
+ - name: tags
+ default: [salesforce-logout, forwarded]
+ - name: api_version
+ - name: authentication
+ - name: url
+ - name: event_log_file
+ - name: elf_interval
+ default: 1h
+ - name: real_time
+ - name: real_time_interval
+ default: 5m
+ - name: initial_interval
+ - name: log_file_interval
+ default: Hourly
+
+ingest_pipeline:
+ - ingest/default.yml
+ - ingest/eventlogfile.yml
+ - ingest/object.yml
+input: config/logout.yml
diff --git a/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log b/x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_elf.ndjson.log
similarity index 100%
rename from x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log
rename to x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_elf.ndjson.log
diff --git a/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_elf.ndjson.log-expected.json
similarity index 67%
rename from x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log-expected.json
rename to x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_elf.ndjson.log-expected.json
index ea3b683e02a..fa603eb61f1 100644
--- a/x-pack/filebeat/module/salesforce/logout-rest/test/salesforce_logout.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_elf.ndjson.log-expected.json
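Review bot: In logout/manifest.yml neither `event_log_file` nor `real_time` has a default, and config/logout.yml renders each `enabled:` as `false` when its variable is unset. As far as these two files show, a fileset enabled with only `url` and `authentication` would run with both collection methods switched off and collect no logout events, without an obvious error. Either give one of them a default, for example `default: true` under `- name: real_time`, or document next to the variables that at least one must be set. `url` and `authentication` also have no default and render as empty values in the input config.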
@@ -2,39 +2,44 @@ { "@timestamp": "2021-10-19T05:07:07.128Z", "event.action": "logout", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.code": "4exLFFQZNa5xxFl1cJNwOV", "event.dataset": "salesforce.logout", "event.kind": "event", "event.module": "salesforce", + "event.provider": "EventLogFile", "event.timezone": "-02:00", - "event.type": "info", - "fileset.name": "logout-rest", + "event.type": [ + "info" + ], + "fileset.name": "logout", "input.type": "log", "log.offset": 0, "related.ip": [ "123.201.231.42" ], - "salesforce.access_mode": "rest", + "salesforce.instance_url": "", "salesforce.logout.app_type": 1000, "salesforce.logout.browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36", "salesforce.logout.client_version": 9998, "salesforce.logout.event_type": "Logout", "salesforce.logout.login_key": "OKyrFuSUIZVr9YzF", - "salesforce.logout.organization_by_id": "00D5j000000VI3n", + "salesforce.logout.organization_id": "00D5j000000VI3n", "salesforce.logout.platform_type": 1015, "salesforce.logout.resolution_type": 9999, - "salesforce.logout.session_level": "STANDARD(db=1,api=STANDARD)", - "salesforce.logout.session_type": "UI", - "salesforce.logout.user_id_derived": "0055j000000utlPAAQ", + "salesforce.logout.session.level": "STANDARD(db=1,api=STANDARD)", + "salesforce.logout.session.type": "UI", + "salesforce.logout.user_id": "0055j000000utlP", "salesforce.logout.user_initiated_logout": 1, "service.type": "salesforce", "source.ip": "123.201.231.42", "tags": [ "forwarded", - "salesforce-logout-rest" + "salesforce-logout" ], - "user.id": "0055j000000utlP", + "user.id": "0055j000000utlPAAQ", "user.roles": "Standard(db=S,api=Standard)" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log b/x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_object.ndjson.log similarity index 100% rename from x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log rename to x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_object.ndjson.log diff --git a/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_object.ndjson.log-expected.json similarity index 62% rename from x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log-expected.json rename to x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_object.ndjson.log-expected.json index b4403515ffc..eed5058ac7a 100644 --- a/x-pack/filebeat/module/salesforce/logout-stream/test/salesforce_logout.ndjson.log-expected.json +++ b/x-pack/filebeat/module/salesforce/logout/test/salesforce_logout_object.ndjson.log-expected.json 
@@ -2,27 +2,32 @@ { "@timestamp": "2021-10-19T11:38:54.000Z", "event.action": "logout", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "salesforce.logout", "event.kind": "event", "event.module": "salesforce", + "event.provider": "Object", "event.timezone": "-02:00", - "event.type": "info", - "fileset.name": "logout-stream", + "event.type": [ + "info" + ], + "fileset.name": "logout", "input.type": "log", "log.offset": 0, "related.ip": [ "123.201.231.106" ], - "salesforce.access_mode": "stream", - "salesforce.logout.created_by_id": "0055j000000q9s7AAA", + "salesforce.instance_url": "", "salesforce.logout.login_key": "CuRVtbMjat6xxbTH", - "salesforce.logout.session_level": "STANDARD", + "salesforce.logout.session.key": "6/HAElgoPCwskqBU", + "salesforce.logout.session.level": "STANDARD", "service.type": "salesforce", "source.ip": "123.201.231.106", "tags": [ "forwarded", - "salesforce-logout-stream" + "salesforce-logout" ], "user.email": "kush.rana@elastic.co", "user.id": "0055j000000utlPAAQ" diff --git a/x-pack/filebeat/module/salesforce/module.yml b/x-pack/filebeat/module/salesforce/module.yml index bec0d7ed8b1..71e1ee55123 100644 --- a/x-pack/filebeat/module/salesforce/module.yml +++ b/x-pack/filebeat/module/salesforce/module.yml 
@@ -1,9 +1,9 @@ dashboards: -- id: salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10 - file: salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10.json -- id: salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10 - file: salesforce-59ef0af0-5749-11ec-8f0b-05e8b06e1b10.json -- id: salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10 - file: salesforce-790da810-5749-11ec-8f0b-05e8b06e1b10.json -- id: salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10 - file: salesforce-1659aef0-574c-11ec-8f0b-05e8b06e1b10.json +- id: 6e6bee90-f7e6-11ee-9088-0f36517484ce + file: 6e6bee90-f7e6-11ee-9088-0f36517484ce.json +- id: cb7b4a40-f7ff-11ee-9088-0f36517484ce + file: cb7b4a40-f7ff-11ee-9088-0f36517484ce.json +- id: 243e40b0-f891-11ee-9088-0f36517484ce + file: 243e40b0-f891-11ee-9088-0f36517484ce.json +- id: c66be450-f891-11ee-9088-0f36517484ce + file: c66be450-f891-11ee-9088-0f36517484ce.json diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/config/setupaudittrail-rest.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/config/setupaudittrail-rest.yml deleted file mode 100644 index 34f8f694944..00000000000 --- a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/config/setupaudittrail-rest.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{ if eq .input "httpjson" }} - -type: httpjson -interval: {{ .interval }} -request.method: GET -auth.oauth2: - enabled: true - {{ if .client_id }} - client.id: {{ .client_id }} - {{ end }} - {{ if .client_secret }} - client.secret: {{ .client_secret }} - {{ end }} - {{ if .token_url }} - token_url: {{ .token_url }} - {{ end }} - {{ if .user }} - user: {{ .user }} - {{ end }} - {{ if .password }} - password: {{ .password }} - {{ end }} -# Query params will be overwritten by request.transforms from start of the input and -# it is to indicate that this url is for SetupAuditTratil type of events as cursor stores the url as source. -# Each filebeat input cursor source needs to be uniquely identified with a name. -request.url: {{ .url }}/services/data/v52.0/query?q=setupaudittrail+rest -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} -request.transforms: - - set: - target: url.params.q - value: "SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section FROM SetupAuditTrail WHERE CreatedDate > [[.cursor.last_published_setupaudittrail]] ORDER BY CreatedDate ASC NULLS FIRST" - default: "SELECT Action,CreatedByContext,CreatedById,CreatedByIssuer,CreatedDate,DelegateUser,Display,Id,ResponsibleNamespacePrefix,Section FROM SetupAuditTrail ORDER BY CreatedDate ASC NULLS FIRST" -response.split: - target: body.records -response.pagination: -- set: - target: url.value - value: '[[if (ne .last_response.body.done true)]]{{ .url }}[[.last_response.body.nextRecordsUrl]][[end]]' - fail_on_template_error: true -cursor: - last_published_setupaudittrail: - value: '[[.last_event.CreatedDate]]' - -{{ else if eq .input "file" }} - -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - decode_json_fields: - fields: 
[message] - target: "json" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/ingest/pipeline.yml deleted file mode 100644 index 2c86704d117..00000000000 --- a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/ingest/pipeline.yml +++ /dev/null 
@@ -1,142 +0,0 @@ ---- -description: Pipeline for parsing Salesforce SetupAuditTrail logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- rename: - field: message - target_field: event.original - ignore_missing: true -- remove: - field: - - message - ignore_missing: true - -- set: - field: salesforce.access_mode - value: rest - ignore_failure: true - -- date: - field: json.CreatedDate - target_field: "@timestamp" - formats: - - ISO8601 - ignore_failure: true - -- rename: - field: json.attributes.type - target_field: salesforce.setup_audit_trail.event_type - ignore_missing: true -- rename: - field: json.CreatedByContext - target_field: salesforce.setup_audit_trail.created_by_context - ignore_missing: true -- rename: - field: json.CreatedById - target_field: salesforce.setup_audit_trail.created_by_id - ignore_missing: true -- rename: - field: json.CreatedByIssuer - target_field: salesforce.setup_audit_trail.created_by_issuer - ignore_missing: true -- rename: - field: json.DelegateUser - target_field: salesforce.setup_audit_trail.delegate_user - ignore_missing: true -- rename: - field: json.Display - target_field: salesforce.setup_audit_trail.display - ignore_missing: true -- rename: - field: json.ResponsibleNamespacePrefix - target_field: salesforce.setup_audit_trail.responsible_namespace_prefix - ignore_missing: true -- rename: - field: json.Section - target_field: salesforce.setup_audit_trail.section - ignore_missing: true - -####################### -## ECS Event Mapping ## -####################### - -- rename: - field: json.Id - target_field: event.id - ignore_missing: true -- rename: - field: json.Action - target_field: event.action - ignore_missing: true -- rename: - field: json.attributes.url - target_field: event.url - ignore_missing: true -- date: - field: json.CreatedDate - target_field: event.created - formats: - - ISO8601 - ignore_failure: true -- set: - field: event.type - value: "admin" -- set: - field: event.kind - 
value: "event" -- set: - field: event.dataset - value: "salesforce.setupaudittrail" -- set: - field: event.module - value: "salesforce" - -###################### -## ECS User Mapping ## -###################### - -- set: - field: user.id - copy_from: salesforce.setup_audit_trail.created_by_id - ignore_failure: true -- set: - field: temp_setup_audit_trail_display - copy_from: salesforce.setup_audit_trail.display - ignore_failure: true -- dissect: - field: temp_setup_audit_trail_display - pattern: "For user %{user.name}, %{?}" - ignore_failure: true - -############# -## Cleanup ## -############# - -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: - - json - - temp_setup_audit_trail_display - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/manifest.yml b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/manifest.yml deleted file mode 100644 index 889bfe92569..00000000000 --- a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/manifest.yml +++ /dev/null @@ -1,19 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: interval - default: 1h - - name: tags - default: [salesforce-setupaudittrail-rest, forwarded] - - name: proxy_url - - name: client_id - - name: client_secret - - name: token_url - - name: user - - name: password - - name: url - -ingest_pipeline: ingest/pipeline.yml -input: config/setupaudittrail-rest.yml 
diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log deleted file mode 100644 index 7d725a8cfff..00000000000 --- a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log +++ /dev/null @@ -1 +0,0 @@ -{"attributes":{"type":"SetupAuditTrail","url":"/services/data/v52.0/sobjects/SetupAuditTrail/0Ym5j12345BJKvZCAX"},"Action":"changedUserEmailVerifiedStatusVerified","CreatedByContext":null,"CreatedById":"1234j000000q9s7ABC","CreatedByIssuer":null,"CreatedDate":"2021-10-06T07:13:07.000+0000","DelegateUser":null,"Display":"For user abc.def@mail.com, the User Verified Email status changed to verified","Id":"0Ym5j12345BJKvABCD","ResponsibleNamespacePrefix":null,"Section":"Manage Users"} diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log-expected.json deleted file mode 100644 index 2ff59c8b938..00000000000 --- a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/test/salesforce_setupaudittrail.ndjson.log-expected.json +++ /dev/null 
@@ -1,29 +0,0 @@ -[ - { - "@timestamp": "2021-10-06T07:13:07.000Z", - "event.action": "changedUserEmailVerifiedStatusVerified", - "event.dataset": "salesforce.setupaudittrail", - "event.id": "0Ym5j12345BJKvABCD", - "event.kind": "event", - "event.module": "salesforce", - "event.original": "{\"attributes\":{\"type\":\"SetupAuditTrail\",\"url\":\"/services/data/v52.0/sobjects/SetupAuditTrail/0Ym5j12345BJKvZCAX\"},\"Action\":\"changedUserEmailVerifiedStatusVerified\",\"CreatedByContext\":null,\"CreatedById\":\"1234j000000q9s7ABC\",\"CreatedByIssuer\":null,\"CreatedDate\":\"2021-10-06T07:13:07.000+0000\",\"DelegateUser\":null,\"Display\":\"For user abc.def@mail.com, the User Verified Email status changed to verified\",\"Id\":\"0Ym5j12345BJKvABCD\",\"ResponsibleNamespacePrefix\":null,\"Section\":\"Manage Users\"}", - "event.timezone": "-02:00", - "event.type": "admin", - "event.url": "/services/data/v52.0/sobjects/SetupAuditTrail/0Ym5j12345BJKvZCAX", - "fileset.name": "setupaudittrail-rest", - "input.type": "log", - "log.offset": 0, - "salesforce.access_mode": "rest", - "salesforce.setup_audit_trail.created_by_id": "1234j000000q9s7ABC", - "salesforce.setup_audit_trail.display": "For user abc.def@mail.com, the User Verified Email status changed to verified", - "salesforce.setup_audit_trail.event_type": "SetupAuditTrail", - "salesforce.setup_audit_trail.section": "Manage Users", - "service.type": "salesforce", - "tags": [ - "forwarded", - "salesforce-setupaudittrail-rest" - ], - "user.id": "1234j000000q9s7ABC", - "user.name": "abc.def@mail.com" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/_meta/fields.yml b/x-pack/filebeat/module/salesforce/setupaudittrail/_meta/fields.yml similarity index 86% rename from x-pack/filebeat/module/salesforce/setupaudittrail-rest/_meta/fields.yml rename to x-pack/filebeat/module/salesforce/setupaudittrail/_meta/fields.yml index edd774250d1..d19dfb637ef 100644 
--- a/x-pack/filebeat/module/salesforce/setupaudittrail-rest/_meta/fields.yml +++ b/x-pack/filebeat/module/salesforce/setupaudittrail/_meta/fields.yml @@ -4,10 +4,10 @@ description: > Fileset for ingesting Salesforce SetupAuditTrail logs. fields: - - name: event_type + - name: document_id type: keyword description: > - Event type + Unique Id. - name: created_by_context type: keyword description: > @@ -23,7 +23,7 @@ - name: delegate_user type: keyword description: > - The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later. + The Login-As user who executed the action in Setup. If a Login-As user didn't perform the action, this field is blank. This field is available in API version 35.0 and later. - name: display type: keyword description: > diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail/config/setupaudittrail.yml b/x-pack/filebeat/module/salesforce/setupaudittrail/config/setupaudittrail.yml new file mode 100644 index 00000000000..6814aa9298d --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail/config/setupaudittrail.yml 
@@ -0,0 +1,40 @@ +{{ if eq .input "salesforce" }} + +id: setupaudittrail +type: salesforce +enabled: true +{{ if .api_version }} +version: {{ .api_version }} +{{ end }} +auth.oauth2: {{ .authentication | tojson }} +url: {{ .url }} +event_monitoring_method: + object: + enabled: {{ if .real_time }}true{{ else }}false{{ end }} + interval: {{ .real_time_interval }} + query: + default: SELECT FIELDS(STANDARD) FROM SetupAuditTrail{{ if .initial_interval }} WHERE CreatedDate > [[ (formatTime (now.Add (parseDuration "-{{ .initial_interval }}")) "2006-01-02T15:04:05.000Z0700") ]]{{ end }} ORDER BY CreatedDate ASC NULLS FIRST + value: SELECT FIELDS(STANDARD) FROM SetupAuditTrail WHERE CreatedDate > [[ .cursor.object.last_event_time ]] ORDER BY CreatedDate ASC NULLS FIRST + cursor: + field: "CreatedDate" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: salesforce + fields: + instance_url: {{ .url }} + - add_locale: ~ diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail/ingest/pipeline.yml b/x-pack/filebeat/module/salesforce/setupaudittrail/ingest/pipeline.yml new file mode 100644 index 00000000000..1d61b6c0588 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail/ingest/pipeline.yml 
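Review bot: The follow-up query under `event_monitoring_method.object.query.value` filters on `CreatedDate > [[ .cursor.object.last_event_time ]]`, so a SetupAuditTrail row that shares the last-seen timestamp but only becomes visible after the previous poll is never fetched. For an audit source that is a silent coverage gap. The ingest pipeline added in this commit fingerprints `json.Id` and `json.CreatedDate` into `_id`, so re-reading the boundary timestamp should be safe when the output honours `_id`; consider `WHERE CreatedDate >= [[ .cursor.object.last_event_time ]]`. How the input advances the cursor is not visible in this hunk, so confirm against the input's behaviour before changing it.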
@@ -0,0 +1,177 @@ +--- +description: Pipeline for parsing Salesforce SetupAuditTrail logs +processors: + - json: + field: message + target_field: json + on_failure: + - drop: {} + + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.original + copy_from: message + ignore_empty_value: true + ignore_failure: true + if: "ctx.event?.original == null" + - set: + field: salesforce.setup_audit_trail.document_id + copy_from: _id + ignore_empty_value: true + - fingerprint: + fields: + - json.Id + - json.CreatedDate + target_field: _id + ignore_failure: true + ignore_missing: true + + - date: + field: json.CreatedDate + target_field: "@timestamp" + formats: + - ISO8601 + on_failure: + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: error.message + value: "Failed to parse CreatedDate: {{json.CreatedDate}}" + + # Normalize field names + - rename: + field: json.CreatedByContext + target_field: salesforce.setup_audit_trail.created_by_context + ignore_failure: true + ignore_missing: true + - rename: + field: json.CreatedById + target_field: salesforce.setup_audit_trail.created_by_id + ignore_failure: true + ignore_missing: true + - rename: + field: json.CreatedByIssuer + target_field: salesforce.setup_audit_trail.created_by_issuer + ignore_failure: true + ignore_missing: true + - rename: + field: json.DelegateUser + target_field: salesforce.setup_audit_trail.delegate_user + ignore_failure: true + ignore_missing: true + - rename: + field: json.Display + target_field: salesforce.setup_audit_trail.display + ignore_failure: true + ignore_missing: true + - rename: + field: json.ResponsibleNamespacePrefix + target_field: salesforce.setup_audit_trail.responsible_namespace_prefix + ignore_failure: true + ignore_missing: true + - rename: + field: json.Section + target_field: salesforce.setup_audit_trail.section + ignore_failure: true + ignore_missing: true + + ####################### + ## ECS Event Mapping ## + 
####################### + + - set: + field: ecs.version + value: "8.11.0" + ignore_failure: true + ignore_empty_value: true + - rename: + field: json.Id + target_field: event.id + ignore_failure: true + ignore_missing: true + - rename: + field: json.Action + target_field: event.action + ignore_failure: true + ignore_missing: true + - date: + field: json.CreatedDate + target_field: event.created + formats: + - ISO8601 + ignore_failure: true + - set: + field: event.type + value: ["admin"] + ignore_failure: true + ignore_empty_value: true + - set: + field: event.kind + value: "event" + ignore_failure: true + ignore_empty_value: true + - set: + field: event.dataset + value: "salesforce.setupaudittrail" + ignore_failure: true + ignore_empty_value: true + - set: + field: event.module + value: salesforce + ignore_failure: true + ignore_empty_value: true + + ###################### + ## ECS User Mapping ## + ###################### + + - set: + field: user.id + copy_from: salesforce.setup_audit_trail.created_by_id + ignore_failure: true + ignore_empty_value: true + - dissect: + field: salesforce.setup_audit_trail.display + pattern: "For user %{user.name}, %{?}" + ignore_failure: true + + ############# + ## Cleanup ## + ############# + + # Drop empty fields + - script: + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return ((Map) object).isEmpty(); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return ((List) object).isEmpty(); + } + return false; + } + dropEmptyFields(ctx); + + - remove: + field: + - json + - message + ignore_missing: true + - remove: + field: event.original + if: "ctx.tags == null || !ctx.tags.contains('preserve_original_event')" + ignore_failure: true + ignore_missing: true + +on_failure: + - set: + field: 
error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail/manifest.yml b/x-pack/filebeat/module/salesforce/setupaudittrail/manifest.yml new file mode 100644 index 00000000000..eb1eb02b96b --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail/manifest.yml @@ -0,0 +1,19 @@ +module_version: 1.0 + +var: + - name: input + default: salesforce + - name: tags + default: [salesforce-setupaudittrail, forwarded] + - name: api_version + - name: authentication + - name: url + - name: real_time + - name: real_time_interval + default: 5m + - name: initial_interval + - name: log_file_interval + default: Hourly + +ingest_pipeline: ingest/pipeline.yml +input: config/setupaudittrail.yml diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail/test/salesforce_setupaudittrail.ndjson.log b/x-pack/filebeat/module/salesforce/setupaudittrail/test/salesforce_setupaudittrail.ndjson.log new file mode 100644 index 00000000000..7a289a23a9d --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail/test/salesforce_setupaudittrail.ndjson.log @@ -0,0 +1 @@ +{"Action":"changedUserEmailVerifiedStatusVerified","CreatedByContext":null,"CreatedById":"1234j000000q9s7ABC","CreatedByIssuer":null,"CreatedDate":"2021-10-06T07:13:07.000+0000","DelegateUser":null,"Display":"For user abc.def@mail.com, the User Verified Email status changed to verified","Id":"0Ym5j12345BJKvABCD","ResponsibleNamespacePrefix":null,"Section":"Manage Users"} diff --git a/x-pack/filebeat/module/salesforce/setupaudittrail/test/salesforce_setupaudittrail.ndjson.log-expected.json b/x-pack/filebeat/module/salesforce/setupaudittrail/test/salesforce_setupaudittrail.ndjson.log-expected.json new file mode 100644 index 00000000000..204f42a35d7 --- /dev/null +++ b/x-pack/filebeat/module/salesforce/setupaudittrail/test/salesforce_setupaudittrail.ndjson.log-expected.json 
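Review bot: The first processor's `on_failure: - drop: {}` discards any event whose `message` is not valid JSON without leaving a trace, so a malformed or truncated SetupAuditTrail record vanishes instead of surfacing as an ingest error. I would remove that processor-level `on_failure` so the failure reaches the pipeline-level `on_failure` at the end of this file, which already writes `error.message`. Separately, `salesforce.setup_audit_trail.document_id` is copied from `_id` before the `fingerprint` processor writes `_id`, so it probably stays empty unless the input pre-populates `_id`; the intended order is worth confirming.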
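Review bot: `log_file_interval` is declared with default `Hourly`, but the `config/setupaudittrail.yml` template added in this commit only renders the `event_monitoring_method.object` branch and never reads it. The variable is dead configuration that suggests an Event Log File mode this fileset does not have. I would remove the `- name: log_file_interval` entry together with its `default: Hourly` line.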
@@ -0,0 +1,28 @@ +[ + { + "@timestamp": "2021-10-06T07:13:07.000Z", + "event.action": "changedUserEmailVerifiedStatusVerified", + "event.dataset": "salesforce.setupaudittrail", + "event.id": "0Ym5j12345BJKvABCD", + "event.kind": "event", + "event.module": "salesforce", + "event.timezone": "-02:00", + "event.type": [ + "admin" + ], + "fileset.name": "setupaudittrail", + "input.type": "log", + "log.offset": 0, + "salesforce.instance_url": "", + "salesforce.setup_audit_trail.created_by_id": "1234j000000q9s7ABC", + "salesforce.setup_audit_trail.display": "For user abc.def@mail.com, the User Verified Email status changed to verified", + "salesforce.setup_audit_trail.section": "Manage Users", + "service.type": "salesforce", + "tags": [ + "forwarded", + "salesforce-setupaudittrail" + ], + "user.id": "1234j000000q9s7ABC", + "user.name": "abc.def@mail.com" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/salesforce.yml.disabled b/x-pack/filebeat/modules.d/salesforce.yml.disabled index 4931e8e006e..bd9b7b03bbf 100644 --- a/x-pack/filebeat/modules.d/salesforce.yml.disabled +++ b/x-pack/filebeat/modules.d/salesforce.yml.disabled 
@@ -1,133 +1,145 @@ # Module: salesforce # Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-salesforce.html -- module: salesforce - - apex-rest: - enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - login-rest: - enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +# Configuration file for Salesforce module in Filebeat + +# Common Configurations: +# - enabled: Set to true to enable ingestion of Salesforce module fileset +# - initial_interval: Initial interval for log collection. This setting determines the time period for which the logs will be initially collected when the ingestion process starts, i.e. 
1d/h/m/s +# - api_version: API version for Salesforce, version should be greater than 46.0 + +# Authentication Configurations: +# User-Password Authentication: +# - enabled: Set to true to enable user-password authentication +# - client.id: Client ID for user-password authentication +# - client.secret: Client secret for user-password authentication +# - token_url: Token URL for user-password authentication +# - username: Username for user-password authentication +# - password: Password for user-password authentication + +# JWT Authentication: +# - enabled: Set to true to enable JWT authentication +# - client.id: Client ID for JWT authentication +# - client.username: Username for JWT authentication +# - client.key_path: Path to client key for JWT authentication +# - url: Audience URL for JWT authentication + +# Event Monitoring: +# - real_time: Set to true to enable real-time logging using object type data collection +# - real_time_interval: Interval for real-time logging + +# Event Log File: +# - event_log_file: Set to true to enable event log file type data collection +# - elf_interval: Interval for event log file +# - log_file_interval: Interval type for log file collection, either Hourly or Daily - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" +- module: salesforce - login-stream: + apex: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth 
User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - logout-rest: + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: "https://instance_id.my.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" + + login: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - logout-stream: + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: "https://instance_id.my.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" + + var.real_time: true + var.real_time_interval: 5m + + logout: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: 
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - setupaudittrail-rest: + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: "https://instance_id.my.salesforce.com" + + var.event_log_file: true + var.elf_interval: 1h + var.log_file_interval: "Hourly" + + var.real_time: true + var.real_time_interval: 5m + + setupaudittrail: enabled: false - - # Oauth Client ID - #var.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Client Secret - #var.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - # Oauth Token URL - #var.token_url: "https://login.salesforce.com/services/oauth2/token" - - # Oauth User, should include the User mail - #var.user: "abc.xyz@mail.com" - - # Oauth password, should include the User password - #var.password: "P@$$W0₹D" - - # URL, should include the instance_url - #var.url: "https://instance_id.my.salesforce.com" - - # Interval, should include the time interval - #var.interval: 1h \ No newline at end of file + var.initial_interval: 1d + var.api_version: 56 + + var.authentication: + user_password_flow: + enabled: true + client.id: "" + client.secret: "client-secret" + token_url: "" + username: "" + password: "" + jwt_bearer_flow: + enabled: false + client.id: "" + client.username: "" + client.key_path: "" + url: "https://login.salesforce.com" + + var.url: 
"https://instance_id.my.salesforce.com" + + var.real_time: true + var.real_time_interval: 5m \ No newline at end of file
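Review bot: The new sample ships `client.secret`, `password` and the other credentials as live keys with inline string values, which steers operators toward pasting secrets straight into this file. The placeholder is also inconsistent: `client.secret: ""` under `apex`, but `"client-secret"` under `login`, `logout` and `setupaudittrail`. I would make the placeholders uniform and show a keystore or environment reference instead, e.g. `client.secret: "${SALESFORCE_CLIENT_SECRET}"` and `password: "${SALESFORCE_PASSWORD}"` (the key names are made-up examples). A header comment such as `# Store secrets in the Filebeat keystore and reference them as ${KEY}; keep this file readable only by the Filebeat user.` would also help. The header lists `client.key_path` for the JWT flow, and it may be worth noting that the private key file needs the same restricted permissions.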