Update documentation to configure data view for dashboards

packages/beaconing/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.3.2"
+ changes:
+ - description: Update documentation on configuring data view for dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15294
 - version: "1.3.1"
  changes:
  - description: Update platform support docs

packages/beaconing/docs/README.md

@@ -19,6 +19,10 @@ For more detailed information refer to the following blog:
  - Select **Show Advanced settings** and enable **Allow hidden and system indices**
  - Custom data view ID: `ml_beaconing`
 
+ _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below.
+ ![Dashboard Error](../img/dashboard-error-beaconing.png)
+1. **Enable detection rules**: You can also enable detection rules to alert on beaconing activity in your environment, based on events flagged by this package. These rules are available as part of the Detection Engine, and can be found using the tag `Use Case: C2 Beaconing Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules.
+
 ![Data Exfiltration Detection Rules](../img/beaconingrules.png)
 *In Security > Rules, filtering with the “Use Case: C2 Beaconing Detection” tag*
 

packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml

@@ -1,6 +1,6 @@
 dest:
- index: ml_beaconing-1.3.1
- pipeline: 1.3.1-ml_beaconing_ingest_pipeline
+ index: ml_beaconing-1.3.2
+ pipeline: 1.3.2-ml_beaconing_ingest_pipeline
  aliases:
  - alias: ml_beaconing.latest
  move_on_creation: true

packages/beaconing/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: beaconing
 title: "Network Beaconing Identification"
-version: 1.3.1
+version: 1.3.2
 source:
  license: "Elastic-2.0"
 description: "Package to identify beaconing activity in your network events."

packages/ded/changelog.yml

@@ -1,3 +1,8 @@
+- version: "2.3.5"
+ changes:
+ - description: Update documentation on configuring data view for dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15294
 - version: "2.3.4"
  changes:
  - description: Update documentation on network and file data sources

packages/ded/docs/README.md

@@ -26,6 +26,9 @@ For more detailed information refer to the following blog:
  - Index pattern : `.ml-anomalies-shared`
  - Select **Show Advanced settings** enable **Allow hidden and system indices**
  - Custom data view ID: `.ml-anomalies-shared`
+
+ _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below.
+ ![Dashboard Error](../img/dashboard-ded-error.png)
 1. **Enable detection rules**: You can also enable detection rules to alert on Data Exfiltration activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Data Exfiltration Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules.
 
 ![Data Exfiltration Detection Rules](../img/dedrules.png)

packages/ded/elasticsearch/transform/pivot_transform/transform.yml

@@ -1,12 +1,12 @@
 
 dest:
- index: ml_network_ded-2.3.4
+ index: ml_network_ded-2.3.5
  aliases:
  - alias: ml_network_ded.latest
  move_on_creation: true
  - alias: ml_network_ded.all
  move_on_creation: false
- pipeline: 2.3.4-ml_ded_ingest_pipeline
+ pipeline: 2.3.5-ml_ded_ingest_pipeline
 description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime.
 frequency: 30m
 pivot:

packages/ded/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: ded
 title: "Data Exfiltration Detection"
-version: 2.3.4
+version: 2.3.5
 source:
  license: "Elastic-2.0"
 description: "ML package to detect data exfiltration in your network and file data."

packages/hta/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.0.1"
+ changes:
+ - description: Update documentation on configuring data view for dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15294
 - version: "1.0.0"
  changes:
  - description: Initial release of the package

packages/hta/docs/README.md

@@ -11,4 +11,7 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level
  - Name: `.ml-anomalies-shared`
  - Index pattern : `.ml-anomalies-shared`
  - Select **Show Advanced settings** enable **Allow hidden and system indices**
- - Custom data view ID: `.ml-anomalies-shared`
+ - Custom data view ID: `.ml-anomalies-shared`
+
+ _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below.
+ ![Dashboard Error](../img/dashboard-hta-error.png)

packages/hta/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: hta
 title: "Host Traffic Anomalies"
-version: 1.0.0
+version: 1.0.1
 source:
  license: "Elastic-2.0"
 description: "Prebuilt dashboard for Machine Learning module Security: Host."

packages/lmd/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.3"
+ changes:
+ - description: Update documentation on configuring data view for dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15294
 - version: "2.5.2"
  changes:
  - description: Update transform mappings to use ECS

packages/lmd/docs/README.md

@@ -27,6 +27,9 @@ For more detailed information refer to the following blogs:
  - Index pattern : `.ml-anomalies-shared`
  - Select **Show Advanced settings** enable **Allow hidden and system indices**
  - Custom data view ID: `.ml-anomalies-shared`
+
+ _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below.
+ ![Dashboard Error](../img/dashboard-lmd-error.png)
 1. **Enabling detection rules**: You can also enable detection rules to alert on Lateral Movement activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Lateral Movement Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules.
 1. **Use with Living off the Land Detection**: This integration package can be used along with Living off the Land detection, see the section Install Living off the Land package to detect malicious processes.
 

packages/lmd/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: lmd
 title: "Lateral Movement Detection"
-version: 2.5.2
+version: 2.5.3
 source:
  license: "Elastic-2.0"
 description: "ML package to detect lateral movement based on file transfer activity and Windows RDP events."

packages/pad/changelog.yml

@@ -1,3 +1,8 @@
+- version: "0.6.4"
+ changes:
+ - description: Update documentation on configuring data view for dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15294
 - version: "0.6.3"
  changes:
  - description: Remove instructions to change the `default_pipeline` for an index

packages/pad/docs/README.md

@@ -76,6 +76,9 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and
  - Index pattern : `.ml-anomalies-shared`
  - Select **Show Advanced settings** enable **Allow hidden and system indices**
  - Custom data view ID: `.ml-anomalies-shared`
+
+ _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below.
+ ![Dashboard Error](../img/dashboard-pad-error.png)
 1. **Enabling detection rules**: You can also enable detection rules to alert on Privileged Access activity in your environment, based on anomalies flagged by the above ML jobs. These rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Privileged Access Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules.
 
 ## Transform

packages/pad/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: pad
 title: "Privileged Access Detection"
-version: 0.6.3
+version: 0.6.4
 source:
  license: "Elastic-2.0"
 description: "ML package to detect anomalous privileged access activity in Windows, Linux and Okta logs"