diff --git a/packages/island_browser/_dev/build/docs/README.md b/packages/island_browser/_dev/build/docs/README.md index e06e5388bc1..54930d923fc 100644 --- a/packages/island_browser/_dev/build/docs/README.md +++ b/packages/island_browser/_dev/build/docs/README.md 
@@ -12,25 +12,24 @@ The Island Browser integration is compatible with `v1` version of Island Browser ### How it works -This integration periodically queries the Island Browser API to retrieve details for devices and users, and audit events. +This integration periodically queries the Island Browser API to retrieve details for devices, users and compromised credentials, and to log audit events. ## What data does this integration collect? This integration collects log messages of the following types: - `Audit`: Collects all timeline audits from the Island Browser via [Audit API endpoint](https://documentation.island.io/apidocs/get-all-timeline-audits-that-match-the-specified-simple-filter). +- `Compromised Credential`: Collects a list of all compromised credentials from the Island Browser via [Compromised Credential API endpoint](https://documentation.island.io/apidocs/get-a-list-of-all-compromised-credentials). - `Device`: Collects a list of all devices from the Island Browser via [Device API endpoint](https://documentation.island.io/apidocs/get-a-list-of-all-devices-1). - `User`: Collects all the users from the Island Browser via [User API endpoint](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter). ->**Note:** Device and user data streams currently do not have an ILM policy applied. A policy will be introduced in an upcoming release. Until then, full sync will be performed, which may result in higher storage costs. - ### Supported use cases -Integrating Island Browser User, Device, and Audit endpoint data with Elastic SIEM provides unified visibility into identity activity, device posture, and security events across the environment. +Integrating Island Browser User, Device, Audit, and Compromised Credential endpoint data with Elastic SIEM provides unified visibility into identity activity, device posture, account exposure, and security events across the environment. 
This integration enables analysts to correlate user behavior, device health, and credential risks within a single view, strengthening both detection and response capabilities. -Dashboards track total and active users, login trends, and group distributions, alongside device insights such as active, archived, and jailbroken states, OS platform distribution, policy updates, browser update status, Windows license status, and MDM provider compliance. +Dashboards track total and active users, login trends, and group distributions, alongside device insights such as active, archived, and jailbroken states, OS platform distribution, policy updates, browser update status, Windows license status, and MDM provider compliance. Compromised Credential visualizations highlight account risks with timelines of exposed records, unresolved credential counts, breach source breakdowns, and distributions by status. Additional charts surface top impacted domains and most affected users, enabling security teams to quickly assess exposure, prioritize remediation, and mitigate identity-based threats. -Audit visualizations further enhance oversight by showing event activity over time, verdicts and reasons, top rules, users, source IPs, event types, geographic distributions, and compatibility modes. Saved searches and tables consolidate essential attributes—including verified emails, device and host IDs, IPs, MACs, users, and organizations—adding valuable investigative context. Together, these insights enable analysts to monitor user behavior, track device health, analyze audit activity, detect anomalies, and strengthen compliance, identity management, and endpoint security oversight. +Audit dashboards further enhance oversight by showing event activity over time, verdicts and reasons, top rules, users, source IPs, event types, geographic distributions, and compatibility modes. 
Saved searches and tables consolidate essential attributes—including verified emails, device and host IDs, IPs, MACs, users, and organizations—adding valuable investigative context. Together, these insights allow organizations to monitor user behavior, track device health, detect compromised accounts, analyze audit activity, and strengthen compliance, identity management, and endpoint security oversight. ## What do I need to use this integration? @@ -123,6 +122,10 @@ For more information on architectures that can be used for scaling this integrat {{fields "audit"}} +#### Compromised Credential + +{{fields "compromised_credential"}} + ### Example event #### User @@ -137,6 +140,10 @@ For more information on architectures that can be used for scaling this integrat {{event "audit"}} +#### Compromised Credential + +{{event "compromised_credential"}} + ### Inputs used These inputs can be used in this integration: @@ -150,3 +157,8 @@ This integration dataset uses the following APIs: - `User`: [Island Browser API](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter). - `Device`: [Island Browser API](https://documentation.island.io/apidocs/get-a-list-of-all-devices-1). - `Audit`: [Island Browser API](https://documentation.island.io/apidocs/get-all-timeline-audits-that-match-the-specified-simple-filter). +- `Compromised Credential`: [Island Browser API](https://documentation.island.io/apidocs/get-a-list-of-all-compromised-credentials). + +#### ILM Policy + +To facilitate user and device data, source data stream-backed indices `.ds-logs-island_browser.user-*` and `.ds-logs-island_browser.device-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-island_browser.user-default_policy` and `logs-island_browser.device-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date. 
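Review bot: the new `#### ILM Policy` paragraph at the end of this README hunk covers only the `user` and `device` source indices, yet the same PR marks `compromised_credential` as a transform source (`labels.is_transform_source: "true"` in its fields), so a reader cannot tell whether `.ds-logs-island_browser.compromised_credential-*` also accumulates a full snapshot per poll and what retention applies to it; extend the paragraph to that data stream or state explicitly that it is retained differently. The wording also needs a pass: `To facilitate user and device data` does not say what is being facilitated (suggest `User and device records are collected as full snapshots on every polling interval, so the source indices ... contain duplicates`), `ILM policy ... is added` should be `policies ... are added`, and `deleted after 30 days from ingested date` should read `30 days after ingestion`. Finally the paragraph is appended directly under the `This integration dataset uses the following APIs:` list, which is not where a retention note belongs; the note that was deleted at the top of this hunk lived next to the data stream list, and this one should replace it there.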
diff --git a/packages/island_browser/_dev/deploy/docker/files/config.yml b/packages/island_browser/_dev/deploy/docker/files/config.yml index 3e151105633..da62fdcf72d 100644 --- a/packages/island_browser/_dev/deploy/docker/files/config.yml +++ b/packages/island_browser/_dev/deploy/docker/files/config.yml 
@@ -835,3 +835,130 @@ rules: "events": [] } `}} + - path: /api/external/v1/compromised-credentials + methods: ['POST'] + request_body: /.*"limit":2,"offset":0,"sortBy":"CompromisedDate","sortDirection":"Asc".*/ + request_headers: + Content-Type: + - "application/json" + Api-Key: + - "xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "compromisedCredentials": [ + { + "breachSource": "Ransomware Attack - April 2025", + "compromisedDate": "2024-09-13T00:00:00Z", + "createdDate": "2024-09-21T09:46:00Z", + "email": "john.doe364@enterprise.io", + "id": "cc-10364-ae99d-20364", + "impactedDomain": "enterprise.io", + "status": "Unresolved", + "tenantId": "tenant-005-tech", + "updatedDate": "2024-09-21T14:40:00Z", + "username": "john.doe364" + }, + { + "breachSource": "Data Leak - January 2025", + "compromisedDate": "2024-09-14T00:00:00Z", + "createdDate": "2024-10-03T04:41:00Z", + "email": "emily.mitchell363@business.net", + "id": "cc-10363-edb53-20363", + "impactedDomain": "business.net", + "status": "Investigating", + "tenantId": "tenant-004-biz", + "updatedDate": "2024-10-03T09:25:00Z", + "username": "emily.mitchell363" + } + ] + } + `}} + - path: /api/external/v1/compromised-credentials + methods: ['POST'] + request_body: /.*"limit":2,"offset":2,"sortBy":"CompromisedDate","sortDirection":"Asc".*/ + request_headers: + Content-Type: + - "application/json" + Api-Key: + - "xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "compromisedCredentials": [ + { + "breachSource": "Phishing Campaign - March 2025", + "compromisedDate": "2024-09-15T00:00:00Z", + "createdDate": "2024-09-18T15:36:00Z", + "email": "joseph.carter362@mycompany.org", + "id": "cc-10362-9cee6-20362", + "impactedDomain": "mycompany.org", + "status": "In Progress", + "tenantId": "tenant-003-corp", + "updatedDate": "2024-09-18T19:28:00Z", + "username": "joseph.carter362" + }, + { + "breachSource": "Corporate Breach - Q2 2025", + "compromisedDate": 
"2024-09-16T00:00:00Z", + "createdDate": "2024-10-12T03:43:00Z", + "email": "abigail.nelson361@testcorp.com", + "id": "cc-10361-1758b-20361", + "impactedDomain": "testcorp.com", + "status": "Resolved", + "tenantId": "tenant-002-secure", + "updatedDate": "2024-10-12T11:05:00Z", + "username": "abigail.nelson361" + } + ] + } + `}} + - path: /api/external/v1/compromised-credentials + methods: ['POST'] + request_body: /.*"limit":2,"offset":4,"sortBy":"CompromisedDate","sortDirection":"Asc".*/ + request_headers: + Content-Type: + - "application/json" + Api-Key: + - "xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "compromisedCredentials": [ + { + "breachSource": "DarkWeb Dump - May 2025", + "compromisedDate": "2024-09-17T00:00:00Z", + "createdDate": "2024-09-23T16:47:00Z", + "email": "christopher.gonzalez360@example.com", + "id": "cc-10360-08b91-20360", + "impactedDomain": "example.com", + "status": "Unresolved", + "tenantId": "tenant-001-island", + "updatedDate": "2024-09-24T16:06:00Z", + "username": "christopher.gonzalez360" + } + ] + } + `}} + - path: /api/external/v1/compromised-credentials + methods: ['POST'] + request_body: /.*"limit":2,"offset":5,"sortBy":"CompromisedDate","sortDirection":"Asc".*/ + request_headers: + Content-Type: + - "application/json" + Api-Key: + - "xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "compromisedCredentials": [] + } + `}} diff --git a/packages/island_browser/changelog.yml b/packages/island_browser/changelog.yml index 66b6d13ec17..573fa6b7bca 100644 --- a/packages/island_browser/changelog.yml +++ b/packages/island_browser/changelog.yml 
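Review bot: the mock fixtures use `enterprise.io`, `business.net`, `mycompany.org` and `testcorp.com` as email and impacted domains; these are real, unreserved names, and shipped sample data should use RFC 2606/6761 reserved domains (`example.com`, `example.net`, `example.org`, `.test`, `.invalid`) as the last record already does, so that nobody's real mailbox appears in a public package. The same five records are repeated verbatim in the pipeline test log and expected JSON, so change them in all three places together. Minor data nit: `breachSource` values name 2025 events (`Ransomware Attack - April 2025`) while every `compromisedDate` is September 2024; sample records that contradict themselves make the dashboards look wrong when a reviewer loads them.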
@@ -1,4 +1,9 @@ # newer versions go on top +- version: 0.4.0 + changes: + - description: Add compromised credential data stream and add ILM policy for user and device data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/15372 - version: 0.3.1 changes: - description: Remove ILM policy from user and device data streams. diff --git a/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-common-config.yml b/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-compromised-credential.log b/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-compromised-credential.log new file mode 100644 index 00000000000..13c16d6ef36 --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-compromised-credential.log 
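Review bot: the 0.4.0 entry bundles two unrelated changes in one `description`. The entry directly below (0.3.1) removed the ILM policy from the user and device data streams and this PR reintroduces it, which anyone bisecting retention behaviour should be able to see as its own line; split it into two `changes` items, e.g. `Add compromised credential data stream.` and `Add ILM policy for user and device data streams.`, both `type: enhancement` with the same `link`.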
@@ -0,0 +1,5 @@ +{"breachSource":"Ransomware Attack - April 2025","compromisedDate":"2024-09-13T00:00:00Z","createdDate":"2024-09-21T09:46:00Z","email":"john.doe364@enterprise.io","id":"cc-10364-ae99d-20364","impactedDomain":"enterprise.io","status":"Unresolved","tenantId":"tenant-005-tech","updatedDate":"2024-09-21T14:40:00Z","username":"john.doe364"} +{"breachSource":"Data Leak - January 2025","compromisedDate":"2024-09-14T00:00:00Z","createdDate":"2024-10-03T04:41:00Z","email":"emily.mitchell363@business.net","id":"cc-10363-edb53-20363","impactedDomain":"business.net","status":"Investigating","tenantId":"tenant-004-biz","updatedDate":"2024-10-03T09:25:00Z","username":"emily.mitchell363"} +{"breachSource":"Phishing Campaign - March 2025","compromisedDate":"2024-09-15T00:00:00Z","createdDate":"2024-09-18T15:36:00Z","email":"joseph.carter362@mycompany.org","id":"cc-10362-9cee6-20362","impactedDomain":"mycompany.org","status":"In Progress","tenantId":"tenant-003-corp","updatedDate":"2024-09-18T19:28:00Z","username":"joseph.carter362"} +{"breachSource":"Corporate Breach - Q2 2025","compromisedDate":"2024-09-16T00:00:00Z","createdDate":"2024-10-12T03:43:00Z","email":"abigail.nelson361@testcorp.com","id":"cc-10361-1758b-20361","impactedDomain":"testcorp.com","status":"Resolved","tenantId":"tenant-002-secure","updatedDate":"2024-10-12T11:05:00Z","username":"abigail.nelson361"} +{"breachSource":"DarkWeb Dump - May 2025","compromisedDate":"2024-09-17T00:00:00Z","createdDate":"2024-09-23T16:47:00Z","email":"christopher.gonzalez360@example.com","id":"cc-10360-08b91-20360","impactedDomain":"example.com","status":"Unresolved","tenantId":"tenant-001-island","updatedDate":"2024-09-24T16:06:00Z","username":"christopher.gonzalez360"} 
diff --git a/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-compromised-credential.log-expected.json b/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-compromised-credential.log-expected.json new file mode 100644 index 00000000000..a4cdd8d5410 --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/_dev/test/pipeline/test-compromised-credential.log-expected.json 
@@ -0,0 +1,229 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2024-09-21T09:46:00.000Z", + "id": "cc-10364-ae99d-20364", + "kind": "event", + "original": "{\"breachSource\":\"Ransomware Attack - April 2025\",\"compromisedDate\":\"2024-09-13T00:00:00Z\",\"createdDate\":\"2024-09-21T09:46:00Z\",\"email\":\"john.doe364@enterprise.io\",\"id\":\"cc-10364-ae99d-20364\",\"impactedDomain\":\"enterprise.io\",\"status\":\"Unresolved\",\"tenantId\":\"tenant-005-tech\",\"updatedDate\":\"2024-09-21T14:40:00Z\",\"username\":\"john.doe364\"}" + }, + "island_browser": { + "compromised_credential": { + "breach_source": "Ransomware Attack - April 2025", + "compromised_date": "2024-09-13T00:00:00.000Z", + "created_date": "2024-09-21T09:46:00.000Z", + "email": "john.doe364@enterprise.io", + "id": "cc-10364-ae99d-20364", + "impacted_domain": "enterprise.io", + "status": "Unresolved", + "tenant_id": "tenant-005-tech", + "updated_date": "2024-09-21T14:40:00.000Z", + "username": "john.doe364" + } + }, + "organization": { + "id": "tenant-005-tech" + }, + "related": { + "user": [ + "john.doe364@enterprise.io", + "john.doe364" + ] + }, + "source": { + "registered_domain": "enterprise.io" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "enterprise.io", + "email": "john.doe364@enterprise.io", + "name": "john.doe364" + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2024-10-03T04:41:00.000Z", + "id": "cc-10363-edb53-20363", + "kind": "event", + "original": "{\"breachSource\":\"Data Leak - January 2025\",\"compromisedDate\":\"2024-09-14T00:00:00Z\",\"createdDate\":\"2024-10-03T04:41:00Z\",\"email\":\"emily.mitchell363@business.net\",\"id\":\"cc-10363-edb53-20363\",\"impactedDomain\":\"business.net\",\"status\":\"Investigating\",\"tenantId\":\"tenant-004-biz\",\"updatedDate\":\"2024-10-03T09:25:00Z\",\"username\":\"emily.mitchell363\"}" + }, + "island_browser": { + "compromised_credential": 
{ + "breach_source": "Data Leak - January 2025", + "compromised_date": "2024-09-14T00:00:00.000Z", + "created_date": "2024-10-03T04:41:00.000Z", + "email": "emily.mitchell363@business.net", + "id": "cc-10363-edb53-20363", + "impacted_domain": "business.net", + "status": "Investigating", + "tenant_id": "tenant-004-biz", + "updated_date": "2024-10-03T09:25:00.000Z", + "username": "emily.mitchell363" + } + }, + "organization": { + "id": "tenant-004-biz" + }, + "related": { + "user": [ + "emily.mitchell363@business.net", + "emily.mitchell363" + ] + }, + "source": { + "registered_domain": "business.net" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "business.net", + "email": "emily.mitchell363@business.net", + "name": "emily.mitchell363" + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2024-09-18T15:36:00.000Z", + "id": "cc-10362-9cee6-20362", + "kind": "event", + "original": "{\"breachSource\":\"Phishing Campaign - March 2025\",\"compromisedDate\":\"2024-09-15T00:00:00Z\",\"createdDate\":\"2024-09-18T15:36:00Z\",\"email\":\"joseph.carter362@mycompany.org\",\"id\":\"cc-10362-9cee6-20362\",\"impactedDomain\":\"mycompany.org\",\"status\":\"In Progress\",\"tenantId\":\"tenant-003-corp\",\"updatedDate\":\"2024-09-18T19:28:00Z\",\"username\":\"joseph.carter362\"}" + }, + "island_browser": { + "compromised_credential": { + "breach_source": "Phishing Campaign - March 2025", + "compromised_date": "2024-09-15T00:00:00.000Z", + "created_date": "2024-09-18T15:36:00.000Z", + "email": "joseph.carter362@mycompany.org", + "id": "cc-10362-9cee6-20362", + "impacted_domain": "mycompany.org", + "status": "In Progress", + "tenant_id": "tenant-003-corp", + "updated_date": "2024-09-18T19:28:00.000Z", + "username": "joseph.carter362" + } + }, + "organization": { + "id": "tenant-003-corp" + }, + "related": { + "user": [ + "joseph.carter362@mycompany.org", + "joseph.carter362" + ] + }, + "source": { + "registered_domain": 
"mycompany.org" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "mycompany.org", + "email": "joseph.carter362@mycompany.org", + "name": "joseph.carter362" + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2024-10-12T03:43:00.000Z", + "id": "cc-10361-1758b-20361", + "kind": "event", + "original": "{\"breachSource\":\"Corporate Breach - Q2 2025\",\"compromisedDate\":\"2024-09-16T00:00:00Z\",\"createdDate\":\"2024-10-12T03:43:00Z\",\"email\":\"abigail.nelson361@testcorp.com\",\"id\":\"cc-10361-1758b-20361\",\"impactedDomain\":\"testcorp.com\",\"status\":\"Resolved\",\"tenantId\":\"tenant-002-secure\",\"updatedDate\":\"2024-10-12T11:05:00Z\",\"username\":\"abigail.nelson361\"}" + }, + "island_browser": { + "compromised_credential": { + "breach_source": "Corporate Breach - Q2 2025", + "compromised_date": "2024-09-16T00:00:00.000Z", + "created_date": "2024-10-12T03:43:00.000Z", + "email": "abigail.nelson361@testcorp.com", + "id": "cc-10361-1758b-20361", + "impacted_domain": "testcorp.com", + "status": "Resolved", + "tenant_id": "tenant-002-secure", + "updated_date": "2024-10-12T11:05:00.000Z", + "username": "abigail.nelson361" + } + }, + "organization": { + "id": "tenant-002-secure" + }, + "related": { + "user": [ + "abigail.nelson361@testcorp.com", + "abigail.nelson361" + ] + }, + "source": { + "registered_domain": "testcorp.com" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "testcorp.com", + "email": "abigail.nelson361@testcorp.com", + "name": "abigail.nelson361" + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "created": "2024-09-23T16:47:00.000Z", + "id": "cc-10360-08b91-20360", + "kind": "event", + "original": "{\"breachSource\":\"DarkWeb Dump - May 
2025\",\"compromisedDate\":\"2024-09-17T00:00:00Z\",\"createdDate\":\"2024-09-23T16:47:00Z\",\"email\":\"christopher.gonzalez360@example.com\",\"id\":\"cc-10360-08b91-20360\",\"impactedDomain\":\"example.com\",\"status\":\"Unresolved\",\"tenantId\":\"tenant-001-island\",\"updatedDate\":\"2024-09-24T16:06:00Z\",\"username\":\"christopher.gonzalez360\"}" + }, + "island_browser": { + "compromised_credential": { + "breach_source": "DarkWeb Dump - May 2025", + "compromised_date": "2024-09-17T00:00:00.000Z", + "created_date": "2024-09-23T16:47:00.000Z", + "email": "christopher.gonzalez360@example.com", + "id": "cc-10360-08b91-20360", + "impacted_domain": "example.com", + "status": "Unresolved", + "tenant_id": "tenant-001-island", + "updated_date": "2024-09-24T16:06:00.000Z", + "username": "christopher.gonzalez360" + } + }, + "organization": { + "id": "tenant-001-island" + }, + "related": { + "user": [ + "christopher.gonzalez360@example.com", + "christopher.gonzalez360" + ] + }, + "source": { + "registered_domain": "example.com" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.com", + "email": "christopher.gonzalez360@example.com", + "name": "christopher.gonzalez360" + } + } + ] +} diff --git a/packages/island_browser/data_stream/compromised_credential/_dev/test/system/test-default-config.yml b/packages/island_browser/data_stream/compromised_credential/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..821257be36f --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/_dev/test/system/test-default-config.yml @@ -0,0 +1,13 @@ +input: cel +service: island_browser +vars: + url: http://{{Hostname}}:{{Port}} + api_key: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true + batch_size: 2 + initial_interval: 24h +assert: + hit_count: 5 
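Review bot: `initial_interval: 24h` in the system test config has no observable effect, because the config.yml rules match `request_body` only on `limit`, `offset`, `sortBy` and `sortDirection`; `start` and `end` are never checked, so `hit_count: 5` passes regardless of what window the CEL program sends and the cursor logic is effectively untested. Pinning at least `"start":"` and `"end":"` in the regex (or matching the first-page body against a fixed `start` derived from a fixed `now` via the input's `time` override) would make the test meaningful. Separately, the expected documents carry `event.created` but no `@timestamp`, which confirms the pipeline never sets one; see the note on the ingest pipeline hunk.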
diff --git a/packages/island_browser/data_stream/compromised_credential/agent/stream/cel.yml.hbs b/packages/island_browser/data_stream/compromised_credential/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..77595b2f055 --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/agent/stream/cel.yml.hbs 
@@ -0,0 +1,104 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} + +state: + batch_size: {{batch_size}} + offset: 0 + api_key: {{api_key}} + initial_interval: {{initial_interval}} +redact: + fields: + - api_key +program: | + ( + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)), + "end_time": now.format(time_layout.RFC3339), + }) + ).as(state, + state.url.trim_right("/").as(base_url, state.with( + post_request( + base_url + "/api/external/v1/compromised-credentials", + "application/json", + { + "limit": state.batch_size, + "offset": state.offset, + "start": state.start_time, + "end": state.end_time, + "sortBy": "CompromisedDate", + "sortDirection": "Asc" + }.encode_json() + ).with({ + "Header":{ + "Content-Type": ["application/json"], + "api-key": [state.api_key], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": (size(body.compromisedCredentials) != 0) ? + body.compromisedCredentials.map(e,{ + "message": e.encode_json(), + }) + : + [{ + "message": "retry" + }], + "offset": body.?compromisedCredentials[0].hasValue() ? int(state.offset) + body.compromisedCredentials.size() : 0, + "want_more": body.?compromisedCredentials[0].hasValue(), + "cursor": { + "last_timestamp": state.end_time + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + base_url + "/api/external/v1/compromised-credentials: " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/island_browser/data_stream/compromised_credential/elasticsearch/ingest_pipeline/default.yml b/packages/island_browser/data_stream/compromised_credential/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..ab8ed7d42db --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/elasticsearch/ingest_pipeline/default.yml 
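Review bot: the cursor is advanced on every successful page (`"cursor": {"last_timestamp": state.end_time}` sits inside the 200 branch) instead of when pagination completes, and the error branch returns `"want_more": false` without resetting `offset`. If page two of a window fails, the next run computes `start_time` from the already advanced cursor while `offset` is still 2, so the remaining pages of the failed window are never fetched and the first two records of the new window are skipped as well. Only write `cursor.last_timestamp` once `want_more` is false (keep it in a scratch field such as `next_cursor` until the empty page arrives) and add `"offset": 0` to the error branch. One more question for the body comment: the request sends `start`/`end` but sorts by `CompromisedDate`; if the API applies the window to `compromisedDate`, a record whose `status` later moves from `Unresolved` to `Resolved` (the fixtures show `updatedDate` well after `compromisedDate`) will never be re-collected once its window has passed, which matters for the `unresolved credential counts` the README promises.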
@@ -0,0 +1,218 @@ +--- +description: Pipeline for processing compromised_credential logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + - drop: + if: ctx.message == 'retry' + tag: drop_retry_events + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - set: + field: event.kind + tag: set_event_kind + value: event + - json: + field: event.original + tag: json_event_original + target_field: json + - rename: + field: json.breachSource + tag: rename_breachSource + target_field: island_browser.compromised_credential.breach_source + ignore_missing: true + - date: + field: json.compromisedDate + tag: date_compromisedDate + target_field: island_browser.compromised_credential.compromised_date + formats: + - ISO8601 + if: ctx.json?.compromisedDate != null && ctx.json.compromisedDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.createdDate + tag: date_createdDate + target_field: island_browser.compromised_credential.created_date + formats: + - ISO8601 + if: 
ctx.json?.createdDate != null && ctx.json.createdDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created_from_compromised_credential_created_date + copy_from: island_browser.compromised_credential.created_date + ignore_empty_value: true + - rename: + field: json.email + tag: rename_email + target_field: island_browser.compromised_credential.email + ignore_missing: true + - set: + field: user.email + tag: set_user_email_from_compromised_credential_email + copy_from: island_browser.compromised_credential.email + ignore_empty_value: true + - dissect: + if: ctx.user?.email != null && ctx.user.email.contains('@') + tag: dissect_user_email + field: user.email + pattern: '%{_temp}@%{user.domain}' + - append: + field: related.user + tag: append_compromised_credential_email_into_related_user + value: '{{{island_browser.compromised_credential.email}}}' + allow_duplicates: false + if: ctx.island_browser?.compromised_credential?.email != null + - rename: + field: json.id + tag: rename_id + target_field: island_browser.compromised_credential.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_compromised_credential_id + copy_from: island_browser.compromised_credential.id + ignore_empty_value: true + - rename: + field: json.impactedDomain + tag: rename_impactedDomain + target_field: island_browser.compromised_credential.impacted_domain + ignore_missing: true + - set: + field: source.registered_domain + tag: set_source_registered_domain_from_compromised_credential_impacted_domain + copy_from: island_browser.compromised_credential.impacted_domain + ignore_empty_value: true + - rename: + field: json.status + tag: rename_status + target_field: island_browser.compromised_credential.status + 
ignore_missing: true + - rename: + field: json.tenantId + tag: rename_tenantId + target_field: island_browser.compromised_credential.tenant_id + ignore_missing: true + - set: + field: organization.id + tag: set_organization_id_from_compromised_credential_tenant_id + copy_from: island_browser.compromised_credential.tenant_id + ignore_empty_value: true + - date: + field: json.updatedDate + tag: date_updatedDate + target_field: island_browser.compromised_credential.updated_date + formats: + - ISO8601 + if: ctx.json?.updatedDate != null && ctx.json.updatedDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.username + tag: rename_username + target_field: island_browser.compromised_credential.username + ignore_missing: true + - set: + field: user.name + tag: set_user_name_from_compromised_credential_username + copy_from: island_browser.compromised_credential.username + ignore_empty_value: true + - append: + field: related.user + tag: append_compromised_credential_username_into_related_user + value: '{{{island_browser.compromised_credential.username}}}' + allow_duplicates: false + if: ctx.island_browser?.compromised_credential?.username != null + - remove: + field: + - island_browser.compromised_credential.created_date + - island_browser.compromised_credential.email + - island_browser.compromised_credential.id + - island_browser.compromised_credential.impacted_domain + - island_browser.compromised_credential.tenant_id + - island_browser.compromised_credential.username + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: + - json + - _temp + tag: remove_json_and_temp + ignore_missing: true + - script: + tag: 
script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/island_browser/data_stream/compromised_credential/fields/base-fields.yml b/packages/island_browser/data_stream/compromised_credential/fields/base-fields.yml new file mode 100644 index 00000000000..0aa2eb308e6 --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/fields/base-fields.yml 
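Review bot: no processor sets `@timestamp`, so every document gets the agent's collection time while the record carries three real timestamps (`compromisedDate`, `createdDate`, `updatedDate`); set `@timestamp` from `updatedDate` (or `compromisedDate`, whichever the exposure timeline dashboards are meant to plot) with the same ISO8601 `date` processor and `on_failure` block already used for the other three. Two ECS points: `source.registered_domain` is a network source field, and `impactedDomain` is the organisation domain of the exposed account, which the `dissect_user_email` processor already expresses as `user.domain`; drop `set_source_registered_domain_from_compromised_credential_impacted_domain` or say why a compromised credential has a network source. And `event.kind` is set but `event.category` and `event.type` are not; `iam`/`user` with `info` would let the SIEM's standard views find these records. Minor: when the email domain and `impacted_domain` disagree, the pipeline silently keeps both in different fields; note which one is authoritative.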
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: island_browser +- name: event.dataset + type: constant_keyword + external: ecs + value: island_browser.compromised_credential +- name: '@timestamp' + external: ecs diff --git a/packages/island_browser/data_stream/compromised_credential/fields/beats.yml b/packages/island_browser/data_stream/compromised_credential/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/island_browser/data_stream/compromised_credential/fields/ecs.yml b/packages/island_browser/data_stream/compromised_credential/fields/ecs.yml new file mode 100644 index 00000000000..b7033ee453d --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/fields/ecs.yml @@ -0,0 +1,9 @@ +# Define ECS constant fields as constant_keyword +- name: observer.product + external: ecs + type: constant_keyword + value: Island Enterprise Browser +- name: observer.vendor + external: ecs + type: constant_keyword + value: Island diff --git a/packages/island_browser/data_stream/compromised_credential/fields/fields.yml b/packages/island_browser/data_stream/compromised_credential/fields/fields.yml new file mode 100644 index 00000000000..c73609ee9f3 --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/fields/fields.yml 
@@ -0,0 +1,26 @@ +- name: island_browser + type: group + fields: + - name: compromised_credential + type: group + fields: + - name: breach_source + type: keyword + - name: compromised_date + type: date + - name: created_date + type: date + - name: email + type: keyword + - name: id + type: keyword + - name: impacted_domain + type: keyword + - name: status + type: keyword + - name: tenant_id + type: keyword + - name: updated_date + type: date + - name: username + type: keyword diff --git a/packages/island_browser/data_stream/compromised_credential/fields/is-transform-source-true.yml b/packages/island_browser/data_stream/compromised_credential/fields/is-transform-source-true.yml new file mode 100644 index 00000000000..fd4766eacd5 --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/fields/is-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "true" diff --git a/packages/island_browser/data_stream/compromised_credential/manifest.yml b/packages/island_browser/data_stream/compromised_credential/manifest.yml new file mode 100644 index 00000000000..bfbb52a0c7b --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/manifest.yml 
@@ -0,0 +1,88 @@ +title: Collect Compromised Credential logs from Island Browser. +type: logs +streams: + - input: cel + title: Island Browser Compromised Credential Logs + description: Collect Island Browser Compromised Credential Logs. + template_path: cel.yml.hbs + enabled: false + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the Compromised Credential events from Island Browser API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Island Browser API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 1h + - name: batch_size + type: integer + title: Batch Size + description: Page size for the response of the Island Browser API. + multi: false + required: true + show_user: false + default: 100 + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + default: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field event.original. + multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. 
+ multi: true + required: true + show_user: false + default: + - forwarded + - island_browser-compromised_credential + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve island_browser.compromised_credential fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/island_browser/data_stream/compromised_credential/sample_event.json b/packages/island_browser/data_stream/compromised_credential/sample_event.json new file mode 100644 index 00000000000..0e94dc0af5b --- /dev/null +++ b/packages/island_browser/data_stream/compromised_credential/sample_event.json 
@@ -0,0 +1,72 @@ +{ + "@timestamp": "2025-09-15T06:38:06.177Z", + "agent": { + "ephemeral_id": "1bc13c0a-9d03-40d6-8e50-5e78294c111e", + "id": "ad1d3c39-3a1c-4004-91f0-aa1d27fd6242", + "name": "elastic-agent-26694", + "type": "filebeat", + "version": "8.18.5" + }, + "data_stream": { + "dataset": "island_browser.compromised_credential", + "namespace": "40655", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "ad1d3c39-3a1c-4004-91f0-aa1d27fd6242", + "snapshot": false, + "version": "8.18.5" + }, + "event": { + "agent_id_status": "verified", + "created": "2024-09-21T09:46:00.000Z", + "dataset": "island_browser.compromised_credential", + "id": "cc-10364-ae99d-20364", + "ingested": "2025-09-15T06:38:09Z", + "kind": "event", + "original": "{\"breachSource\":\"Ransomware Attack - April 2025\",\"compromisedDate\":\"2024-09-13T00:00:00Z\",\"createdDate\":\"2024-09-21T09:46:00Z\",\"email\":\"john.doe364@enterprise.io\",\"id\":\"cc-10364-ae99d-20364\",\"impactedDomain\":\"enterprise.io\",\"status\":\"Unresolved\",\"tenantId\":\"tenant-005-tech\",\"updatedDate\":\"2024-09-21T14:40:00Z\",\"username\":\"john.doe364\"}" + }, + "input": { + "type": "cel" + }, + "island_browser": { + "compromised_credential": { + "breach_source": "Ransomware Attack - April 2025", + "compromised_date": "2024-09-13T00:00:00.000Z", + "created_date": "2024-09-21T09:46:00.000Z", + "email": "john.doe364@enterprise.io", + "id": "cc-10364-ae99d-20364", + "impacted_domain": "enterprise.io", + "status": "Unresolved", + "tenant_id": "tenant-005-tech", + "updated_date": "2024-09-21T14:40:00.000Z", + "username": "john.doe364" + } + }, + "organization": { + "id": "tenant-005-tech" + }, + "related": { + "user": [ + "john.doe364@enterprise.io", + "john.doe364" + ] + }, + "source": { + "registered_domain": "enterprise.io" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "island_browser-compromised_credential" + ], + "user": 
{ + "domain": "enterprise.io", + "email": "john.doe364@enterprise.io", + "name": "john.doe364" + } +} diff --git a/packages/island_browser/data_stream/device/elasticsearch/ilm/default_policy.json b/packages/island_browser/data_stream/device/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..24bbfc79405 --- /dev/null +++ b/packages/island_browser/data_stream/device/elasticsearch/ilm/default_policy.json @@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "30d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/island_browser/data_stream/device/lifecycle.yml b/packages/island_browser/data_stream/device/lifecycle.yml new file mode 100644 index 00000000000..f7b0d98d5aa --- /dev/null +++ b/packages/island_browser/data_stream/device/lifecycle.yml @@ -0,0 +1 @@ +data_retention: '30d' diff --git a/packages/island_browser/data_stream/device/manifest.yml b/packages/island_browser/data_stream/device/manifest.yml index 96bc770a24b..ffd0edc4fe2 100644 --- a/packages/island_browser/data_stream/device/manifest.yml +++ b/packages/island_browser/data_stream/device/manifest.yml @@ -1,5 +1,6 @@ title: Collect Device logs from Island Browser. type: logs +ilm_policy: logs-island_browser.device-default_policy streams: - input: cel title: Island Browser Device Logs diff --git a/packages/island_browser/data_stream/user/elasticsearch/ilm/default_policy.json b/packages/island_browser/data_stream/user/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..24bbfc79405 --- /dev/null +++ b/packages/island_browser/data_stream/user/elasticsearch/ilm/default_policy.json 
@@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "30d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/island_browser/data_stream/user/lifecycle.yml b/packages/island_browser/data_stream/user/lifecycle.yml new file mode 100644 index 00000000000..b56a81e81d7 --- /dev/null +++ b/packages/island_browser/data_stream/user/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "30d" diff --git a/packages/island_browser/data_stream/user/manifest.yml b/packages/island_browser/data_stream/user/manifest.yml index 5bc9884ab07..1eb764a1c63 100644 --- a/packages/island_browser/data_stream/user/manifest.yml +++ b/packages/island_browser/data_stream/user/manifest.yml @@ -1,5 +1,6 @@ title: Collect User logs from Island Browser. type: logs +ilm_policy: logs-island_browser.user-default_policy streams: - input: cel title: Island Browser User Logs diff --git a/packages/island_browser/docs/README.md b/packages/island_browser/docs/README.md index 06ed107529a..89119c5f01f 100644 --- a/packages/island_browser/docs/README.md +++ b/packages/island_browser/docs/README.md 
@@ -12,25 +12,24 @@ The Island Browser integration is compatible with `v1` version of Island Browser ### How it works -This integration periodically queries the Island Browser API to retrieve details for devices and users, and audit events. +This integration periodically queries the Island Browser API to retrieve details for devices, users and compromised credentials, and to log audit events. ## What data does this integration collect? This integration collects log messages of the following types: - `Audit`: Collects all timeline audits from the Island Browser via [Audit API endpoint](https://documentation.island.io/apidocs/get-all-timeline-audits-that-match-the-specified-simple-filter). +- `Compromised Credential`: Collects a list of all compromised credentials from the Island Browser via [Compromised Credential API endpoint](https://documentation.island.io/apidocs/get-a-list-of-all-compromised-credentials). - `Device`: Collects a list of all devices from the Island Browser via [Device API endpoint](https://documentation.island.io/apidocs/get-a-list-of-all-devices-1). - `User`: Collects all the users from the Island Browser via [User API endpoint](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter). ->**Note:** Device and user data streams currently do not have an ILM policy applied. A policy will be introduced in an upcoming release. Until then, full sync will be performed, which may result in higher storage costs. - ### Supported use cases -Integrating Island Browser User, Device, and Audit endpoint data with Elastic SIEM provides unified visibility into identity activity, device posture, and security events across the environment. +Integrating Island Browser User, Device, Audit, and Compromised Credential endpoint data with Elastic SIEM provides unified visibility into identity activity, device posture, account exposure, and security events across the environment. 
This integration enables analysts to correlate user behavior, device health, and credential risks within a single view, strengthening both detection and response capabilities. -Dashboards track total and active users, login trends, and group distributions, alongside device insights such as active, archived, and jailbroken states, OS platform distribution, policy updates, browser update status, Windows license status, and MDM provider compliance. +Dashboards track total and active users, login trends, and group distributions, alongside device insights such as active, archived, and jailbroken states, OS platform distribution, policy updates, browser update status, Windows license status, and MDM provider compliance. Compromised Credential visualizations highlight account risks with timelines of exposed records, unresolved credential counts, breach source breakdowns, and distributions by status. Additional charts surface top impacted domains and most affected users, enabling security teams to quickly assess exposure, prioritize remediation, and mitigate identity-based threats. -Audit visualizations further enhance oversight by showing event activity over time, verdicts and reasons, top rules, users, source IPs, event types, geographic distributions, and compatibility modes. Saved searches and tables consolidate essential attributes—including verified emails, device and host IDs, IPs, MACs, users, and organizations—adding valuable investigative context. Together, these insights enable analysts to monitor user behavior, track device health, analyze audit activity, detect anomalies, and strengthen compliance, identity management, and endpoint security oversight. +Audit dashboards further enhance oversight by showing event activity over time, verdicts and reasons, top rules, users, source IPs, event types, geographic distributions, and compatibility modes. 
Saved searches and tables consolidate essential attributes—including verified emails, device and host IDs, IPs, MACs, users, and organizations—adding valuable investigative context. Together, these insights allow organizations to monitor user behavior, track device health, detect compromised accounts, analyze audit activity, and strengthen compliance, identity management, and endpoint security oversight. ## What do I need to use this integration? 
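Review bot: the rewritten "How it works" line now reads "and to log audit events", which changes the meaning; the integration retrieves audit events from the API exactly as it retrieves the other three types, so "devices, users, compromised credentials and audit events" is the accurate wording. The same hunk deletes the note that device and user streams lacked an ILM policy, which is correct now that both manifests set `ilm_policy`, but the new `compromised_credential` data stream added in this PR is also a transform source (`labels.is_transform_source: "true"`) that is re-synced every `interval`, and this diff gives it no `ilm_policy`, no `lifecycle.yml` and no `elasticsearch/ilm/default_policy.json`, so it is in precisely the situation the deleted note described. Either add the same 30d policy to that data stream and list it in the new "ILM Policy" section alongside `logs-island_browser.user-default_policy` and `logs-island_browser.device-default_policy`, or keep a note saying it is not yet covered.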
@@ -310,6 +309,35 @@ For more information on architectures that can be used for scaling this integrat | observer.vendor | Vendor name of the observer. | constant_keyword | +#### Compromised Credential + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. 
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| island_browser.compromised_credential.breach_source | | keyword | +| island_browser.compromised_credential.compromised_date | | date | +| island_browser.compromised_credential.created_date | | date | +| island_browser.compromised_credential.email | | keyword | +| island_browser.compromised_credential.id | | keyword | +| island_browser.compromised_credential.impacted_domain | | keyword | +| island_browser.compromised_credential.status | | keyword | +| island_browser.compromised_credential.tenant_id | | keyword | +| island_browser.compromised_credential.updated_date | | date | +| island_browser.compromised_credential.username | | keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. | long | +| observer.product | The product name of the observer. | constant_keyword | +| observer.vendor | Vendor name of the observer. | constant_keyword | + + ### Example event #### User 
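Review bot: all ten `island_browser.compromised_credential.*` rows in this table have an empty Description cell (for example `| island_browser.compromised_credential.breach_source | | keyword |`), because the new `fields/fields.yml` (the same blob, `c73609ee9f3`, is used for both the data stream and the `latest_compromised_credential` transform) defines only `name` and `type`. Add a `description:` to each field in both copies, at minimum naming the API attribute it holds (`breachSource`, `compromisedDate`, `impactedDomain`, and so on) and, for `status`, the values seen from the API (`Unresolved` in the sample event), then regenerate the README so the table is useful to someone writing a detection on these fields.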
@@ -770,6 +798,85 @@ An example event for `audit` looks as following: } ``` +#### Compromised Credential + +An example event for `compromised_credential` looks as following: + +```json +{ + "@timestamp": "2025-09-15T06:38:06.177Z", + "agent": { + "ephemeral_id": "1bc13c0a-9d03-40d6-8e50-5e78294c111e", + "id": "ad1d3c39-3a1c-4004-91f0-aa1d27fd6242", + "name": "elastic-agent-26694", + "type": "filebeat", + "version": "8.18.5" + }, + "data_stream": { + "dataset": "island_browser.compromised_credential", + "namespace": "40655", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "ad1d3c39-3a1c-4004-91f0-aa1d27fd6242", + "snapshot": false, + "version": "8.18.5" + }, + "event": { + "agent_id_status": "verified", + "created": "2024-09-21T09:46:00.000Z", + "dataset": "island_browser.compromised_credential", + "id": "cc-10364-ae99d-20364", + "ingested": "2025-09-15T06:38:09Z", + "kind": "event", + "original": "{\"breachSource\":\"Ransomware Attack - April 2025\",\"compromisedDate\":\"2024-09-13T00:00:00Z\",\"createdDate\":\"2024-09-21T09:46:00Z\",\"email\":\"john.doe364@enterprise.io\",\"id\":\"cc-10364-ae99d-20364\",\"impactedDomain\":\"enterprise.io\",\"status\":\"Unresolved\",\"tenantId\":\"tenant-005-tech\",\"updatedDate\":\"2024-09-21T14:40:00Z\",\"username\":\"john.doe364\"}" + }, + "input": { + "type": "cel" + }, + "island_browser": { + "compromised_credential": { + "breach_source": "Ransomware Attack - April 2025", + "compromised_date": "2024-09-13T00:00:00.000Z", + "created_date": "2024-09-21T09:46:00.000Z", + "email": "john.doe364@enterprise.io", + "id": "cc-10364-ae99d-20364", + "impacted_domain": "enterprise.io", + "status": "Unresolved", + "tenant_id": "tenant-005-tech", + "updated_date": "2024-09-21T14:40:00.000Z", + "username": "john.doe364" + } + }, + "organization": { + "id": "tenant-005-tech" + }, + "related": { + "user": [ + "john.doe364@enterprise.io", + "john.doe364" + ] + }, + "source": { + "registered_domain": 
"enterprise.io" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "island_browser-compromised_credential" + ], + "user": { + "domain": "enterprise.io", + "email": "john.doe364@enterprise.io", + "name": "john.doe364" + } +} +``` + ### Inputs used These inputs can be used in this integration: @@ -783,3 +890,8 @@ This integration dataset uses the following APIs: - `User`: [Island Browser API](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter). - `Device`: [Island Browser API](https://documentation.island.io/apidocs/get-a-list-of-all-devices-1). - `Audit`: [Island Browser API](https://documentation.island.io/apidocs/get-all-timeline-audits-that-match-the-specified-simple-filter). +- `Compromised Credential`: [Island Browser API](https://documentation.island.io/apidocs/get-a-list-of-all-compromised-credentials). + +#### ILM Policy + +To facilitate user and device data, source data stream-backed indices `.ds-logs-island_browser.user-*` and `.ds-logs-island_browser.device-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-island_browser.user-default_policy` and `logs-island_browser.device-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date. diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/base-fields.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/base-fields.yml new file mode 100644 index 00000000000..0aa2eb308e6 --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: island_browser +- name: event.dataset + type: constant_keyword + external: ecs + value: island_browser.compromised_credential +- name: '@timestamp' + external: ecs diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/beats.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/ecs.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/ecs.yml new file mode 100644 index 00000000000..5fb66459148 --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/ecs.yml 
@@ -0,0 +1,43 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.created +- external: ecs + name: event.id +- external: ecs + name: event.ingested + type: date +- external: ecs + name: event.kind +- external: ecs + name: observer.product + type: constant_keyword + value: Island Enterprise Browser +- external: ecs + name: observer.vendor + type: constant_keyword + value: Island +- external: ecs + name: organization.id +- external: ecs + name: related.user +- external: ecs + name: source.registered_domain +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: user.name diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/fields.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/fields.yml new file mode 100644 index 00000000000..c73609ee9f3 --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/fields.yml @@ -0,0 +1,26 @@ +- name: island_browser + type: group + fields: + - name: compromised_credential + type: group + fields: + - name: breach_source + type: keyword + - name: compromised_date + type: date + - name: created_date + type: date + - name: email + type: keyword + - name: id + type: keyword + - name: impacted_domain + type: keyword + - name: status + type: keyword + - name: tenant_id + type: keyword + - name: updated_date + type: date + - name: username + type: keyword 
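Review bot: `source.registered_domain` is declared in this field list and, in the sample event, is populated with the impacted domain (`"source": { "registered_domain": "enterprise.io" }`), but a compromised-credential record has no network source; ECS `source.*` describes the originating endpoint of an event, so filling it from `impactedDomain` will mislead any dashboard or rule that aggregates on `source.*` expecting a client address. `user.domain` already carries the same value in the sample, so drop the mapping that sets `source.registered_domain` (and remove it from this list and from `sample_event.json`), or document in the README why it is set for this data stream.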
diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/is-transform-source-false.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/is-transform-source-false.yml new file mode 100644 index 00000000000..490a079e7a7 --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/fields/is-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "false" diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/manifest.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/manifest.yml new file mode 100644 index 00000000000..24e9e926793 --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/manifest.yml @@ -0,0 +1,11 @@ +start: true +destination_index_template: + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/island_browser/elasticsearch/transform/latest_compromised_credential/transform.yml b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/transform.yml new file mode 100644 index 00000000000..2dc49ed6f53 --- /dev/null +++ b/packages/island_browser/elasticsearch/transform/latest_compromised_credential/transform.yml 
@@ -0,0 +1,37 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-island_browser.compromised_credential-*" +dest: + index: "logs-island_browser_latest.dest_compromised_credential-1" + aliases: + - alias: "logs-island_browser_latest.compromised_credential" + move_on_creation: true +latest: + unique_key: + - event.dataset + - event.id + sort: "@timestamp" +description: >- + Latest compromised credentials from Island Browser. As compromised credentials get updated, this transform stores only the latest state of each compromised credential inside the destination index. Thus the transform's destination index contains only the latest state of the compromised credential. +frequency: 30s +settings: + # This is required to prevent the transform from clobbering the Fleet-managed mappings. + deduce_mappings: false + unattended: true +sync: + time: + field: "event.ingested" + # Updated to 120s because of refresh delay in Serverless. With default 60s, + # sometimes transform wouldn't process all documents. + delay: 120s +retention_policy: + time: + field: "event.ingested" + max_age: 30d +_meta: + managed: false + # Bump this version to delete, reinstall, and restart the transform during + # package installation. + fleet_transform_version: 0.1.0 + run_as_kibana_system: false diff --git a/packages/island_browser/elasticsearch/transform/latest_device/fields/ecs.yml b/packages/island_browser/elasticsearch/transform/latest_device/fields/ecs.yml index 4bccaae98bb..5cf293b7fd3 100644 --- a/packages/island_browser/elasticsearch/transform/latest_device/fields/ecs.yml +++ b/packages/island_browser/elasticsearch/transform/latest_device/fields/ecs.yml @@ -51,8 +51,12 @@ name: host.type - external: ecs name: observer.product + type: constant_keyword + value: Island Enterprise Browser - external: ecs name: observer.vendor + type: constant_keyword + value: Island - external: ecs name: organization.id - external: ecs 
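Review bot: the comment `# Updated to 120s because of refresh delay in Serverless.` above `delay: 120s` describes a change history this brand-new file never had; state the reason directly, for example "120s rather than the default 60s because of the refresh delay in Serverless". Separately, the `description` should say what "latest" means here: `sort: "@timestamp"` with `unique_key` of `event.dataset` and `event.id` keeps the newest document per credential id, and in the sample event `@timestamp` (2025-09-15) is the collection time while `updated_date` is 2024-09-21, so the winner is the most recently polled copy rather than the record with the newest `updatedDate`. That is the right behaviour for a full sync each interval, but spelling it out stops a later change from swapping the sort field to `island_browser.compromised_credential.updated_date` without realising that every poll of an unchanged record would then tie.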
diff --git a/packages/island_browser/elasticsearch/transform/latest_device/transform.yml b/packages/island_browser/elasticsearch/transform/latest_device/transform.yml index 2becef74b32..ed97db5398d 100644 --- a/packages/island_browser/elasticsearch/transform/latest_device/transform.yml +++ b/packages/island_browser/elasticsearch/transform/latest_device/transform.yml @@ -3,7 +3,7 @@ source: index: - "logs-island_browser.device-*" dest: - index: "logs-island_browser_latest.dest_device-1" + index: "logs-island_browser_latest.dest_device-2" aliases: - alias: "logs-island_browser_latest.device" move_on_creation: true @@ -34,5 +34,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 0.1.0 + fleet_transform_version: 0.2.0 run_as_kibana_system: false diff --git a/packages/island_browser/elasticsearch/transform/latest_user/fields/ecs.yml b/packages/island_browser/elasticsearch/transform/latest_user/fields/ecs.yml index 1879e0551a6..e7ffc8de393 100644 --- a/packages/island_browser/elasticsearch/transform/latest_user/fields/ecs.yml +++ b/packages/island_browser/elasticsearch/transform/latest_user/fields/ecs.yml @@ -27,8 +27,12 @@ name: event.type - external: ecs name: observer.product + type: constant_keyword + value: Island Enterprise Browser - external: ecs name: observer.vendor + type: constant_keyword + value: Island - external: ecs name: organization.id - external: ecs diff --git a/packages/island_browser/elasticsearch/transform/latest_user/transform.yml b/packages/island_browser/elasticsearch/transform/latest_user/transform.yml index 409345b31ef..69eb4d8c117 100644 --- a/packages/island_browser/elasticsearch/transform/latest_user/transform.yml +++ b/packages/island_browser/elasticsearch/transform/latest_user/transform.yml 
@@ -3,7 +3,7 @@ source: index: - "logs-island_browser.user-*" dest: - index: "logs-island_browser_latest.dest_user-1" + index: "logs-island_browser_latest.dest_user-2" aliases: - alias: "logs-island_browser_latest.user" move_on_creation: true @@ -34,5 +34,5 @@ _meta: managed: false # Bump this version to delete, reinstall, and restart the transform during # package installation. - fleet_transform_version: 0.1.0 + fleet_transform_version: 0.2.0 run_as_kibana_system: false diff --git a/packages/island_browser/img/island-browser-audit-dashboard.png b/packages/island_browser/img/island-browser-audit-dashboard.png index c4119cabbd5..ce4c16ce657 100644 Binary files a/packages/island_browser/img/island-browser-audit-dashboard.png and b/packages/island_browser/img/island-browser-audit-dashboard.png differ diff --git a/packages/island_browser/img/island-browser-compromised-credential-dashboard.png b/packages/island_browser/img/island-browser-compromised-credential-dashboard.png new file mode 100644 index 00000000000..f15242974b7 Binary files /dev/null and b/packages/island_browser/img/island-browser-compromised-credential-dashboard.png differ diff --git a/packages/island_browser/img/island-browser-device-dashboard.png b/packages/island_browser/img/island-browser-device-dashboard.png index 3e9dbd55971..78f665843c5 100644 Binary files a/packages/island_browser/img/island-browser-device-dashboard.png and b/packages/island_browser/img/island-browser-device-dashboard.png differ diff --git a/packages/island_browser/img/island-browser-user-dashboard.png b/packages/island_browser/img/island-browser-user-dashboard.png index 8fd28d3da37..3559bbc32c2 100644 Binary files a/packages/island_browser/img/island-browser-user-dashboard.png and b/packages/island_browser/img/island-browser-user-dashboard.png differ 
diff --git a/packages/island_browser/kibana/dashboard/island_browser-1bcda810-8ace-46ea-9a41-f9179ac63f36.json b/packages/island_browser/kibana/dashboard/island_browser-1bcda810-8ace-46ea-9a41-f9179ac63f36.json index 7ae9a20efef..f79483eb4b4 100644 --- a/packages/island_browser/kibana/dashboard/island_browser-1bcda810-8ace-46ea-9a41-f9179ac63f36.json +++ b/packages/island_browser/kibana/dashboard/island_browser-1bcda810-8ace-46ea-9a41-f9179ac63f36.json @@ -1437,6 +1437,18 @@ }, "order": 2, "type": "dashboardLink" + }, + { + "destinationRefName": "link_e235c58f-c130-4999-bf45-f102e990be95_dashboard", + "id": "e235c58f-c130-4999-bf45-f102e990be95", + "label": "Compromised Credential", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 3, + "type": "dashboardLink" } ] }, @@ -1499,7 +1511,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-16T13:02:35.646Z", + "created_at": "2025-09-19T09:03:41.130Z", "id": "island_browser-1bcda810-8ace-46ea-9a41-f9179ac63f36", "references": [ { @@ -1577,6 +1589,11 @@ "name": "a9776018-68c8-4157-ad82-e1e3818b0fe5:link_fe817f3f-26f4-495e-8efc-36c937f0597b_dashboard", "type": "dashboard" }, + { + "id": "island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c", + "name": "a9776018-68c8-4157-ad82-e1e3818b0fe5:link_e235c58f-c130-4999-bf45-f102e990be95_dashboard", + "type": "dashboard" + }, { "id": "logs-*", "name": "controlGroup_b36feb0d-2ba8-4dd2-9196-fc0f68c93ae1:optionsListDataView", diff --git a/packages/island_browser/kibana/dashboard/island_browser-86a8fe6b-5da7-4584-a376-ac52a9d4d7a2.json b/packages/island_browser/kibana/dashboard/island_browser-86a8fe6b-5da7-4584-a376-ac52a9d4d7a2.json index 308544a8b7a..0c46484e543 100644 --- a/packages/island_browser/kibana/dashboard/island_browser-86a8fe6b-5da7-4584-a376-ac52a9d4d7a2.json +++ b/packages/island_browser/kibana/dashboard/island_browser-86a8fe6b-5da7-4584-a376-ac52a9d4d7a2.json 
@@ -1549,6 +1549,18 @@ }, "order": 2, "type": "dashboardLink" + }, + { + "destinationRefName": "link_8279584e-5328-493d-8a9f-b4fce07c4f30_dashboard", + "id": "8279584e-5328-493d-8a9f-b4fce07c4f30", + "label": "Compromised Credential", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 3, + "type": "dashboardLink" } ] }, @@ -1754,7 +1766,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-16T13:02:34.634Z", + "created_at": "2025-09-19T09:03:40.107Z", "id": "island_browser-86a8fe6b-5da7-4584-a376-ac52a9d4d7a2", "references": [ { @@ -1842,6 +1854,11 @@ "name": "fea6befa-f4aa-4a46-b72f-1ab75a2dfb75:link_6e5549b0-2297-46c2-b4dd-c9d433ef1749_dashboard", "type": "dashboard" }, + { + "id": "island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c", + "name": "fea6befa-f4aa-4a46-b72f-1ab75a2dfb75:link_8279584e-5328-493d-8a9f-b4fce07c4f30_dashboard", + "type": "dashboard" + }, { "id": "logs-*", "name": "58145684-d40e-4559-ab50-63abc06701bd:indexpattern-datasource-layer-8e85fca7-8bea-480b-8e83-811d8d380ab4", diff --git a/packages/island_browser/kibana/dashboard/island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c.json b/packages/island_browser/kibana/dashboard/island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c.json new file mode 100644 index 00000000000..4615c43a392 --- /dev/null +++ b/packages/island_browser/kibana/dashboard/island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c.json 
@@ -0,0 +1,1179 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "09914533-6b61-4645-96c5-efc4d0dac97e": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "island_browser.compromised_credential.status", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Status" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "large" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "island_browser.compromised_credential" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "island_browser.compromised_credential" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9": { + "columnOrder": [ + "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5", + "fb2a0b86-558e-4113-9d32-ad63afce5ea3" + ], + "columns": { + "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Breach Sources", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fb2a0b86-558e-4113-9d32-ad63afce5ea3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "island_browser.compromised_credential.breach_source" + }, + "fb2a0b86-558e-4113-9d32-ad63afce5ea3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5", + "isTransposed": false + }, + { + "columnId": "fb2a0b86-558e-4113-9d32-ad63afce5ea3", + "isTransposed": false + } + ], + "layerId": "b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + 
"filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "6dd5019c-e94d-4b50-92be-34990540cd5a", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "6dd5019c-e94d-4b50-92be-34990540cd5a", + "title": "Top Breach Sources", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e50188b0-419e-4875-b917-a18ec8ceb891", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9": { + "columnOrder": [ + "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5", + "fb2a0b86-558e-4113-9d32-ad63afce5ea3" + ], + "columns": { + "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Compromised Users", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fb2a0b86-558e-4113-9d32-ad63afce5ea3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.email" + }, + "fb2a0b86-558e-4113-9d32-ad63afce5ea3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": 
[ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "island_browser.compromised_credential.status", + "index": "e50188b0-419e-4875-b917-a18ec8ceb891", + "key": "island_browser.compromised_credential.status", + "negate": false, + "params": { + "query": "Unresolved" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "island_browser.compromised_credential.status": "Unresolved" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5", + "isTransposed": false + }, + { + "columnId": "fb2a0b86-558e-4113-9d32-ad63afce5ea3", + "isTransposed": false + } + ], + "layerId": "b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "island_browser.compromised_credential.status", + "index": "e50188b0-419e-4875-b917-a18ec8ceb891", + "key": "island_browser.compromised_credential.status", + "negate": false, + "params": { + "query": "Unresolved" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "island_browser.compromised_credential.status": "Unresolved" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "30ae7f1c-c4ba-4df1-b30a-38b6c29fcff7", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "30ae7f1c-c4ba-4df1-b30a-38b6c29fcff7", + "title": "Top Compromised Users", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-734da7f8-e2ff-4892-8927-500a21c82456", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "734da7f8-e2ff-4892-8927-500a21c82456": { + "columnOrder": [ + "98356bb7-c8b7-4cc9-a23b-b8fbed6d21cc", + "eab2f123-dfe2-4f8c-ae7c-76937aa60dc4" + ], + "columns": { + "98356bb7-c8b7-4cc9-a23b-b8fbed6d21cc": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "eab2f123-dfe2-4f8c-ae7c-76937aa60dc4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "eab2f123-dfe2-4f8c-ae7c-76937aa60dc4" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "734da7f8-e2ff-4892-8927-500a21c82456", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "98356bb7-c8b7-4cc9-a23b-b8fbed6d21cc" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + 
"enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "a8c542b2-35bc-4ac5-8aad-517f82e133ec", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "a8c542b2-35bc-4ac5-8aad-517f82e133ec", + "title": "Compromised Credentials over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-445a2f89-2f27-42f2-845d-52515f40f05e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "445a2f89-2f27-42f2-845d-52515f40f05e": { + "columnOrder": [ + "28395bc0-de56-47c8-ad0c-2a877f17c879" + ], + "columns": { + "28395bc0-de56-47c8-ad0c-2a877f17c879": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unresolved Compromised Credentials", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "island_browser.compromised_credential.status", + "index": "88e6bc65-c95b-46aa-95eb-fd228b18fc55", + "key": "island_browser.compromised_credential.status", + "negate": false, + "params": { + "query": "Unresolved" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"island_browser.compromised_credential.status": "Unresolved" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "445a2f89-2f27-42f2-845d-52515f40f05e", + "layerType": "data", + "metricAccessor": "28395bc0-de56-47c8-ad0c-2a877f17c879" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "island_browser.compromised_credential.status", + "index": "88e6bc65-c95b-46aa-95eb-fd228b18fc55", + "key": "island_browser.compromised_credential.status", + "negate": false, + "params": { + "query": "Unresolved" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "island_browser.compromised_credential.status": "Unresolved" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "66867554-9609-4bcc-af2a-8c7f20f8ff85", + "w": 12, + "x": 12, + "y": 0 + }, + "panelIndex": "66867554-9609-4bcc-af2a-8c7f20f8ff85", + "title": "Total Unresolved Compromised Credentials", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_3d0d7a1f-d0d0-4312-879a-b2c09a949407_dashboard", + "id": "3d0d7a1f-d0d0-4312-879a-b2c09a949407", + "label": "Device", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_aaa0473e-63fd-40ed-8c71-ba56e65b4063_dashboard", + "id": "aaa0473e-63fd-40ed-8c71-ba56e65b4063", + "label": "User", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false 
+ }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_372f3eb6-36b7-4c29-bcc8-862c0cdf7188_dashboard", + "id": "372f3eb6-36b7-4c29-bcc8-862c0cdf7188", + "label": "Audit", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_00df1916-c738-4200-bbc5-0cbb97c2bdfa_dashboard", + "id": "00df1916-c738-4200-bbc5-0cbb97c2bdfa", + "label": "Compromised Credential", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 3, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 7, + "i": "10c4d7f9-c99a-4cdb-af04-090f75606ae1", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "10c4d7f9-c99a-4cdb-af04-090f75606ae1", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### Island Browser\n\n#### Overview\n\nThis dashboard provides comprehensive visibility into compromised credentials detected within the Island Browser platform.\n\nControl panel filters allow refinement by credential status, while a line chart visualizes compromised credentials over time to highlight trends. A key metric surfaces the total number of unresolved compromised credentials, helping prioritize remediation efforts.\n\nA pie chart illustrates the distribution of compromised credentials by status, while tables spotlight top breach sources, most impacted domains, and the users most frequently affected by unresolved exposures. 
Together, these insights support rapid detection, investigation, and response to credential-related risks.\n\n**[Integration Page](/app/integrations/detail/island_browser/overview)**\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 23, + "i": "985482e8-d65a-426b-b320-362fa688d893", + "w": 12, + "x": 0, + "y": 7 + }, + "panelIndex": "985482e8-d65a-426b-b320-362fa688d893", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8fb39d8b-d913-4e06-a455-666b265f119e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8fb39d8b-d913-4e06-a455-666b265f119e": { + "columnOrder": [ + "6cc8fd96-16a9-436b-93b5-7a84ada7cf38", + "702f6b50-3191-4169-a073-765c1812d3fc" + ], + "columns": { + "6cc8fd96-16a9-436b-93b5-7a84ada7cf38": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "702f6b50-3191-4169-a073-765c1812d3fc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "island_browser.compromised_credential.status" + }, + "702f6b50-3191-4169-a073-765c1812d3fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + 
"filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8fb39d8b-d913-4e06-a455-666b265f119e", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "702f6b50-3191-4169-a073-765c1812d3fc" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6cc8fd96-16a9-436b-93b5-7a84ada7cf38" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "0846f0aa-2a2b-415f-8091-76f30f57b958", + "w": 18, + "x": 12, + "y": 15 + }, + "panelIndex": "0846f0aa-2a2b-415f-8091-76f30f57b958", + "title": "Compromised Credentials by Status", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9": { + "columnOrder": [ + "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5", + "fb2a0b86-558e-4113-9d32-ad63afce5ea3" + ], + "columns": { + "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Impacted Domains", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": 
[], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fb2a0b86-558e-4113-9d32-ad63afce5ea3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.registered_domain" + }, + "fb2a0b86-558e-4113-9d32-ad63afce5ea3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a7508a37-ab97-43fd-b7a9-9c58e10c1bc5", + "isTransposed": false + }, + { + "columnId": "fb2a0b86-558e-4113-9d32-ad63afce5ea3", + "isTransposed": false + } + ], + "layerId": "b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "1d3c1e17-4e3c-440e-bcda-8b6fb806f69c", + "w": 18, + "x": 30, + "y": 15 + }, + "panelIndex": "1d3c1e17-4e3c-440e-bcda-8b6fb806f69c", + "title": "Top Impacted Domains", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Island Browser] Compromised Credential", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-09-19T09:03:39.093Z", + "id": "island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c", + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6dd5019c-e94d-4b50-92be-34990540cd5a:indexpattern-datasource-layer-b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30ae7f1c-c4ba-4df1-b30a-38b6c29fcff7:indexpattern-datasource-layer-b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30ae7f1c-c4ba-4df1-b30a-38b6c29fcff7:e50188b0-419e-4875-b917-a18ec8ceb891", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a8c542b2-35bc-4ac5-8aad-517f82e133ec:indexpattern-datasource-layer-734da7f8-e2ff-4892-8927-500a21c82456", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "66867554-9609-4bcc-af2a-8c7f20f8ff85:indexpattern-datasource-layer-445a2f89-2f27-42f2-845d-52515f40f05e", + "type": "index-pattern" + }, + { + "id": "island_browser-86a8fe6b-5da7-4584-a376-ac52a9d4d7a2", + "name": "10c4d7f9-c99a-4cdb-af04-090f75606ae1:link_3d0d7a1f-d0d0-4312-879a-b2c09a949407_dashboard", + "type": "dashboard" + }, + { + "id": "island_browser-1bcda810-8ace-46ea-9a41-f9179ac63f36", + "name": "10c4d7f9-c99a-4cdb-af04-090f75606ae1:link_aaa0473e-63fd-40ed-8c71-ba56e65b4063_dashboard", + "type": "dashboard" + }, + { + "id": "island_browser-de262ab3-5ed3-4735-baef-72cfb0a50d1d", + "name": "10c4d7f9-c99a-4cdb-af04-090f75606ae1:link_372f3eb6-36b7-4c29-bcc8-862c0cdf7188_dashboard", + "type": "dashboard" + }, + { + "id": "island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c", + "name": "10c4d7f9-c99a-4cdb-af04-090f75606ae1:link_00df1916-c738-4200-bbc5-0cbb97c2bdfa_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": 
"0846f0aa-2a2b-415f-8091-76f30f57b958:indexpattern-datasource-layer-8fb39d8b-d913-4e06-a455-666b265f119e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1d3c1e17-4e3c-440e-bcda-8b6fb806f69c:indexpattern-datasource-layer-b9facbc7-89a5-41e6-bf3c-ecc32ddadfb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_09914533-6b61-4645-96c5-efc4d0dac97e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/island_browser/kibana/dashboard/island_browser-de262ab3-5ed3-4735-baef-72cfb0a50d1d.json b/packages/island_browser/kibana/dashboard/island_browser-de262ab3-5ed3-4735-baef-72cfb0a50d1d.json index 968d419c8ac..23946bb5dfd 100644 --- a/packages/island_browser/kibana/dashboard/island_browser-de262ab3-5ed3-4735-baef-72cfb0a50d1d.json +++ b/packages/island_browser/kibana/dashboard/island_browser-de262ab3-5ed3-4735-baef-72cfb0a50d1d.json @@ -1392,6 +1392,18 @@ }, "order": 2, "type": "dashboardLink" + }, + { + "destinationRefName": "link_2a2c3193-fb04-4341-b3cc-308e96d67ea6_dashboard", + "id": "2a2c3193-fb04-4341-b3cc-308e96d67ea6", + "label": "Compromised Credential", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 3, + "type": "dashboardLink" } ] }, @@ -1759,7 +1771,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-16T13:02:34.192Z", + "created_at": "2025-09-19T09:03:38.781Z", "id": "island_browser-de262ab3-5ed3-4735-baef-72cfb0a50d1d", "references": [ { 
@@ -1827,6 +1839,11 @@ "name": "af599e78-d0bb-4d5a-ad14-11079678dcbc:link_62af94bc-0096-497b-9368-33556f726857_dashboard", "type": "dashboard" }, + { + "id": "island_browser-8a93ddf1-8cd3-4316-bf78-eaaa15af9e8c", + "name": "af599e78-d0bb-4d5a-ad14-11079678dcbc:link_2a2c3193-fb04-4341-b3cc-308e96d67ea6_dashboard", + "type": "dashboard" + }, { "id": "logs-*", "name": "311d75be-dcb3-4f70-9362-b8893768ab9a:indexpattern-datasource-layer-1612f3ee-fa28-497e-8fa4-a56faf8735ba", diff --git a/packages/island_browser/kibana/search/island_browser-6483b021-105e-40ce-8e13-8afb91123326.json b/packages/island_browser/kibana/search/island_browser-6483b021-105e-40ce-8e13-8afb91123326.json index 3907ce53731..f84b058ce50 100644 --- a/packages/island_browser/kibana/search/island_browser-6483b021-105e-40ce-8e13-8afb91123326.json +++ b/packages/island_browser/kibana/search/island_browser-6483b021-105e-40ce-8e13-8afb91123326.json @@ -54,7 +54,7 @@ "title": "Audit Essential Details" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-16T12:50:49.461Z", + "created_at": "2025-09-19T08:47:19.866Z", "id": "island_browser-6483b021-105e-40ce-8e13-8afb91123326", "references": [ { diff --git a/packages/island_browser/kibana/search/island_browser-84eb0548-660b-42af-9af1-a762aaa6bb84.json b/packages/island_browser/kibana/search/island_browser-84eb0548-660b-42af-9af1-a762aaa6bb84.json index 039d41c16b2..acd0e2f82fd 100644 --- a/packages/island_browser/kibana/search/island_browser-84eb0548-660b-42af-9af1-a762aaa6bb84.json +++ b/packages/island_browser/kibana/search/island_browser-84eb0548-660b-42af-9af1-a762aaa6bb84.json @@ -54,7 +54,7 @@ "title": "Device Essential Details [Logs Island Browser]" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-16T12:50:49.461Z", + "created_at": "2025-09-19T08:47:19.866Z", "id": "island_browser-84eb0548-660b-42af-9af1-a762aaa6bb84", "references": [ { 
diff --git a/packages/island_browser/kibana/search/island_browser-dc4eff97-2d93-4db7-b1c6-2e6e38699949.json b/packages/island_browser/kibana/search/island_browser-dc4eff97-2d93-4db7-b1c6-2e6e38699949.json index aa88a008c01..cf9a52eb2b2 100644 --- a/packages/island_browser/kibana/search/island_browser-dc4eff97-2d93-4db7-b1c6-2e6e38699949.json +++ b/packages/island_browser/kibana/search/island_browser-dc4eff97-2d93-4db7-b1c6-2e6e38699949.json @@ -56,7 +56,7 @@ "title": "User Essential Details" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-09-16T12:50:49.461Z", + "created_at": "2025-09-19T08:47:19.866Z", "id": "island_browser-dc4eff97-2d93-4db7-b1c6-2e6e38699949", "references": [ { diff --git a/packages/island_browser/manifest.yml b/packages/island_browser/manifest.yml index f0174883587..75142cf5765 100644 --- a/packages/island_browser/manifest.yml +++ b/packages/island_browser/manifest.yml @@ -1,14 +1,14 @@ format_version: 3.3.2 name: island_browser title: Island Browser -version: 0.3.1 +version: 0.4.0 description: Collect logs from Island Browser with Elastic Agent. type: integration categories: - security conditions: kibana: - version: ^8.18.5 || ^8.19.2 || ^9.0.5 || ^9.1.2 + version: ^8.18.8 || ^8.19.5 || ^9.0.8 || ^9.1.5 elastic: subscription: basic icons: @@ -29,6 +29,10 @@ screenshots: title: User Dashboard size: 600x600 type: image/png + - src: /img/island-browser-compromised-credential-dashboard.png + title: Compromised Credential Dashboard + size: 600x600 + type: image/png policy_templates: - name: island_browser title: Island Browser
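Review bot: In the latest_device/transform.yml hunk the destination index is bumped to `logs-island_browser_latest.dest_device-2` and `fleet_transform_version` to 0.2.0, yet no change under latest_device/fields appears in these hunks (the only mapping change shown is in latest_user/fields/ecs.yml). If the device transform's mappings are in fact unchanged, the bump forces a delete, reinstall and full re-population of the latest-device index for no benefit; either include the matching fields change or drop the device bump. For both transforms, confirm that the previous `dest_device-1` / `dest_user-1` indices are removed on upgrade: `move_on_creation: true` only moves the alias to the new index and does not delete the old one, so if Fleet does not clean them up the leftover indices should at least be called out in the changelog.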
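Review bot: The `observer.product` and `observer.vendor` entries in latest_user/fields/ecs.yml now carry `type: constant_keyword` with fixed values, and a `constant_keyword` mapping rejects any document whose value differs from `Island Enterprise Browser` / `Island`; confirm that the user ingest pipeline sets exactly these strings (including case) for every document that reaches the transform source, otherwise indexing into the latest index fails rather than producing a slightly different value. Changing an existing field's type cannot be applied in place to the current destination index, which is what justifies the `dest_user-2` index and transform-version bump in the following latest_user/transform.yml hunk; that reasoning belongs in the changelog entry so the reinstall is not mistaken for churn.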
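Review bot: The dashboard-level filter `"labels.is_transform_source": "false"` (searchSourceJSON.filter[1]) in the new island_browser-8a93ddf1 dashboard will hide every compromised_credential document unless the ingest pipeline for that dataset actually sets `labels.is_transform_source` to `false`; no transform for the compromised_credential stream appears among the transform hunks here (only latest_device and latest_user), so this filter looks carried over from the device/user dashboards and should either be removed or the pipeline confirmed to emit the label. Second, the status filter inside the "Total Unresolved Compromised Credentials" metric panel references `"index": "88e6bc65-c95b-46aa-95eb-fd228b18fc55"`, but neither that panel's attributes.references nor the top-level references array has an entry for that id, whereas the "Top Compromised Users" panel lists its `e50188b0-...` index in both places; add the matching index-pattern reference (or drop `meta.index`) so the export resolves consistently. Third, the line chart still carries the editor default `"title": "Empty XY chart"` under state.visualization, and the three datatable panels reuse the same layer and column ids (b9facbc7..., a7508a37..., fb2a0b86...); both are harmless at runtime because Lens state is per panel, but they read as copy-paste residue and make later diffs of this file harder to follow. Finally, "Top Impacted Domains" aggregates on `source.registered_domain`; confirm the pipeline really maps the breached site's domain there rather than to a `url.*` field, since `source.*` in ECS describes the network source of an event.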
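Review bot: The three hunks under kibana/search (island_browser-6483b021..., island_browser-84eb0548..., island_browser-dc4eff97...) change only `created_at` (2025-09-16T12:50:49.461Z to 2025-09-19T08:47:19.866Z); that is re-export churn with no functional change, so these files can be dropped from the change to keep the diff reviewable. The same timestamp-only lines appear in the three existing dashboard files, where they are acceptable because those hunks also add the new "Compromised Credential" navigation link together with its matching `island_browser-8a93ddf1-...` dashboard reference.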
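Review bot: The Kibana constraint in manifest.yml moves from `^8.18.5 || ^8.19.2 || ^9.0.5 || ^9.1.2` to `^8.18.8 || ^8.19.5 || ^9.0.8 || ^9.1.5` without anything in these hunks that needs the newer patch releases; tightening it blocks the upgrade for users on the previously supported patch versions, so either cite the Kibana fix that motivates it in the changelog or leave the constraint as it was. The bump to 0.4.0 is the right magnitude for a new data stream plus dashboard, and the screenshot entry matches the added `island-browser-compromised-credential-dashboard.png`; make sure changelog.yml records the version bump together with the transform reinstall so users know the latest_* indices will be rebuilt on upgrade.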