From 47c8ee7cae95300465be76be3fc600da04cd9d86 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 9 Jun 2020 10:05:10 +0200
Subject: [PATCH] Improve performance of PANW module dashboards (#19032)
A saved search was using `panw.panos: *` as to filter for data from the dataset, instead of the more efficient `event.dataset: panw.panos`.
(cherry picked from commit 2dad8db4293418b8c2d7919997025eda68c834c3)
---
CHANGELOG.next.asciidoc | 8 ++++++++
.../7/dashboard/Filebeat-panw-network-overview.json | 2 +-
.../kibana/7/dashboard/Filebeat-panw-threat-overview.json | 2 +-
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b8db993c805..e4faa409fe3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -262,6 +262,14 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add dashboard for Google Cloud Audit and AWS CloudTrail. {pull}17379[17379]
 - Add support for array parsing in azure-eventhub input. {pull}18585[18585]
 from being added to events by default. {pull}18159[18159]
+- Added `observer.vendor`, `observer.product`, and `observer.type` to PANW module events. {pull}18223[18223]
+- The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095]
+- Improve ECS categorization field mappings in envoyproxy module. {issue}16161[16161] {pull}18395[18395]
+- Improve ECS categorization field mappings in coredns module. {issue}16159[16159] {pull}18424[18424]
+- Improve ECS categorization field mappings in cisco module. {issue}16028[16028] {pull}18537[18537]
+- The s3 input can now automatically detect gzipped objects. {issue}18283[18283] {pull}18764[18764]
+- Add geoip AS lookup & improve ECS categorization in aws cloudtrail fileset. {issue}18644[18644] {pull}18958[18958]
+- Improved performance of PANW sample dashboards. {issue}19031[19031] {pull}19032[19032]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-network-overview.json b/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-network-overview.json
index 7dd3fd7f17e..a348f151b30 100644
--- a/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-network-overview.json
+++ b/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-network-overview.json
@@ -1075,7 +1075,7 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "query": {
 "language": "kuery",
- "query": "panw.panos:* and event.category: \"network_traffic\""
+ "query": "event.dataset: \"panw.panos\" and event.category: \"network_traffic\""
 },
 "version": true
 }
diff --git a/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-threat-overview.json b/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-threat-overview.json
index c33b9e51027..834328c3469 100644
--- a/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-threat-overview.json
+++ b/x-pack/filebeat/module/panw/_meta/kibana/7/dashboard/Filebeat-panw-threat-overview.json
@@ -764,7 +764,7 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "query": {
 "language": "kuery",
- "query": "panw.panos:* and event.category: \"security_threat\""
+ "query": "event.dataset: \"panw.panos\" and event.category: \"security_threat\""
 },
 "version": true
 }