├── NTFS..png
├── DFIR_logo.jpg
├── SANS_Find_Evil.png
├── iis.yml
├── kape.yml
├── winlog.yml
├── suricata.yml
├── timeline.yml
├── suricata_p.conf
├── filebeat.yml
├── IIS_exchange.conf
├── logstash_parser.conf
├── zeek.yml
├── memory.conf
├── README.md
└── Dashboards
    ├── ELK-home.ndjson
    ├── suricata_2.ndjson
    ├── MFT.ndjson
    ├── ICS_connection.ndjson
    ├── Kape_win_log.ndjson
    ├── NTFS_timeline.ndjson
    └── Memory_forensics.ndjson


/NTFS..png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Maboalenen/DFIR/HEAD/NTFS..png


--------------------------------------------------------------------------------
/DFIR_logo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Maboalenen/DFIR/HEAD/DFIR_logo.jpg


--------------------------------------------------------------------------------
/SANS_Find_Evil.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Maboalenen/DFIR/HEAD/SANS_Find_Evil.png


--------------------------------------------------------------------------------
/iis.yml:
--------------------------------------------------------------------------------
 1 | # This file creates a filebeat iis 
 2 | 
 3 | - type: log
 4 |   paths:
 5 |     - /logstash/iis/*/*
 6 |     - /logstash/iis/*
 7 |   exclude_files: [ 'readme.txt', '\.gz$', '\.bz2$', '\.zip$' ]
 8 |   close_inactive: 5m
 9 |   fields_under_root: true
10 |   fields:
11 |     type: iis
12 | 


--------------------------------------------------------------------------------
/kape.yml:
--------------------------------------------------------------------------------
 1 | # This file creates a filebeat kape timeline
 2 | 
 3 | - type: log
 4 |   paths:
 5 |     - /logstash/kape/*/*
 6 |     - /logstash/kape/*
 7 |   exclude_files: [ 'readme.txt', '\.gz$', '\.bz2$', '\.zip$' ]
 8 |   close_inactive: 5m
 9 |   fields_under_root: true
10 |   fields:
11 |     type: kape
12 | 


--------------------------------------------------------------------------------
/winlog.yml:
--------------------------------------------------------------------------------
 1 | # This file creates a filebeat kape windows event_logs
 2 | 
 3 | - type: log
 4 |   paths:
 5 |     - /logstash/winlog/*/*
 6 |     - /logstash/winlog/*
 7 |   exclude_files: [ 'readme.txt', '\.gz$', '\.bz2$', '\.zip$' ]
 8 |   close_inactive: 5m
 9 |   fields_under_root: true
10 |   fields:
11 |     type: winlog


--------------------------------------------------------------------------------
/suricata.yml:
--------------------------------------------------------------------------------
 1 | # Module: suricata
 2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-suricata.html
 3 | 
 4 | - module: suricata
 5 |   # All logs
 6 |   eve:
 7 |     enabled: true
 8 | 
 9 |     # Set custom paths for the log files. If left empty,
10 |     # Filebeat will choose the paths depending on your OS.
11 |     var.paths: ["/logstash/suricata/*.json"]


--------------------------------------------------------------------------------
/timeline.yml:
--------------------------------------------------------------------------------
 1 | # This file creates a filebeat log2timeline CSV
 2 | 
 3 | - type: log
 4 |   paths:
 5 |     - /logstash/timeline/*/*/*/*/*
 6 |     - /logstash/timeline/*/*/*/*
 7 |     - /logstash/timeline/*/*/*
 8 |     - /logstash/timeline/*/*
 9 |     - /logstash/timeline/*
10 |   exclude_files: [ 'readme.txt', '\.gz$', '\.bz2$', '\.zip$' ]
11 |   close_inactive: 5m
12 |   fields_under_root: true
13 |   fields:
14 |     type: timeline
15 | 


--------------------------------------------------------------------------------
/suricata_p.conf:
--------------------------------------------------------------------------------
 1 | # @Maboalenen
 2 | # Mahmoud Aboalenen
 3 | # github.com/Maboalenen
 4 | # Basic Logstash configuration for suricata output  
 5 | 
 6 | input {
 7 |   beats {
 8 |     port => 5044
 9 |     }
10 | }
11 | 
12 | filter {
13 |  
14 |   if [type] == "suricata" {
15 | 
16 |   json {
17 |         source => "message"
18 |       }
19 |     }
20 | }
21 | 
22 | output {
23 |   elasticsearch {
24 |     hosts => ["192.168.60.133:9200"]
25 |     index => "suricata"
26 |     #user => "elastic"
27 |     #password => "changeme"
28 |   }
29 | }
30 | 


--------------------------------------------------------------------------------
/filebeat.yml:
--------------------------------------------------------------------------------
 1 | ######################## Filebeat Configuration ############################
 2 | 
 3 | # You can find the full configuration reference here:
 4 | # https://www.elastic.co/guide/en/beats/filebeat/index.html
 5 | 
 6 | # For more available modules and options, please see the filebeat.reference.yml sample
 7 | # configuration file.
 8 | 
 9 | filebeat.config.inputs:
10 |   enabled: true
11 |   path: /usr/local/lib/filebeats_inputs/*.yml
12 | 
13 | #============================= Filebeat modules ===============================
14 | 
15 | filebeat.config.modules:
16 |   # Glob pattern for configuration loading
17 |   path: ${path.config}/modules.d/*.yml
18 | 
19 |   # Set to true to enable config reloading
20 |   reload.enabled: false
21 | 
22 |   # Period on which files under path should be checked for changes
23 |   #reload.period: 10s
24 | #================================kibana======================================
25 | 
26 | setup.kibana.host: "http://192.168.60.133:5601"
27 | 
28 | #================================ Outputs =====================================
29 | 
30 | #----------------------------- Logstash output --------------------------------
31 | output.logstash:
32 |   # The Logstash hosts
33 |   hosts: ["localhost:5044"]


--------------------------------------------------------------------------------
/IIS_exchange.conf:
--------------------------------------------------------------------------------
 1 | # @Maboalenen
 2 | # Mahmoud Aboalenen
 3 | # github.com/Maboalenen
 4 | # Basic Logstash configuration 
 5 | # Ltype: IIS logs 
 6 | # Path %SystemDrive%\inetpub\logs\LogFiles 
 7 | # Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
 8 | 
 9 | input {
10 | 
11 |   file {
12 |         type => "iis"
13 |         path => "/logstash/iis/*.log"
14 |         
15 |       } 
16 | 
17 | }
18 | 
19 | filter {
20 |   if [type] == "iis" {
21 |    grok {
22 |      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} %{NOTSPACE:cs-uri-query} %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Referer} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:Time-Taken}"}
23 |   }
24 | 
25 |   date {
26 |       match => [ "TIMESTAMP_ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ]
27 |       target => "@timestamp"
28 |   }
29 |  }
30 | 
31 | }
32 | output {
33 |   elasticsearch {
34 |     hosts => ["192.168.60.133:9200"]
35 |     index => "exchange_iis"
36 |     #user => "elastic"
37 |     #password => "changeme"
38 |   }
39 | }
40 | 


--------------------------------------------------------------------------------
/logstash_parser.conf:
--------------------------------------------------------------------------------
 1 | # @Maboalenen
 2 | # Mahmoud Aboalenen
 3 | # github.com/Maboalenen
 4 | # Basic Logstash configuration for multiple different file type  
 5 | # 2- log2time output from log2time csv format 
 6 | # 3- kape output from kape with json format 
 7 | # 4- kape output windows-event logs with json format
 8 | 
 9 | input {
10 |   beats {
11 |     port => 5044
12 |     }
13 | }
14 | 
15 | filter {
16 |  
17 | 
18 |   if [type] == "timeline" {
19 |    grok { 
20 |       match => ["message","(?<date>(.*?)),(?<time>(.*?)),(?<timezone>(.*?)),(?<MACB>(.*?)),(?<source>(.*?)),(?<sourcetype>(.*?)),(?<type>(.*?)),(?<user>(.*?)),(?<host>(.*?)),(?<short>(.*?)),(?<desc>(.*?)),(?<version>(.*?)),(?<filename>(.*?)),(?<inode>(.*?)),(?<notes>(.*?)),(?<format>(.*?)),%{GREEDYDATA:extra}"]
21 |     }
22 |      mutate {
23 |     add_field => {
24 |       "timestamp" => "%{date} %{time}"
25 |     }
26 |   }
27 |   date {
28 |     match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS"]
29 |   }
30 | 
31 |   }
32 |   if [type] == "kape" {
33 | 
34 |   json {
35 |         source => "message"
36 |       }
37 |     }
38 |   if [type] == "winlog" {
39 | 
40 |   json {
41 |         source => "message"
42 |       }
43 |     }
44 | }
45 | 
46 | output {
47 |   elasticsearch {
48 |     hosts => ["192.168.60.133:9200"]
49 |     index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
50 |     #user => "elastic"
51 |     #password => "changeme"
52 |   }
53 | }
54 | 


--------------------------------------------------------------------------------
/zeek.yml:
--------------------------------------------------------------------------------
  1 | # Module: zeek
  2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-zeek.html
  3 | 
  4 | - module: zeek
  5 |   capture_loss:
  6 |     enabled: true
  7 |     var.paths: ["/logstash/zeek/capture_loss.log"]
  8 |   connection:
  9 |     enabled: true
 10 |     var.paths: ["/logstash/zeek/conn.log"]
 11 |   dce_rpc:
 12 |     enabled: true
 13 |     var.paths: ["/logstash/zeek/dce_rpc.log"]
 14 |   dhcp:
 15 |     enabled: true
 16 |     var.paths: ["/logstash/zeek/dhcp.log"]
 17 |   dnp3:
 18 |     enabled: true
 19 |     var.paths: ["/logstash/zeek/dnp3.log"]
 20 |   dns:
 21 |     enabled: true
 22 |     var.paths: ["/logstash/zeek/dns.log"]
 23 |   dpd:
 24 |     enabled: true
 25 |     var.paths: ["/logstash/zeek/dpd.log"]
 26 |   files:
 27 |     enabled: true
 28 |     var.paths: ["/logstash/zeek/files.log"]
 29 |   ftp:
 30 |     enabled: true
 31 |     var.paths: ["/logstash/zeek/ftp.log"]
 32 |   http:
 33 |     enabled: true
 34 |     var.paths: ["/logstash/zeek/http.log"]
 35 |   intel:
 36 |     enabled: true
 37 |     var.paths: ["/logstash/zeek/intel.log"]    
 38 |   irc:
 39 |     enabled: true
 40 |     var.paths: ["/logstash/zeek/irc.log"]
 41 |   kerberos:
 42 |     enabled: true
 43 |     var.paths: ["/logstash/zeek/kerberos.log"]
 44 |   modbus:
 45 |     enabled: true
 46 |     var.paths: ["/logstash/zeek/modbus.log"]
 47 |   mysql:
 48 |     enabled: true
 49 |     var.paths: ["/logstash/zeek/mysql.log"]
 50 |   notice:
 51 |     enabled: true
 52 |     var.paths: ["/logstash/zeek/notice.log"]
 53 |   ntlm:
 54 |     enabled: true
 55 |     var.paths: ["/logstash/zeek/ntlm.log"]
 56 |   ocsp:
 57 |     enabled: true
 58 |     var.paths: ["/logstash/zeek/ocsp.log"]
 59 |   pe:
 60 |     enabled: true
 61 |     var.paths: ["/logstash/zeek/pe.log"]
 62 |   radius:
 63 |     enabled: true
 64 |     var.paths: ["/logstash/zeek/radius.log"]
 65 |   rdp:
 66 |     enabled: true
 67 |     var.paths: ["/logstash/zeek/rdp.log"]
 68 |   rfb:
 69 |     enabled: true
 70 |     var.paths: ["/logstash/zeek/rfp.log"]
 71 |   sip:
 72 |     enabled: true
 73 |     var.paths: ["/logstash/zeek/sip.log"]
 74 |   smb_cmd:
 75 |     enabled: true
 76 |     var.paths: ["/logstash/zeek/smb_cmd.log"]
 77 |   smb_files:
 78 |     enabled: true
 79 |     var.paths: ["/logstash/zeek/smb_files.log"]
 80 |   smb_mapping:
 81 |     enabled: true
 82 |     var.paths: ["/logstash/zeek/smb_mapping.log"]
 83 |   smtp:
 84 |     enabled: true
 85 |     var.paths: ["/logstash/zeek/smtp.log"]
 86 |   snmp:
 87 |     enabled: true
 88 |     var.paths: ["/logstash/zeek/snmp.log"]
 89 |   socks:
 90 |     enabled: true
 91 |     var.paths: ["/logstash/zeek/socks.log"]
 92 |   ssh:
 93 |     enabled: true
 94 |     var.paths: ["/logstash/zeek/ssh.log"]
 95 |   ssl:
 96 |     enabled: true
 97 |     var.paths: ["/logstash/zeek/ssl.log"]
 98 |   stats:
 99 |     enabled: true
100 |     var.paths: ["/logstash/zeek/stats.log"]
101 |   syslog:
102 |     enabled: true
103 |     var.paths: ["/logstash/zeek/syslog.log"]
104 |   traceroute:
105 |     enabled: true
106 |     var.paths: ["/logstash/zeek/traceroute.log"]
107 |   tunnel:
108 |     enabled: true
109 |     var.paths: ["/logstash/zeek/tunnel.log"]
110 |   weird:
111 |     enabled: true
112 |     var.paths: ["/logstash/zeek/weird.log"]
113 |   x509:
114 |     enabled: true
115 |     var.paths: ["/logstash/zeek/x509.log"]
116 | 
117 | 
118 |     # Set custom paths for the log files. If left empty,
119 |     # Filebeat will choose the paths depending on your OS.
120 |     #var.paths:
121 | 


--------------------------------------------------------------------------------
/memory.conf:
--------------------------------------------------------------------------------
  1 | # Memory Forensics 
  2 | # @Maboalenen
  3 | # Mahmoud Aboalenen
  4 | # volatility Output data  
  5 | # files [pslist, psscan, pstree, psxview, netscan, filescan]
  6 | 
  7 | input {
  8 |   file {
  9 |     type => "vol_pslist"
 10 |     path => "/logstash/memory/pslist.csv"
 11 |     start_position => "beginning"
 12 |     sincedb_path => "/dev/null"
 13 |   }
 14 |   file {
 15 | 	type => "vol_psscan"
 16 | 	path => "/logstash/memory/psscan.csv"
 17 | 	sincedb_path => "/dev/null"
 18 | 	start_position => "beginning"
 19 | 	}
 20 |   file {
 21 | 	type => "vol_pstree"
 22 | 	path => "/logstash/memory/pstree.csv"
 23 | 	sincedb_path => "/dev/null"
 24 | 	start_position => "beginning"
 25 | 	}
 26 |   file {
 27 | 	type => "vol_psxview"
 28 | 	path => "/logstash/memory/psxview.csv"
 29 | 	sincedb_path => "/dev/null"
 30 | 	start_position => "beginning"
 31 | 	}
 32 |   file {
 33 | 	type => "vol_filescan"
 34 | 	path => "/logstash/memory/filescan.csv"
 35 | 	sincedb_path => "/dev/null"
 36 | 	start_position => "beginning"
 37 | 	}
 38 |   file {
 39 | 	type => "vol_netscan"
 40 | 	path => "/logstash/memory/netscan.csv"
 41 | 	sincedb_path => "/dev/null"
 42 | 	start_position => "beginning"
 43 | 	}
 44 |   file {
 45 |   type => "vol_strings"
 46 |   path => "/logstash/memory/strings.csv"
 47 |   sincedb_path => "/dev/null"
 48 |   start_position => "beginning"
 49 |   }
 50 |  
 51 | }
 52 | 
 53 | filter {
 54 |  if [type] == "vol_pslist" {
 55 |       csv {
 56 |         columns => [ "Offset", "name", "pid", "ppid", "thds", "hnds", "sess", "wow64", "sdata", "stime", "szun", "edata", "etime", "ezone"]
 57 |         separator => " "
 58 |         skip_empty_columns => "true"
 59 |         skip_empty_rows => "true"
 60 |         skip_header => "true"
 61 |      }
 62 |     }
 63 | 
 64 |   if [type] == "vol_psscan" {
 65 |       csv {
 66 |         columns => ["Offset", "name", "pid", "ppid", "pdp", "dcreated", "tcreated", "zcreated", "exitdate", "exittime", "exitzone"]
 67 |         separator => " "
 68 |         skip_empty_columns => "true"
 69 |         skip_empty_rows => "true"
 70 |         skip_header => "true"
 71 |      }
 72 |     }
 73 | 
 74 |   if [type] == "vol_pstree" {
 75 |       csv {
 76 |         columns => ["dots", "name", "pid", "ppid", "thds", "hnds", "date", "time", "zone"]
 77 |         separator => " "
 78 |         skip_header => "true"
 79 |         remove_field => [ "dots" ]
 80 |      }
 81 |     }
 82 | 
 83 |   if [type] == "vol_psxview" {
 84 |       csv {
 85 |         columns => ["offset", "name", "pid", "pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd", "exitdate", "exittime", "exitzone"]
 86 |         separator => " "
 87 |         skip_empty_columns => "true"
 88 |         skip_empty_rows => "true"
 89 |         skip_header => "true"
 90 |      }
 91 |     }
 92 |   if [type] == "vol_filescan" {
 93 |       csv {
 94 |         columns => ["Offset", "ptr", "hnd", "access", "name"]
 95 |         separator => " "
 96 |         skip_empty_columns => "true"
 97 |         skip_empty_rows => "true"
 98 |         skip_header => "true"
 99 |      }
100 |     }
101 |   if [type] == "vol_netscan" {
102 |       grok {
103 |       match => [ "message","%{BASE16FLOAT:offset} %{SPACE:} %{NOTSPACE:proto} %{SPACE} %{NOTSPACE:localaddress} %{SPACE} %{NOTSPACE:foreignaddress } %{SPACE} %{SPACE} %{DATA:State} %{SPACE} %{NUMBER:pid} %{SPACE} %{NOTSPACE:owner} %{SPACE} %{NOTSPACE:createddate}%{SPACE} %{NOTSPACE:createdtime}" ]
104 |      }
105 |     }
106 |   if [type] == "vol_strings" {
107 |       grok {
108 |       match => [ "message","%{BASE16FLOAT:offset} %{GREEDYDATA:string}" ]
109 |       }
110 | }
111 | }
112 | output {
113 |   elasticsearch {
114 |     hosts => ["192.168.60.133:9200"]
115 |     index => "memory_vol"
116 |     #user => "elastic"
117 |     #password => "changeme"
118 |   }
119 | }
120 | 
121 | 
122 | 
123 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | 
  2 | DFIR_ELK Project
  3 | ===========
  4 | 
  5 | Abstract
  6 | --------
  7 |      Incident Response Team usually working on the offline data, and analyze it with their own tools,
  8 |      DFIR_ELK project customized build of the open-source consisting of Elasticsearch, Logstash,
  9 |      Kibana dashboard, Filebeat, Suricata,Zeek,and Volatility,additionally parsing and visualizing 
 10 |      the critical output data for forensics tool “Kape by Eric Zimmerman” that help IR team 
 11 |      for investigating and analyzing the information security
 12 | 
 13 | ![alt text](https://github.com/Maboalenen/DFIR/blob/main/DFIR_logo.jpg?raw=true)
 14 | 
 15 | Get Starting 
 16 | -------
 17 |   > Building your own DFIR VM <a href='https://drive.google.com/file/d/1y512lcEYH_STG5CN4yU6gsTuK-J947jo/view?usp=sharing' target='_blank'>Doc_DFIR_Download_V1 </a>       
 18 |   > Memory Forensics DFIR VMv2 <a href='https://drive.google.com/file/d/1C42253EbtT7-l2oHHKGKWyexxHfrtFMr/view?usp=sharing' target='_blank'>Doc_DFIR_Download_V2 </a>        
 19 |   > DFIR_ELK_PROJECT using <a href='https://drive.google.com/file/d/1zNbEwEwbsBcsK0kOT58Hjg1jo-iuHF01/view?usp=sharing' target='_blank'>Doc_DFIR_Download_How to use </a>.   
 20 |   > Download DFIR VM <a href='https://drive.google.com/file/d/1TMpuZ8oiDX4vx2qovT5bGR8Qogb46NyE/view?usp=sharing' target='_blank'>DFIR_Download</a>       
 21 |   > VM_IP_Address: 192.168.60.133  
 22 |   > Kibana : 192.168.60.133:5601  
 23 |   > Elasticsearch : 192.168.60.133:9200   
 24 |   > User: elk   
 25 |   > Password: elk-dfir  
 26 | 
 27 | Type of indexing data 
 28 | --------------
 29 | |output_logs|Ext|
 30 | |--|--|
 31 | |IIS Exchange  |Log|
 32 | |Log2timeline |CSV|
 33 | |KAPE|JSON|
 34 | |KAPE Windows event logs |JSON|
 35 | | Windows Event Logs|EVTX|
 36 | |Volatility|CSV|
 37 | 
 38 | TOOLS
 39 | --------
 40 |  <a href='https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.0-amd64.deb' target='_blank'>Elasticsearch</a>  
 41 |  <a href='https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-amd64.deb' target='_blank'>Kibana</a>  
 42 |  <a href='https://artifacts.elastic.co/downloads/logstash/logstash-7.10.0-amd64.deb' target='_blank'>Logstash</a>    
 43 |  <a href='https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-amd64.deb' target='_blank'>Filebeat</a>  
 44 |  <a href='https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.10.0-windows-x86_64.zip' target='_blank'>Winlogbeat</a>   
 45 |  <a href='https://suricata-ids.org/download/' target='_blank'>Suricata</a>  
 46 |  <a href='https://docs.zeek.org/en/master/install/install.html#id1' target='_blank'>Zeek</a>  
 47 |  <a href='https://github.com/volatilityfoundation/volatility/wiki/Installation' target='_blank'>Volatility</a>
 48 |  
 49 | How to use 
 50 | -----------
 51 | 
 52 | Send kape output (JSON format)
 53 | ```bash
 54 |  $ scp kape.json elk@192.168.60.133:/logstash/kape/
 55 |  ```
 56 |  Send kape windows event Logs (JSON Format)
 57 |  ```bash
 58 | $ scp kape.json elk@192.168.60.133:logstash/winlog/
 59 | ```
 60 | 
 61 | Send output data log2timeline (CSV Format)
 62 | ```bash
 63 | $ scp timeline.csv elk@192.168.60.133:logstash/timeline/
 64 | ```
 65 | Send IIS exchange logs (Log Format)
 66 | ```bash
 67 | $ scp -r /path_to_logs/ elk@192.168.60.133:logstash/iis/
 68 | ```
 69 | Send Window event Logs to elasticsearch (EVTX) 
 70 | ```bash
 71 | PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -e
 72 | ``` 
 73 | Zeek read PCAP files and send data to elasticsearch. 
 74 | 
 75 | **Note**: zeek output must be at path: /logstash/zeek/
 76 | ```bash
 77 | $ /logstash/zeek$ zeek -r file.pcap
 78 | ```
 79 | Suricate read PCAP file and send data to elasticsearch 
 80 |  ```bash	            
 81 | $ suricata -c /etc/suricata/suricata.yaml   -r file.pcap -l  /logstash/suricata/
 82 | ```
 83 | Continuous reading any pcap files add on /logstash/suricata/
 84 | ```bash
 85 |  $ suricata   -c /etc/suricata/suricata.yaml  --pcap-file-continuous -r /logstash/suricata/    -l /logstash/suricata/
 86 | ```
 87 | ### Volatility plugins
 88 |  Pslist print all running processes with the EPROCESS doubly linked list
 89 |   ```bash
 90 | $ vol.py -f memdump.mem --profile=Win2016x64_14393 pslist  > /logstash/memory/pslist.csv
 91 | ```
 92 |  Psscan scan physical memory for Eprosses but it’s can identify the terminated processes with unlocaked
 93 |   ```bash
 94 | $ vol.py -f memdump.mem --profile=Win2016x64_14393 psscan  > /logstash/memory/pscan.csv
 95 | ```
 96 | Pstree print process list as tree collect the parent relationships (using Eprocess linked list) 
 97 |  ```bash
 98 | $ vol.py -f memdump.mem --profile=Win2016x64_14393 pstree  > /logstash/memory/pstree.csv
 99 | ```
100 | Psxview helps you detect hidden processes by comparing what PsActiveProcessHead contains with what is reported by various other sources of process listings.
101 |  ```bash
102 | $ vol.py -f memdump.mem --profile=Win2016x64_14393 psxview  > /logstash/memory/psxview.csv
103 | ```
104 | Netscan Network artifacts and socket. (it’s helps to discover suspicious network connections)
105 | ```bash
106 | $ vol.py -f memdump.mem --profile=Win2016x64_14393 netscan  > /logstash/memory/netscan.csv
107 | ```
108 | FileScan search for file object in memory and Identifies file in memory even if there are no handled (closed file) finds NTFS special files (such as $MFT) that are not present in VAD tree or process handles list.
109 | ```bash
110 | $ vol.py -f memdump.mem --profile=Win2016x64_14393 filescan  > /logstash/memory/filescan.csv
111 | ```
112 | Strings used to extract English ASCII and Unicode string from data stream
113 | ```bash
114 | $ strings -a -td -el  memdump.mem  >  /logstash/memory/strings.csv
115 | ```
116 | ### Troubleshooting. 
117 | -------------
118 |  - Make sure all the services are running and active  
119 |  ```bash
120 |  $ sudo service elasticsearch status
121 |  $ sudo service elasticsearch stop
122 |  $ sudo service elasticsearch start 
123 |  ```
124 |  if you restart elatsicsearch make sure to restart logstash after  
125 |  ```bash
126 |  $ sudo service logstash restart 
127 | ```
128 | 


--------------------------------------------------------------------------------
/Dashboards/ELK-home.ndjson:
--------------------------------------------------------------------------------
1 | {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"DFIR_ELK_Project","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DFIR_ELK_Project\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Welcome to DFIR_ELK Project  \\n\\nopen-source tools that help the Incident response teams to analyze the offline evidence.   \\n>   DFIR_ELK https://github.com/Maboalenen/DFIR  \\n> Winlogbeat  \\n> Volatility Output   \\n> KAPE    \\n> ZEEK   \\n> Souricat  \"}}"},"id":"832845a0-7dd6-11eb-8002-c73037b472f1","migrationVersion":{"visualization":"7.11.0"},"references":[],"type":"visualization","updated_at":"2021-03-05T17:16:24.186Z","version":"WzExODcxLDRd"}
2 | {"attributes":{"fieldAttrs":"{\"destination.address\":{\"count\":2},\"event.dataset\":{\"count\":17},\"zeek.ssh.auth.attempts\":{\"count\":3},\"zeek.ssh.auth.success\":{\"count\":3},\"destination.ip\":{\"count\":2},\"network.community_id\":{\"count\":2},\"source.geo.country_name\":{\"count\":3},\"source.ip\":{\"count\":2},\"type\":{\"count\":3}}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat-*"},"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-10T15:49:21.736Z","version":"WzE4NTAzLDhd"}
3 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"bca137f0-5945-4ef1-973a-e4a87ad8b45e":{"columnOrder":["73e5bad3-d567-42ae-90dd-0d799a9a520e"],"columns":{"73e5bad3-d567-42ae-90dd-0d799a9a520e":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"accessor":"73e5bad3-d567-42ae-90dd-0d799a9a520e","layerId":"bca137f0-5945-4ef1-973a-e4a87ad8b45e"}},"title":"KAPE_Windows_event-logs","visualizationType":"lnsMetric"},"id":"e0800280-7dcf-11eb-8002-c73037b472f1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-bca137f0-5945-4ef1-973a-e4a87ad8b45e","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-05T16:28:54.312Z","version":"WzExMzA5LDRd"}
4 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"67129717-e463-4835-b902-ae42a9fb8001":{"columnOrder":["1332bedf-084f-485f-9582-c4f7d6706e3e","ed58a37c-a3f2-4e15-80a7-bd1c5fb13c18"],"columns":{"1332bedf-084f-485f-9582-c4f7d6706e3e":{"dataType":"string","isBucketed":true,"label":"Top values of alert.signature.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ed58a37c-a3f2-4e15-80a7-bd1c5fb13c18","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"alert.signature.keyword"},"ed58a37c-a3f2-4e15-80a7-bd1c5fb13c18":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path.keyword","negate":false,"params":{"query":"/logstash/suricata/eve.json"},"type":"phrase"},"query":{"match_phrase":{"log.file.path.keyword":"/logstash/suricata/eve.json"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["1332bedf-084f-485f-9582-c4f7d6706e3e","ed58a37c-a3f2-4e15-80a7-bd1c5fb13c18"],"layerId":"67129717-e463-4835-b902-ae42a9fb8001"}]}},"title":"Suricata.alert","visualizationType":"lnsDatatable"},"id":"2bfd9a80-81bb-11eb-8f89-e3407bab0c11","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-67129717-e463-4835-b902-ae42a9fb8001","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:10:46.184Z","version":"WzE4ODY4LDhd"}
5 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"f2cc0f2e-331d-4803-9bf9-75652868bc06":{"columnOrder":["9bbd9b31-c980-43da-8406-d3e1bd663e9a","e27d51cf-cad5-439f-8ae1-1ed653bdae0f"],"columns":{"9bbd9b31-c980-43da-8406-d3e1bd663e9a":{"dataType":"string","isBucketed":true,"label":"Top values of event.dataset.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e27d51cf-cad5-439f-8ae1-1ed653bdae0f","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"event.dataset.keyword"},"e27d51cf-cad5-439f-8ae1-1ed653bdae0f":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/zeek/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/zeek/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["9bbd9b31-c980-43da-8406-d3e1bd663e9a"],"layerId":"f2cc0f2e-331d-4803-9bf9-75652868bc06","legendDisplay":"show","metric":"e27d51cf-cad5-439f-8ae1-1ed653bdae0f","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Zeek","visualizationType":"lnsPie"},"id":"b11c05e0-7dd2-11eb-8002-c73037b472f1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-f2cc0f2e-331d-4803-9bf9-75652868bc06","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-05T16:49:03.294Z","version":"WzExNjc2LDRd"}
6 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"342f6ddb-9757-43eb-9a66-439c241b9f8e":{"columnOrder":["da56e2b4-8de7-4dde-957a-96faf53f9038","08f872b1-c4e6-46cc-9c6f-ee76fce77c81"],"columns":{"08f872b1-c4e6-46cc-9c6f-ee76fce77c81":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"da56e2b4-8de7-4dde-957a-96faf53f9038":{"dataType":"string","isBucketed":true,"label":"Top values of type.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"08f872b1-c4e6-46cc-9c6f-ee76fce77c81","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"type.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/memory/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/memory/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["da56e2b4-8de7-4dde-957a-96faf53f9038"],"layerId":"342f6ddb-9757-43eb-9a66-439c241b9f8e","legendDisplay":"show","metric":"08f872b1-c4e6-46cc-9c6f-ee76fce77c81","nestedLegend":false,"numberDisplay":"percent","percentDecimals":2}],"shape":"donut"}},"title":"Memory","visualizationType":"lnsPie"},"id":"897b51c0-81bb-11eb-8f89-e3407bab0c11","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-342f6ddb-9757-43eb-9a66-439c241b9f8e","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:13:23.036Z","version":"WzE5MDAzLDhd"}
7 | {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Wiki_helper","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Wiki_helper\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"Wiki-Helper Event IDs\\n--------------\\n\\n| Message | Event-ID |\\n|--|--|\\n| New Service was installed  | 7045 |\\n| A service was installed in the system  | 4697 |\\n| A user account was created | 4720 |\\n| The audit log was cleared | 1102 |\\n| the system log file was cleared | 104 |\\n| new process created | 4688 |\\n| user Deleted | 4726 |\\n| The Event log service was stopped |6006 |\\n| Shutdown Type: restart | 1074 |\\n| scheduled task was created | 4698 |\\n| Registry vakue was modified | 4657 |\\n| member was added to security enabled global group | 4732 |\\n| member was added to security enabled local group | 4728 |\\n| member was added to security enabled universal group | 4756 |\\n| the windows filtering platform has blocked a connection | 5157 |\\n| The Windows Filtering Platform has allowed a connection | 5156 |\\n| the system time was chnaged | 4616 |\\n| new exctrnal device was recognized | 6416 |\\n\\n\"}}"},"id":"aff43950-7f33-11eb-b646-df2842d173f7","migrationVersion":{"visualization":"7.11.0"},"references":[],"type":"visualization","updated_at":"2021-03-07T10:55:53.701Z","version":"WzE0NzI4LDVd"}
8 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":11,\"i\":\"7fbca4f3-d445-47e7-95f5-6b0296268934\"},\"panelIndex\":\"7fbca4f3-d445-47e7-95f5-6b0296268934\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":11,\"i\":\"91338a05-0277-4d1a-afb8-813f6f44bc1e\"},\"panelIndex\":\"91338a05-0277-4d1a-afb8-813f6f44bc1e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":15,\"i\":\"eeacbe66-49bb-4c84-9da0-41d8af8b7221\"},\"panelIndex\":\"eeacbe66-49bb-4c84-9da0-41d8af8b7221\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":11,\"w\":24,\"h\":15,\"i\":\"6a45cbb6-ec50-40cf-b082-4b9ed037e15b\"},\"panelIndex\":\"6a45cbb6-ec50-40cf-b082-4b9ed037e15b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":24,\"h\":19,\"i\":\"768091dc-f048-41bb-b22a-f1fa5a173eae\"},\"panelIndex\":\"768091dc-f048-41bb-b22a-f1fa5a173eae\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":26,\"w\":24,\"h\":19,\"i\":\"f265c8c5-1765-4bc1-baee-58a0bdaf5893\"},\"panelIndex\":\"f265c8c5-1765-4bc1-baee-58a0bdaf5893\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"}]","timeRestore":false,"title":"Elk-DFIR_Dashboard","version":1},"id":"10560ff0-7dcf-11eb-8002-c73037b472f1","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"832845a0-7dd6-11eb-8002-c73037b472f1","name":"panel_0","type":"visualization"},{"id":"e0800280-7dcf-11eb-8002-c73037b472f1","name":"panel_1","type":"lens"},{"id":"2bfd9a80-81bb-11eb-8f89-e3407bab0c11","name":"panel_2","type":"lens"},{"id":"b11c05e0-7dd2-11eb-8002-c73037b472f1","name":"panel_3","type":"lens"},{"id":"897b51c0-81bb-11eb-8f89-e3407bab0c11","name":"panel_4","type":"lens"},{"id":"aff43950-7f33-11eb-b646-df2842d173f7","name":"panel_5","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-10T16:14:04.113Z","version":"WzE5MDIyLDhd"}
9 | {"exportedCount":8,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------
/Dashboards/suricata_2.ndjson:
--------------------------------------------------------------------------------
 1 | {"attributes":{"fieldAttrs":"{\"destination.address\":{\"count\":2},\"event.dataset\":{\"count\":17},\"zeek.ssh.auth.attempts\":{\"count\":3},\"zeek.ssh.auth.success\":{\"count\":3},\"destination.ip\":{\"count\":2},\"network.community_id\":{\"count\":2},\"source.geo.country_name\":{\"count\":3},\"source.ip\":{\"count\":2}}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat-*"},"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-12T14:36:58.775Z","version":"WzE5OTY0LDdd"}
 2 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"35244dcb-cb5f-4878-8674-cb0737578fa9":{"columnOrder":["84cce26c-d83d-498c-8b68-3f5ca4fb4507","9b07ccae-95ed-4d4d-a258-45a00e5daff3"],"columns":{"84cce26c-d83d-498c-8b68-3f5ca4fb4507":{"dataType":"string","isBucketed":true,"label":"Top values of alert.signature.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9b07ccae-95ed-4d4d-a258-45a00e5daff3","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"alert.signature.keyword"},"9b07ccae-95ed-4d4d-a258-45a00e5daff3":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["84cce26c-d83d-498c-8b68-3f5ca4fb4507"],"layerId":"35244dcb-cb5f-4878-8674-cb0737578fa9","legendDisplay":"show","metric":"9b07ccae-95ed-4d4d-a258-45a00e5daff3","nestedLegend":false,"numberDisplay":"percent","percentDecimals":2}],"shape":"pie"}},"title":"Alert_signature","visualizationType":"lnsPie"},"id":"23ac7950-7f27-11eb-b646-df2842d173f7","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-35244dcb-cb5f-4878-8674-cb0737578fa9","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-12T14:38:28.869Z","version":"WzIwMDE4LDdd"}
 3 | {"attributes":{"fieldAttrs":"{}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat*"},"id":"8f009ee0-8335-11eb-a744-3f309b56c443","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-12T13:19:22.062Z","version":"WzE4NDEwLDdd"}
 4 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"8ea50cc8-8adb-4614-96ff-5022cfa21195":{"columnOrder":["4dbfe3bc-b755-49a6-afc6-bc0157fa6f1d","1e0315b9-0125-4c25-a97c-0a74bc56c809"],"columns":{"1e0315b9-0125-4c25-a97c-0a74bc56c809":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","params":{},"scale":"ratio","sourceField":"Records"},"4dbfe3bc-b755-49a6-afc6-bc0157fa6f1d":{"dataType":"string","isBucketed":true,"label":"Top values of app_proto.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1e0315b9-0125-4c25-a97c-0a74bc56c809","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"app_proto.keyword"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["4dbfe3bc-b755-49a6-afc6-bc0157fa6f1d"],"layerId":"8ea50cc8-8adb-4614-96ff-5022cfa21195","legendDisplay":"show","metric":"1e0315b9-0125-4c25-a97c-0a74bc56c809","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Protocols","visualizationType":"lnsPie"},"id":"7f22b5e0-7f29-11eb-b646-df2842d173f7","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-8ea50cc8-8adb-4614-96ff-5022cfa21195","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-12T14:38:54.343Z","version":"WzIwMDcxLDdd"}
 5 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"a1e1e856-afd2-41a6-b399-9ad6867ec39e":{"columnOrder":["907c27ec-a5e9-4adb-b2b9-dd8d1f89ce66","0fd1ce31-b74b-4cee-9a7a-a12c5d69fd0f","e0be4534-7a39-4bbc-858a-f5a77280d556","4b1721b2-128d-43c8-b909-6f47b6c32692","362a77b8-dbb4-4d97-96c7-b30191a97bfc","aad28755-a22e-4436-ab77-73a04a163c30"],"columns":{"0fd1ce31-b74b-4cee-9a7a-a12c5d69fd0f":{"dataType":"string","isBucketed":true,"label":"Top values of src_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"362a77b8-dbb4-4d97-96c7-b30191a97bfc","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"src_ip.keyword"},"362a77b8-dbb4-4d97-96c7-b30191a97bfc":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"4b1721b2-128d-43c8-b909-6f47b6c32692":{"dataType":"string","isBucketed":true,"label":"Top values of alert.signature.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"362a77b8-dbb4-4d97-96c7-b30191a97bfc","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"alert.signature.keyword"},"907c27ec-a5e9-4adb-b2b9-dd8d1f89ce66":{"dataType":"string","isBucketed":true,"label":"Top values of alert.category.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"362a77b8-dbb4-4d97-96c7-b30191a97bfc","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"alert.category.keyword"},"aad28755-a22e-4436-ab77-73a04a163c30":{"dataType":"number","isBucketed":false,"label":"Average of alert.severity","operationType":"avg","scale":"ratio","sourceField":"alert.severity"},"e0be4534-7a39-4bbc-858a-f5a77280d556":{"dataType":"string","isBucketed":true,"label":"Top values of dest_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"362a77b8-dbb4-4d97-96c7-b30191a97bfc","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"dest_ip.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path.keyword","negate":false,"params":{"query":"/logstash/suricata/eve.json"},"type":"phrase"},"query":{"match_phrase":{"log.file.path.keyword":"/logstash/suricata/eve.json"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["907c27ec-a5e9-4adb-b2b9-dd8d1f89ce66","0fd1ce31-b74b-4cee-9a7a-a12c5d69fd0f","e0be4534-7a39-4bbc-858a-f5a77280d556","4b1721b2-128d-43c8-b909-6f47b6c32692","362a77b8-dbb4-4d97-96c7-b30191a97bfc","aad28755-a22e-4436-ab77-73a04a163c30"],"layerId":"a1e1e856-afd2-41a6-b399-9ad6867ec39e"}]}},"title":"Aert_detetion","visualizationType":"lnsDatatable"},"id":"14d16a20-7f28-11eb-b646-df2842d173f7","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-a1e1e856-afd2-41a6-b399-9ad6867ec39e","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-12T14:39:19.020Z","version":"WzIwMTA3LDdd"}
 6 | {"attributes":{"fieldAttrs":"{}","fields":"[]","timeFieldName":"@timestamp","title":"suricata*"},"id":"ff8b8720-7f1f-11eb-b646-df2842d173f7","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-12T14:36:58.775Z","version":"WzE5OTY1LDdd"}
 7 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"f9c5f70b-b0b0-49f0-ac00-5cf1c87b13ab":{"columnOrder":["247d0825-0afb-4eea-83dd-5b59b275d3a7","7f4e610f-30b5-4f7a-9845-789dce9d3f43","eabdf6c2-14b7-4733-a20d-3ed48a7912cf","e190e480-629c-420d-bd0f-d73d8258710c","b269c224-bb74-4cc8-b55a-f6e08331a8c0"],"columns":{"247d0825-0afb-4eea-83dd-5b59b275d3a7":{"dataType":"string","isBucketed":true,"label":"Top values of event_type.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"b269c224-bb74-4cc8-b55a-f6e08331a8c0","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"event_type.keyword"},"7f4e610f-30b5-4f7a-9845-789dce9d3f43":{"dataType":"string","isBucketed":true,"label":"Top values of src_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"b269c224-bb74-4cc8-b55a-f6e08331a8c0","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"src_ip.keyword"},"b269c224-bb74-4cc8-b55a-f6e08331a8c0":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"e190e480-629c-420d-bd0f-d73d8258710c":{"dataType":"string","isBucketed":true,"label":"Top values of tx.geo.country_name.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"b269c224-bb74-4cc8-b55a-f6e08331a8c0","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"tx.geo.country_name.keyword"},"eabdf6c2-14b7-4733-a20d-3ed48a7912cf":{"dataType":"string","isBucketed":true,"label":"Top values of dest_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"b269c224-bb74-4cc8-b55a-f6e08331a8c0","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"dest_ip.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":true,"indexRefName":"filter-index-pattern-0","key":"log.file.path.keyword","negate":false,"params":{"query":"/logstash/suricata/eve.json"},"type":"phrase"},"query":{"match_phrase":{"log.file.path.keyword":"/logstash/suricata/eve.json"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["247d0825-0afb-4eea-83dd-5b59b275d3a7","7f4e610f-30b5-4f7a-9845-789dce9d3f43","eabdf6c2-14b7-4733-a20d-3ed48a7912cf","e190e480-629c-420d-bd0f-d73d8258710c","b269c224-bb74-4cc8-b55a-f6e08331a8c0"],"layerId":"f9c5f70b-b0b0-49f0-ac00-5cf1c87b13ab"}]}},"title":"Event_type","visualizationType":"lnsDatatable"},"id":"b520ed00-7f2a-11eb-b646-df2842d173f7","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-f9c5f70b-b0b0-49f0-ac00-5cf1c87b13ab","type":"index-pattern"},{"id":"ff8b8720-7f1f-11eb-b646-df2842d173f7","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-12T14:39:38.584Z","version":"WzIwMTUzLDdd"}
 8 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"ca16b5b3-8332-4663-8f47-575bbacbb471":{"columnOrder":["9365bb52-a9a2-47d4-84ab-3cd80f39ae1c","d45e4022-b70c-4f80-af9e-1c260b9af999","cdffc8a5-75a4-45ff-9f4c-251c6b49b6d9","178a48bc-ccaf-43bc-81ee-d173f9247657","1b128bd9-839b-4339-8b7b-8027226d28dd"],"columns":{"178a48bc-ccaf-43bc-81ee-d173f9247657":{"dataType":"string","isBucketed":true,"label":"Top values of app_proto.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1b128bd9-839b-4339-8b7b-8027226d28dd","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"app_proto.keyword"},"1b128bd9-839b-4339-8b7b-8027226d28dd":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"9365bb52-a9a2-47d4-84ab-3cd80f39ae1c":{"dataType":"string","isBucketed":true,"label":"Top values of fileinfo.filename.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1b128bd9-839b-4339-8b7b-8027226d28dd","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"fileinfo.filename.keyword"},"cdffc8a5-75a4-45ff-9f4c-251c6b49b6d9":{"dataType":"string","isBucketed":true,"label":"Top values of dest_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1b128bd9-839b-4339-8b7b-8027226d28dd","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"dest_ip.keyword"},"d45e4022-b70c-4f80-af9e-1c260b9af999":{"dataType":"string","isBucketed":true,"label":"Top values of src_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1b128bd9-839b-4339-8b7b-8027226d28dd","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"src_ip.keyword"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["9365bb52-a9a2-47d4-84ab-3cd80f39ae1c","d45e4022-b70c-4f80-af9e-1c260b9af999","cdffc8a5-75a4-45ff-9f4c-251c6b49b6d9","178a48bc-ccaf-43bc-81ee-d173f9247657","1b128bd9-839b-4339-8b7b-8027226d28dd"],"layerId":"ca16b5b3-8332-4663-8f47-575bbacbb471"}]}},"title":"file_name","visualizationType":"lnsDatatable"},"id":"a425f850-7f5d-11eb-a93e-91de047f57ab","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-ca16b5b3-8332-4663-8f47-575bbacbb471","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-12T14:40:07.070Z","version":"WzIwMjEwLDdd"}
 9 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"557f0e9a-860c-4aea-8950-d7592fdc3656":{"columnOrder":["311dc472-3102-45e1-9c2b-bdfa72f1a8e5","570ac3d0-69fb-40aa-a1d6-fbb14368e184","436d44eb-1b28-4517-8c85-a322e6edb60f","5af5756c-a8a8-4715-a06b-95cb26a816d2"],"columns":{"311dc472-3102-45e1-9c2b-bdfa72f1a8e5":{"dataType":"string","isBucketed":true,"label":"Top values of event_type.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"5af5756c-a8a8-4715-a06b-95cb26a816d2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"event_type.keyword"},"436d44eb-1b28-4517-8c85-a322e6edb60f":{"dataType":"string","isBucketed":true,"label":"Top values of dest_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"5af5756c-a8a8-4715-a06b-95cb26a816d2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"dest_ip.keyword"},"570ac3d0-69fb-40aa-a1d6-fbb14368e184":{"dataType":"string","isBucketed":true,"label":"Top values of src_ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"5af5756c-a8a8-4715-a06b-95cb26a816d2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"src_ip.keyword"},"5af5756c-a8a8-4715-a06b-95cb26a816d2":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":true,"indexRefName":"filter-index-pattern-0","key":"event_type.keyword","negate":false,"params":{"query":"dns"},"type":"phrase"},"query":{"match_phrase":{"event_type.keyword":"dns"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":true,"indexRefName":"filter-index-pattern-1","key":"log.file.path.keyword","negate":false,"params":{"query":"/logstash/suricata/eve.json"},"type":"phrase"},"query":{"match_phrase":{"log.file.path.keyword":"/logstash/suricata/eve.json"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["311dc472-3102-45e1-9c2b-bdfa72f1a8e5","570ac3d0-69fb-40aa-a1d6-fbb14368e184","436d44eb-1b28-4517-8c85-a322e6edb60f","5af5756c-a8a8-4715-a06b-95cb26a816d2"],"layerId":"557f0e9a-860c-4aea-8950-d7592fdc3656"}]}},"title":"Suricata_DNS","visualizationType":"lnsDatatable"},"id":"56d560d0-7f5e-11eb-a93e-91de047f57ab","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-557f0e9a-860c-4aea-8950-d7592fdc3656","type":"index-pattern"},{"id":"ff8b8720-7f1f-11eb-b646-df2842d173f7","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"ff8b8720-7f1f-11eb-b646-df2842d173f7","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-12T14:40:35.532Z","version":"WzIwMjgwLDdd"}
10 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"0fb9085f-0009-4e92-a4d5-91224fe16d23\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"0fb9085f-0009-4e92-a4d5-91224fe16d23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"1fcc9dca-1d74-4da3-9e80-45ca5b9277b4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1fcc9dca-1d74-4da3-9e80-45ca5b9277b4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"1c7c081b-7da6-4106-9122-9107126f2bb5\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1c7c081b-7da6-4106-9122-9107126f2bb5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"4d2fdc4e-079e-4c95-bafe-5ef3aa67f04c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"4d2fdc4e-079e-4c95-bafe-5ef3aa67f04c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"ecf1ffa0-0ea6-4b88-9469-0388399e6a16\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"ecf1ffa0-0ea6-4b88-9469-0388399e6a16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"704fa4b4-9449-4e0b-9592-af7a3ddd461e\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"704fa4b4-9449-4e0b-9592-af7a3ddd461e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"}]","timeRestore":false,"title":"Suricata_dashboard","version":1},"id":"34312460-7f27-11eb-b646-df2842d173f7","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"23ac7950-7f27-11eb-b646-df2842d173f7","name":"panel_0","type":"lens"},{"id":"7f22b5e0-7f29-11eb-b646-df2842d173f7","name":"panel_1","type":"lens"},{"id":"14d16a20-7f28-11eb-b646-df2842d173f7","name":"panel_2","type":"lens"},{"id":"b520ed00-7f2a-11eb-b646-df2842d173f7","name":"panel_3","type":"lens"},{"id":"a425f850-7f5d-11eb-a93e-91de047f57ab","name":"panel_4","type":"lens"},{"id":"56d560d0-7f5e-11eb-a93e-91de047f57ab","name":"panel_5","type":"lens"}],"type":"dashboard","updated_at":"2021-03-12T14:40:47.010Z","version":"WzIwMzI5LDdd"}
11 | {"exportedCount":10,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------
/Dashboards/MFT.ndjson:
--------------------------------------------------------------------------------
 1 | {"attributes":{"fieldAttrs":"{\"MACB\":{\"count\":15}}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat*"},"id":"8f009ee0-8335-11eb-a744-3f309b56c443","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-05-08T19:18:18.484Z","version":"WzI3NDcsNl0="}
 2 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"bc8368f3-600a-4d17-ad53-94929d3bb394":{"columnOrder":["cd68d9fe-219b-4211-9875-a32fef0c50c0","3b9fe1fd-2abb-430f-a1fc-dede97eebd6c"],"columns":{"3b9fe1fd-2abb-430f-a1fc-dede97eebd6c":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"cd68d9fe-219b-4211-9875-a32fef0c50c0":{"dataType":"date","isBucketed":true,"label":"Created0x10","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"Created0x10"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"layers":[{"accessors":["3b9fe1fd-2abb-430f-a1fc-dede97eebd6c"],"layerId":"bc8368f3-600a-4d17-ad53-94929d3bb394","position":"top","seriesType":"area_stacked","showGridlines":false,"xAccessor":"cd68d9fe-219b-4211-9875-a32fef0c50c0"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"area_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide"}},"title":"MFT_Creation_timeline","visualizationType":"lnsXY"},"id":"77fe49b0-b02e-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-bc8368f3-600a-4d17-ad53-94929d3bb394","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T18:51:59.307Z","version":"WzIzMDUsNl0="}
 3 | {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"SANS  Find Evil","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SANS  Find Evil\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"\\n\\n![alt text](https://github.com/Maboalenen/DFIR/blob/main/SANS_Find_Evil.png?raw=true)\"}}"},"id":"31abb790-b033-11eb-b86f-23c5c99a3109","migrationVersion":{"visualization":"7.11.0"},"references":[],"type":"visualization","updated_at":"2021-05-08T19:25:48.809Z","version":"WzI4MDYsNl0="}
 4 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"1eee65a4-4587-44bb-8868-052e67f5ba28":{"columnOrder":["6d9a2639-79dc-4e7b-99f8-71cec9c868cd","c02fdce2-dbb3-4f70-b675-b4f5e25e7400","4e3cbe94-eb77-419b-9e4d-b5904397a364","80fdbfc4-6201-4d27-a212-0121087d2781"],"columns":{"4e3cbe94-eb77-419b-9e4d-b5904397a364":{"dataType":"date","isBucketed":true,"label":"Created0x10","operationType":"date_histogram","params":{"interval":"1h"},"scale":"interval","sourceField":"Created0x10"},"6d9a2639-79dc-4e7b-99f8-71cec9c868cd":{"dataType":"string","isBucketed":true,"label":"Top values of ParentPath.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"80fdbfc4-6201-4d27-a212-0121087d2781","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"ParentPath.keyword"},"80fdbfc4-6201-4d27-a212-0121087d2781":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"c02fdce2-dbb3-4f70-b675-b4f5e25e7400":{"dataType":"string","isBucketed":true,"label":"Top values of FileName.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"80fdbfc4-6201-4d27-a212-0121087d2781","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"FileName.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/kape/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/kape/*"}}}],"query":{"language":"kuery","query":"ParentPath.keyword :\".\\inetpub\\wwwroot\""},"visualization":{"layers":[{"columns":["6d9a2639-79dc-4e7b-99f8-71cec9c868cd","c02fdce2-dbb3-4f70-b675-b4f5e25e7400","4e3cbe94-eb77-419b-9e4d-b5904397a364","80fdbfc4-6201-4d27-a212-0121087d2781"],"layerId":"1eee65a4-4587-44bb-8868-052e67f5ba28"}],"sorting":{"columnId":"4e3cbe94-eb77-419b-9e4d-b5904397a364","direction":"desc"}}},"title":"MFT-Inetpub","visualizationType":"lnsDatatable"},"id":"8735a9b0-b02d-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-1eee65a4-4587-44bb-8868-052e67f5ba28","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T19:03:40.919Z","version":"WzI1MTQsNl0="}
 5 | {"attributes":{"description":"MFT File Extenation","state":{"datasourceStates":{"indexpattern":{"layers":{"39796cc7-c7e1-41c3-9275-d8b525076cea":{"columnOrder":["e743fe1c-f897-437f-88bd-6e68faa46472","7a855ca6-e4ed-4cce-99f0-5d9c67eff0ac"],"columns":{"7a855ca6-e4ed-4cce-99f0-5d9c67eff0ac":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"e743fe1c-f897-437f-88bd-6e68faa46472":{"dataType":"string","isBucketed":true,"label":"Top values of Extension.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"7a855ca6-e4ed-4cce-99f0-5d9c67eff0ac","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"Extension.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/kape/"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/kape/"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"layers":[{"accessors":["7a855ca6-e4ed-4cce-99f0-5d9c67eff0ac"],"layerId":"39796cc7-c7e1-41c3-9275-d8b525076cea","seriesType":"bar_horizontal_stacked","xAccessor":"e743fe1c-f897-437f-88bd-6e68faa46472"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_horizontal_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide"}},"title":"MFT_Extension","visualizationType":"lnsXY"},"id":"a73507e0-b043-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-39796cc7-c7e1-41c3-9275-d8b525076cea","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T21:23:37.950Z","version":"WzMyMjIsNl0="}
 6 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"af6ef151-b62b-4fbb-8d16-2f37c8cded29":{"columnOrder":["88f8fc42-1f17-4180-ab9b-37adb8d1ce6b","2e71b0bb-5064-401b-ae0c-98e97c56f3cb","e3560ade-2a46-4690-a4d4-a1128d01621c","efd01da5-4347-47ea-8560-6e46cb461e2a","8835b258-90c4-4eea-8160-a3f35fc1d8ad"],"columns":{"2e71b0bb-5064-401b-ae0c-98e97c56f3cb":{"dataType":"string","isBucketed":true,"label":"Top values of ZoneIdContents.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8835b258-90c4-4eea-8160-a3f35fc1d8ad","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"ZoneIdContents.keyword"},"8835b258-90c4-4eea-8160-a3f35fc1d8ad":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"88f8fc42-1f17-4180-ab9b-37adb8d1ce6b":{"dataType":"string","isBucketed":true,"label":"Top values of FileName.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8835b258-90c4-4eea-8160-a3f35fc1d8ad","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"FileName.keyword"},"e3560ade-2a46-4690-a4d4-a1128d01621c":{"dataType":"string","isBucketed":true,"label":"Top values of ParentPath.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8835b258-90c4-4eea-8160-a3f35fc1d8ad","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"ParentPath.keyword"},"efd01da5-4347-47ea-8560-6e46cb461e2a":{"dataType":"date","isBucketed":true,"label":"Created0x10","operationType":"date_histogram","params":{"interval":"1h"},"scale":"interval","sourceField":"Created0x10"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Extension.keyword","negate":false,"params":{"query":".Identifier"},"type":"phrase"},"query":{"match_phrase":{"Extension.keyword":".Identifier"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["88f8fc42-1f17-4180-ab9b-37adb8d1ce6b","2e71b0bb-5064-401b-ae0c-98e97c56f3cb","e3560ade-2a46-4690-a4d4-a1128d01621c","efd01da5-4347-47ea-8560-6e46cb461e2a","8835b258-90c4-4eea-8160-a3f35fc1d8ad"],"layerId":"af6ef151-b62b-4fbb-8d16-2f37c8cded29"}],"sorting":{"columnId":"efd01da5-4347-47ea-8560-6e46cb461e2a","direction":"asc"}}},"title":"MFT-Zone.Identifier","visualizationType":"lnsDatatable"},"id":"e5bb6b00-b041-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-af6ef151-b62b-4fbb-8d16-2f37c8cded29","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T21:11:03.857Z","version":"WzMwMjcsNl0="}
 7 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"93e70666-628b-4e70-97ae-6ce361e7b79d":{"columnOrder":["d99cc5cc-aa03-40b0-af7c-63f9cba3a78d","76bb440d-0e39-4124-92c4-facd15777f3c","33b14e19-6cd1-445c-8645-d1d551fbe512","9dffec1b-56a6-454d-b258-34b8cb6d030d"],"columns":{"33b14e19-6cd1-445c-8645-d1d551fbe512":{"dataType":"date","isBucketed":true,"label":"Created0x10","operationType":"date_histogram","params":{"interval":"1h"},"scale":"interval","sourceField":"Created0x10"},"76bb440d-0e39-4124-92c4-facd15777f3c":{"dataType":"string","isBucketed":true,"label":"Top values of FileName.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9dffec1b-56a6-454d-b258-34b8cb6d030d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"FileName.keyword"},"9dffec1b-56a6-454d-b258-34b8cb6d030d":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"d99cc5cc-aa03-40b0-af7c-63f9cba3a78d":{"dataType":"string","isBucketed":true,"label":"Top values of ParentPath.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9dffec1b-56a6-454d-b258-34b8cb6d030d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"ParentPath.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/kape/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/kape/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"ParentPath.keyword","negate":false,"params":{"query":".\\Windows\\System32\\inetsrv"},"type":"phrase"},"query":{"match_phrase":{"ParentPath.keyword":".\\Windows\\System32\\inetsrv"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["d99cc5cc-aa03-40b0-af7c-63f9cba3a78d","76bb440d-0e39-4124-92c4-facd15777f3c","33b14e19-6cd1-445c-8645-d1d551fbe512","9dffec1b-56a6-454d-b258-34b8cb6d030d"],"layerId":"93e70666-628b-4e70-97ae-6ce361e7b79d"}],"sorting":{"columnId":"33b14e19-6cd1-445c-8645-d1d551fbe512","direction":"desc"}}},"title":"MFT_inetsrv","visualizationType":"lnsDatatable"},"id":"04b28820-b030-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-93e70666-628b-4e70-97ae-6ce361e7b79d","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T19:07:46.737Z","version":"WzI1OTIsNl0="}
 8 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9c4aead3-976b-4a8a-84c1-e656f7b3bbae":{"columnOrder":["e33233bf-6f07-417a-9040-98d281c35029","4739a0a2-bb81-49cc-87b5-93e057c88014","ffd4d0bc-3e02-4e85-ba9a-aa74856f956d","8b6f627f-438f-4aa6-a6a9-a87c665546fa"],"columns":{"4739a0a2-bb81-49cc-87b5-93e057c88014":{"dataType":"date","isBucketed":true,"label":"Created0x10","operationType":"date_histogram","params":{"interval":"1h"},"scale":"interval","sourceField":"Created0x10"},"8b6f627f-438f-4aa6-a6a9-a87c665546fa":{"dataType":"number","isBucketed":false,"label":"Average of EntryNumber","operationType":"avg","scale":"ratio","sourceField":"EntryNumber"},"e33233bf-6f07-417a-9040-98d281c35029":{"dataType":"string","isBucketed":true,"label":"Top values of FileName.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ffd4d0bc-3e02-4e85-ba9a-aa74856f956d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"FileName.keyword"},"ffd4d0bc-3e02-4e85-ba9a-aa74856f956d":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/kape/"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/kape/"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"Extension.keyword","negate":false,"params":{"query":".compiled"},"type":"phrase"},"query":{"match_phrase":{"Extension.keyword":".compiled"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["e33233bf-6f07-417a-9040-98d281c35029","4739a0a2-bb81-49cc-87b5-93e057c88014","ffd4d0bc-3e02-4e85-ba9a-aa74856f956d","8b6f627f-438f-4aa6-a6a9-a87c665546fa"],"layerId":"9c4aead3-976b-4a8a-84c1-e656f7b3bbae"}]}},"title":"MFT-File Compiled","visualizationType":"lnsDatatable"},"id":"d56346d0-b044-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-9c4aead3-976b-4a8a-84c1-e656f7b3bbae","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T21:32:04.925Z","version":"WzMzNzYsNl0="}
 9 | {"attributes":{"description":"Shortcut (LNK) Files\nAutomatically created by Windows \nOpening local or remote data file and document will generate a shortcut file (.lnk)\n","state":{"datasourceStates":{"indexpattern":{"layers":{"cf8c5796-885b-480b-ba4a-a8288e690546":{"columnOrder":["0d587e23-597a-459c-851d-89231210d04d","86495f49-585d-4ce6-8462-385d5721a943","3ca0ca20-2fa7-4dd5-b30c-34143222ca59"],"columns":{"0d587e23-597a-459c-851d-89231210d04d":{"dataType":"string","isBucketed":true,"label":"Top values of FileName.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3ca0ca20-2fa7-4dd5-b30c-34143222ca59","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"FileName.keyword"},"3ca0ca20-2fa7-4dd5-b30c-34143222ca59":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"86495f49-585d-4ce6-8462-385d5721a943":{"dataType":"date","isBucketed":true,"label":"Created0x10","operationType":"date_histogram","params":{"interval":"1h"},"scale":"interval","sourceField":"Created0x10"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/kape/"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/kape/"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"Extension.keyword","negate":false,"params":{"query":".lnk"},"type":"phrase"},"query":{"match_phrase":{"Extension.keyword":".lnk"}}}],"query":{"language":"kuery","query":"*.aspx* OR *.exe* OR *.txt* OR .zip OR .rar OR *mimi*"},"visualization":{"layers":[{"columns":["0d587e23-597a-459c-851d-89231210d04d","86495f49-585d-4ce6-8462-385d5721a943","3ca0ca20-2fa7-4dd5-b30c-34143222ca59"],"layerId":"cf8c5796-885b-480b-ba4a-a8288e690546"}],"sorting":{"columnId":"86495f49-585d-4ce6-8462-385d5721a943","direction":"asc"}}},"title":"MFT-.lnk ","visualizationType":"lnsDatatable"},"id":"1a2067b0-b047-11eb-b86f-23c5c99a3109","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-cf8c5796-885b-480b-ba4a-a8288e690546","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-05-08T21:48:19.243Z","version":"WzM3NDcsNl0="}
10 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"log.file.path\",\"negate\":false,\"params\":{\"query\":\"/logstash/kape/*\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"log.file.path\":\"/logstash/kape/*\"}}}]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"fb7c0e4a-00ee-4445-8b96-cf13d7ff70f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"fb7c0e4a-00ee-4445-8b96-cf13d7ff70f8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":24,\"i\":\"e2e5d253-31e7-4c24-8e66-66f4c5351318\",\"w\":23,\"x\":24,\"y\":15},\"panelIndex\":\"e2e5d253-31e7-4c24-8e66-66f4c5351318\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"fa06350e-ab70-4362-bcd0-9d5fa48077a5\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fa06350e-ab70-4362-bcd0-9d5fa48077a5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"9f1fd957-ecd6-4e1b-bf3c-ad3e4f5cc82b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f1fd957-ecd6-4e1b-bf3c-ad3e4f5cc82b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"053400c8-ccc7-4dd5-a550-a1da00396478\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"053400c8-ccc7-4dd5-a550-a1da00396478\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"e4f9ad72-a1c5-4450-b742-c7bd8afda38c\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"e4f9ad72-a1c5-4450-b742-c7bd8afda38c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"36d62721-1392-47ad-bb8d-5101a7b4d123\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"36d62721-1392-47ad-bb8d-5101a7b4d123\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":24,\"y\":54,\"w\":24,\"h\":15,\"i\":\"c5e8ce6c-e612-4ff0-bd0f-bd5a4632dd8f\"},\"panelIndex\":\"c5e8ce6c-e612-4ff0-bd0f-bd5a4632dd8f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"MFT_parser","version":1},"id":"946fe4b0-b02d-11eb-b86f-23c5c99a3109","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"77fe49b0-b02e-11eb-b86f-23c5c99a3109","name":"panel_0","type":"lens"},{"id":"31abb790-b033-11eb-b86f-23c5c99a3109","name":"panel_1","type":"visualization"},{"id":"8735a9b0-b02d-11eb-b86f-23c5c99a3109","name":"panel_2","type":"lens"},{"id":"a73507e0-b043-11eb-b86f-23c5c99a3109","name":"panel_3","type":"lens"},{"id":"e5bb6b00-b041-11eb-b86f-23c5c99a3109","name":"panel_4","type":"lens"},{"id":"04b28820-b030-11eb-b86f-23c5c99a3109","name":"panel_5","type":"lens"},{"id":"d56346d0-b044-11eb-b86f-23c5c99a3109","name":"panel_6","type":"lens"},{"id":"1a2067b0-b047-11eb-b86f-23c5c99a3109","name":"panel_7","type":"lens"}],"type":"dashboard","updated_at":"2021-05-08T21:48:54.268Z","version":"WzM3NzEsNl0="}
11 | {"exportedCount":10,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------
/Dashboards/ICS_connection.ndjson:
--------------------------------------------------------------------------------
 1 | {"attributes":{"fieldAttrs":"{\"destination.address\":{\"count\":2},\"event.dataset\":{\"count\":17},\"zeek.ssh.auth.attempts\":{\"count\":3},\"zeek.ssh.auth.success\":{\"count\":3},\"destination.ip\":{\"count\":2},\"network.community_id\":{\"count\":2},\"source.geo.country_name\":{\"count\":3},\"source.ip\":{\"count\":2}}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat-*"},"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-05T16:32:25.313Z","version":"WzExNDk0LDRd"}
 2 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"2f8a5dce-919b-4ebb-a9b2-72803ac526f1":{"columnOrder":["6cfda4c1-33f4-46d2-a867-b2695a3d3ced","80e92b00-6bb5-4e1f-bd67-8ff57a21c61a"],"columns":{"6cfda4c1-33f4-46d2-a867-b2695a3d3ced":{"dataType":"string","isBucketed":true,"label":"Top values of event.dataset.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"80e92b00-6bb5-4e1f-bd67-8ff57a21c61a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"event.dataset.keyword"},"80e92b00-6bb5-4e1f-bd67-8ff57a21c61a":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["6cfda4c1-33f4-46d2-a867-b2695a3d3ced"],"layerId":"2f8a5dce-919b-4ebb-a9b2-72803ac526f1","legendDisplay":"show","metric":"80e92b00-6bb5-4e1f-bd67-8ff57a21c61a","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"ICS_Overview","visualizationType":"lnsPie"},"id":"96236e20-71d1-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-2f8a5dce-919b-4ebb-a9b2-72803ac526f1","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-18T10:24:10.752Z","version":"WzIzMzUsMV0="}
 3 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"6c3d5820-5773-4a19-8509-618d160b23e9":{"columnOrder":["e2d0fd82-aa0f-4a6c-9578-3b4f5d365f9f","766028e5-1887-4379-85bb-32eac0d43e9b","82de62fe-b3c3-4a66-b27c-0f3f7f2f61ed","76657569-0edd-4677-8663-1704121ba8a7","03a0a304-a83a-4703-8aed-31550eef9250","2da3619c-09d2-482e-8378-5fcd7368d3f1","80b3749d-d56a-40dc-ba37-28327b73066f"],"columns":{"03a0a304-a83a-4703-8aed-31550eef9250":{"dataType":"string","isBucketed":true,"label":"Top values of event.outcome.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2da3619c-09d2-482e-8378-5fcd7368d3f1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"event.outcome.keyword"},"2da3619c-09d2-482e-8378-5fcd7368d3f1":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"766028e5-1887-4379-85bb-32eac0d43e9b":{"dataType":"string","isBucketed":true,"label":"Top values of source.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2da3619c-09d2-482e-8378-5fcd7368d3f1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip.keyword"},"76657569-0edd-4677-8663-1704121ba8a7":{"dataType":"string","isBucketed":true,"label":"Top values of event.action.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2da3619c-09d2-482e-8378-5fcd7368d3f1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"event.action.keyword"},"80b3749d-d56a-40dc-ba37-28327b73066f":{"dataType":"number","isBucketed":false,"label":"Average of destination.port","operationType":"avg","scale":"ratio","sourceField":"destination.port"},"82de62fe-b3c3-4a66-b27c-0f3f7f2f61ed":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2da3619c-09d2-482e-8378-5fcd7368d3f1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip.keyword"},"e2d0fd82-aa0f-4a6c-9578-3b4f5d365f9f":{"dataType":"string","isBucketed":true,"label":"Top values of fileset.name.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2da3619c-09d2-482e-8378-5fcd7368d3f1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"fileset.name.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.modbus"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.modbus"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["e2d0fd82-aa0f-4a6c-9578-3b4f5d365f9f","766028e5-1887-4379-85bb-32eac0d43e9b","82de62fe-b3c3-4a66-b27c-0f3f7f2f61ed","76657569-0edd-4677-8663-1704121ba8a7","03a0a304-a83a-4703-8aed-31550eef9250","2da3619c-09d2-482e-8378-5fcd7368d3f1","80b3749d-d56a-40dc-ba37-28327b73066f"],"layerId":"6c3d5820-5773-4a19-8509-618d160b23e9"}]}},"title":"Modbus","visualizationType":"lnsDatatable"},"id":"20f6b790-71d3-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-6c3d5820-5773-4a19-8509-618d160b23e9","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-22T17:51:26.643Z","version":"Wzk5MTYsNF0="}
 4 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"5c9cc72b-6e71-480c-ac3c-78b3636fcdbe":{"columnOrder":["26eaf958-be26-41f0-9dc1-79efc3577817","bcf38647-226b-4237-8958-a3abd5ae6a62","4d6eb300-be97-428d-8c76-e8c43d892185","a3d24cfb-b7ad-414c-b50b-bcd079d08213","2757bb75-3b54-4b1c-b0f0-99392679b3ff"],"columns":{"26eaf958-be26-41f0-9dc1-79efc3577817":{"dataType":"string","isBucketed":true,"label":"Top values of fileset.name.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2757bb75-3b54-4b1c-b0f0-99392679b3ff","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"fileset.name.keyword"},"2757bb75-3b54-4b1c-b0f0-99392679b3ff":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"4d6eb300-be97-428d-8c76-e8c43d892185":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2757bb75-3b54-4b1c-b0f0-99392679b3ff","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"destination.ip.keyword"},"a3d24cfb-b7ad-414c-b50b-bcd079d08213":{"dataType":"string","isBucketed":true,"label":"Top values of zeek.dnp3.function.request.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2757bb75-3b54-4b1c-b0f0-99392679b3ff","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"zeek.dnp3.function.request.keyword"},"bcf38647-226b-4237-8958-a3abd5ae6a62":{"dataType":"string","isBucketed":true,"label":"Top values of source.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"2757bb75-3b54-4b1c-b0f0-99392679b3ff","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.dnp3"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.dnp3"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["26eaf958-be26-41f0-9dc1-79efc3577817","bcf38647-226b-4237-8958-a3abd5ae6a62","4d6eb300-be97-428d-8c76-e8c43d892185","a3d24cfb-b7ad-414c-b50b-bcd079d08213","2757bb75-3b54-4b1c-b0f0-99392679b3ff"],"layerId":"5c9cc72b-6e71-480c-ac3c-78b3636fcdbe"}]}},"title":"dnp3","visualizationType":"lnsDatatable"},"id":"351c61b0-71d4-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-5c9cc72b-6e71-480c-ac3c-78b3636fcdbe","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-22T17:52:00.071Z","version":"Wzk5NzMsNF0="}
 5 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"4a806507-31ed-4758-97e9-767e414c537c":{"columnOrder":["f2dc04da-dee6-432f-bb3c-fca5fef49582","1623457d-19c9-493f-afa2-beade107819a","d5ef25f5-d670-4cbf-a03a-7badf62c409d","928e6258-9826-4cc3-b876-b2337a8a23c4","82e266a6-508f-41d4-a234-bddfa8082efb"],"columns":{"1623457d-19c9-493f-afa2-beade107819a":{"dataType":"string","isBucketed":true,"label":"Top values of source.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"82e266a6-508f-41d4-a234-bddfa8082efb","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip.keyword"},"82e266a6-508f-41d4-a234-bddfa8082efb":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"928e6258-9826-4cc3-b876-b2337a8a23c4":{"dataType":"boolean","isBucketed":true,"label":"Top values of zeek.ssh.auth.success","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"82e266a6-508f-41d4-a234-bddfa8082efb","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"zeek.ssh.auth.success"},"d5ef25f5-d670-4cbf-a03a-7badf62c409d":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"82e266a6-508f-41d4-a234-bddfa8082efb","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip.keyword"},"f2dc04da-dee6-432f-bb3c-fca5fef49582":{"dataType":"string","isBucketed":true,"label":"Top values of network.protocol.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"82e266a6-508f-41d4-a234-bddfa8082efb","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"network.protocol.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.ssh"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.ssh"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["f2dc04da-dee6-432f-bb3c-fca5fef49582","1623457d-19c9-493f-afa2-beade107819a","d5ef25f5-d670-4cbf-a03a-7badf62c409d","928e6258-9826-4cc3-b876-b2337a8a23c4","82e266a6-508f-41d4-a234-bddfa8082efb"],"layerId":"4a806507-31ed-4758-97e9-767e414c537c"}]}},"title":"SSH_auth_success","visualizationType":"lnsDatatable"},"id":"16e56df0-72af-11eb-b523-61a1ce23c93c","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-4a806507-31ed-4758-97e9-767e414c537c","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-19T12:36:29.391Z","version":"WzQ1NzgsMl0="}
 6 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"b5579db1-5ca4-480f-800c-7621bbd72310":{"columnOrder":["e761435b-7180-438b-8934-de5c1f3b37d1","075ffc62-dc97-48c3-8fe3-151abcaf4726","b9ff3ba7-4f79-4625-968b-246d4340ce59","3758a821-ab23-4a31-919e-251c40d6f4ee","4c5118d4-9695-440e-954d-9e2caae2122e"],"columns":{"075ffc62-dc97-48c3-8fe3-151abcaf4726":{"dataType":"string","isBucketed":true,"label":"Top values of source.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"4c5118d4-9695-440e-954d-9e2caae2122e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip.keyword"},"3758a821-ab23-4a31-919e-251c40d6f4ee":{"dataType":"string","isBucketed":true,"label":"Top values of zeek.ssh.server.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"4c5118d4-9695-440e-954d-9e2caae2122e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"zeek.ssh.server.keyword"},"4c5118d4-9695-440e-954d-9e2caae2122e":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"b9ff3ba7-4f79-4625-968b-246d4340ce59":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"4c5118d4-9695-440e-954d-9e2caae2122e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip.keyword"},"e761435b-7180-438b-8934-de5c1f3b37d1":{"dataType":"string","isBucketed":true,"label":"Top values of network.protocol.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"4c5118d4-9695-440e-954d-9e2caae2122e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"network.protocol.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.ssh"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.ssh"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["e761435b-7180-438b-8934-de5c1f3b37d1","075ffc62-dc97-48c3-8fe3-151abcaf4726","b9ff3ba7-4f79-4625-968b-246d4340ce59","3758a821-ab23-4a31-919e-251c40d6f4ee","4c5118d4-9695-440e-954d-9e2caae2122e"],"layerId":"b5579db1-5ca4-480f-800c-7621bbd72310"}]}},"title":"SSH_connection","visualizationType":"lnsDatatable"},"id":"e134a8a0-72af-11eb-b523-61a1ce23c93c","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-b5579db1-5ca4-480f-800c-7621bbd72310","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-19T12:42:08.810Z","version":"WzQ4NTAsMl0="}
 7 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"7b6f2cf1-76d3-492d-a3a2-f9819370a8ba":{"columnOrder":["39c9efda-38cc-414e-880a-69cad6a49825","d8b2029c-842b-4af6-bb20-3b5d6887d6f8","02a87918-46ca-4290-925b-ac4d87591336","5f53ca04-6420-48e8-ba3b-cc56f02a1e8b","1a7a1163-1dac-44f6-a248-860270e4065d","b6fac220-dd76-4c3b-8670-3cd20930e1f9","d218b4c2-a72b-4eab-a59e-8ad21a03743d","9f2bf233-2b5f-4eb0-816f-bfd15da507a2"],"columns":{"02a87918-46ca-4290-925b-ac4d87591336":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d218b4c2-a72b-4eab-a59e-8ad21a03743d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip.keyword"},"1a7a1163-1dac-44f6-a248-860270e4065d":{"dataType":"string","isBucketed":true,"label":"Top values of zeek.ftp.password.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d218b4c2-a72b-4eab-a59e-8ad21a03743d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"zeek.ftp.password.keyword"},"39c9efda-38cc-414e-880a-69cad6a49825":{"dataType":"string","isBucketed":true,"label":"Top values of network.protocol.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d218b4c2-a72b-4eab-a59e-8ad21a03743d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"network.protocol.keyword"},"5f53ca04-6420-48e8-ba3b-cc56f02a1e8b":{"dataType":"string","isBucketed":true,"label":"Top values of user.name.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d218b4c2-a72b-4eab-a59e-8ad21a03743d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"user.name.keyword"},"9f2bf233-2b5f-4eb0-816f-bfd15da507a2":{"dataType":"number","isBucketed":false,"label":"Average of zeek.ftp.reply.code","operationType":"avg","scale":"ratio","sourceField":"zeek.ftp.reply.code"},"b6fac220-dd76-4c3b-8670-3cd20930e1f9":{"dataType":"string","isBucketed":true,"label":"Top values of zeek.ftp.reply.msg.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d218b4c2-a72b-4eab-a59e-8ad21a03743d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"zeek.ftp.reply.msg.keyword"},"d218b4c2-a72b-4eab-a59e-8ad21a03743d":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"d8b2029c-842b-4af6-bb20-3b5d6887d6f8":{"dataType":"string","isBucketed":true,"label":"Top values of source.address.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d218b4c2-a72b-4eab-a59e-8ad21a03743d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.address.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.ftp"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.ftp"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["39c9efda-38cc-414e-880a-69cad6a49825","d8b2029c-842b-4af6-bb20-3b5d6887d6f8","02a87918-46ca-4290-925b-ac4d87591336","5f53ca04-6420-48e8-ba3b-cc56f02a1e8b","1a7a1163-1dac-44f6-a248-860270e4065d","b6fac220-dd76-4c3b-8670-3cd20930e1f9","d218b4c2-a72b-4eab-a59e-8ad21a03743d","9f2bf233-2b5f-4eb0-816f-bfd15da507a2"],"layerId":"7b6f2cf1-76d3-492d-a3a2-f9819370a8ba"}]}},"title":"FTP_Connections","visualizationType":"lnsDatatable"},"id":"ad3c9a60-72b1-11eb-b523-61a1ce23c93c","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-7b6f2cf1-76d3-492d-a3a2-f9819370a8ba","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-19T12:55:00.614Z","version":"WzUzODcsMl0="}
 8 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"61dcebc3-b142-4467-aba1-328c6f85ad5c":{"columnOrder":["619fcfb3-515d-4d46-91b1-180e6eb20707","7627e286-be1b-45a4-b5e0-489275fb0363","0e0eebca-a16b-4e7b-a965-a993f9e28fd2","f2a00ef4-bdde-4d5f-a256-51d68d8b1b70","c6fde411-1a4b-4043-b524-ed9206751def"],"columns":{"0e0eebca-a16b-4e7b-a965-a993f9e28fd2":{"dataType":"string","isBucketed":true,"label":"Top values of dns.question.name.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"c6fde411-1a4b-4043-b524-ed9206751def","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"dns.question.name.keyword"},"619fcfb3-515d-4d46-91b1-180e6eb20707":{"dataType":"string","isBucketed":true,"label":"Top values of source.address.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"c6fde411-1a4b-4043-b524-ed9206751def","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.address.keyword"},"7627e286-be1b-45a4-b5e0-489275fb0363":{"dataType":"string","isBucketed":true,"label":"Top values of destination.address.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"c6fde411-1a4b-4043-b524-ed9206751def","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.address.keyword"},"c6fde411-1a4b-4043-b524-ed9206751def":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"f2a00ef4-bdde-4d5f-a256-51d68d8b1b70":{"dataType":"string","isBucketed":true,"label":"Top values of dns.response_code.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"c6fde411-1a4b-4043-b524-ed9206751def","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"dns.response_code.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.dns"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.dns"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["619fcfb3-515d-4d46-91b1-180e6eb20707","7627e286-be1b-45a4-b5e0-489275fb0363","0e0eebca-a16b-4e7b-a965-a993f9e28fd2","f2a00ef4-bdde-4d5f-a256-51d68d8b1b70","c6fde411-1a4b-4043-b524-ed9206751def"],"layerId":"61dcebc3-b142-4467-aba1-328c6f85ad5c"}]}},"title":"DNS_Connection ","visualizationType":"lnsDatatable"},"id":"2a25af60-72d7-11eb-b523-61a1ce23c93c","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-61dcebc3-b142-4467-aba1-328c6f85ad5c","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-19T17:23:21.558Z","version":"WzYyNDQsMl0="}
 9 | {"attributes":{"description":"PLC ","state":{"datasourceStates":{"indexpattern":{"layers":{"e44779a2-31e7-403f-8567-d0166ad67e8b":{"columnOrder":["58d4b82d-b0e7-4257-ad86-5b40347e25d8","6eb9017c-4490-4525-ab9c-e5b7fa17d532","778e6a08-4099-4f74-833b-ce8443593401","9fe9685d-99c1-49e1-a9e3-465d004c780a","d4c02b3e-3374-4e23-ab1e-b17adc46d66f"],"columns":{"58d4b82d-b0e7-4257-ad86-5b40347e25d8":{"dataType":"string","isBucketed":true,"label":"Top values of source.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9fe9685d-99c1-49e1-a9e3-465d004c780a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip.keyword"},"6eb9017c-4490-4525-ab9c-e5b7fa17d532":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9fe9685d-99c1-49e1-a9e3-465d004c780a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip.keyword"},"778e6a08-4099-4f74-833b-ce8443593401":{"dataType":"string","isBucketed":true,"label":"Top values of zeek.snmp.display_string.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9fe9685d-99c1-49e1-a9e3-465d004c780a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"zeek.snmp.display_string.keyword"},"9fe9685d-99c1-49e1-a9e3-465d004c780a":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"d4c02b3e-3374-4e23-ab1e-b17adc46d66f":{"dataType":"number","isBucketed":false,"label":"Average of destination.port","operationType":"avg","scale":"ratio","sourceField":"destination.port"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.snmp"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.snmp"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["58d4b82d-b0e7-4257-ad86-5b40347e25d8","6eb9017c-4490-4525-ab9c-e5b7fa17d532","778e6a08-4099-4f74-833b-ce8443593401","9fe9685d-99c1-49e1-a9e3-465d004c780a","d4c02b3e-3374-4e23-ab1e-b17adc46d66f"],"layerId":"e44779a2-31e7-403f-8567-d0166ad67e8b"}]}},"title":"snmp_connection PLC","visualizationType":"lnsDatatable"},"id":"e4c77c70-72e8-11eb-b523-61a1ce23c93c","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-e44779a2-31e7-403f-8567-d0166ad67e8b","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-19T19:30:16.119Z","version":"Wzg5MjIsMl0="}
10 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"71b14e34-90c8-43e4-ba0f-74e7887c83cf":{"columnOrder":["1157048d-1fa2-488d-ae99-f54a02c03086","97c23432-2cda-4533-bc87-1becd9f3cb32","a12b5af2-cc7c-4080-869d-d6e3d611d57d","bd0c0ffd-3c32-4a2e-ab80-36dcf1ab9876"],"columns":{"1157048d-1fa2-488d-ae99-f54a02c03086":{"dataType":"string","isBucketed":true,"label":"Top values of source.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"bd0c0ffd-3c32-4a2e-ab80-36dcf1ab9876","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip.keyword"},"97c23432-2cda-4533-bc87-1becd9f3cb32":{"dataType":"string","isBucketed":true,"label":"Top values of destination.ip.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"bd0c0ffd-3c32-4a2e-ab80-36dcf1ab9876","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip.keyword"},"a12b5af2-cc7c-4080-869d-d6e3d611d57d":{"dataType":"string","isBucketed":true,"label":"Top values of zeek.ssl.subject.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"bd0c0ffd-3c32-4a2e-ab80-36dcf1ab9876","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"zeek.ssl.subject.keyword"},"bd0c0ffd-3c32-4a2e-ab80-36dcf1ab9876":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.ssl"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.ssl"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["1157048d-1fa2-488d-ae99-f54a02c03086","97c23432-2cda-4533-bc87-1becd9f3cb32","a12b5af2-cc7c-4080-869d-d6e3d611d57d","bd0c0ffd-3c32-4a2e-ab80-36dcf1ab9876"],"layerId":"71b14e34-90c8-43e4-ba0f-74e7887c83cf"}]}},"title":"SSL_connection","visualizationType":"lnsDatatable"},"id":"4e06aa00-72ec-11eb-b523-61a1ce23c93c","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-71b14e34-90c8-43e4-ba0f-74e7887c83cf","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-19T19:54:41.184Z","version":"Wzk0NjMsMl0="}
11 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"a105171e-b6b8-4396-8076-5564f9b94977":{"columnOrder":["1542d07e-8237-41d6-9e3f-da96a97abdd9","6c5b30f3-359c-4c71-b0c3-96a06107fa10","d79aeb59-9a1f-4f73-b3fe-7e533c4d0054","8587d756-48e2-4f57-9441-da54efc7796a"],"columns":{"1542d07e-8237-41d6-9e3f-da96a97abdd9":{"dataType":"string","isBucketed":true,"label":"Top values of source.address.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8587d756-48e2-4f57-9441-da54efc7796a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.address.keyword"},"6c5b30f3-359c-4c71-b0c3-96a06107fa10":{"dataType":"string","isBucketed":true,"label":"Top values of destination.address.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8587d756-48e2-4f57-9441-da54efc7796a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"destination.address.keyword"},"8587d756-48e2-4f57-9441-da54efc7796a":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"d79aeb59-9a1f-4f73-b3fe-7e533c4d0054":{"dataType":"string","isBucketed":true,"label":"Top values of network.transport.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8587d756-48e2-4f57-9441-da54efc7796a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"network.transport.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.dataset.keyword","negate":false,"params":{"query":"zeek.connection"},"type":"phrase"},"query":{"match_phrase":{"event.dataset.keyword":"zeek.connection"}}}],"query":{"language":"kuery","query":"icmp"},"visualization":{"layers":[{"columns":["1542d07e-8237-41d6-9e3f-da96a97abdd9","6c5b30f3-359c-4c71-b0c3-96a06107fa10","d79aeb59-9a1f-4f73-b3fe-7e533c4d0054","8587d756-48e2-4f57-9441-da54efc7796a"],"layerId":"a105171e-b6b8-4396-8076-5564f9b94977"}]}},"title":"ICMP-Connection","visualizationType":"lnsDatatable"},"id":"39cf9000-7536-11eb-8002-c73037b472f1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-a105171e-b6b8-4396-8076-5564f9b94977","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-02-22T17:48:52.352Z","version":"Wzk4NDQsNF0="}
12 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":19,\"h\":17,\"i\":\"036501c1-1c5d-413c-a44c-dcc896a2a2ee\"},\"panelIndex\":\"036501c1-1c5d-413c-a44c-dcc896a2a2ee\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":17,\"i\":\"4e0e7f20-7176-44f9-a61a-e07890dc1da4\"},\"panelIndex\":\"4e0e7f20-7176-44f9-a61a-e07890dc1da4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":8,\"i\":\"bcdfa764-18f1-45f1-a8e2-268016e3c90d\"},\"panelIndex\":\"bcdfa764-18f1-45f1-a8e2-268016e3c90d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":8,\"i\":\"4e3682c4-77fe-4cae-832b-7a4ef174e0a8\"},\"panelIndex\":\"4e3682c4-77fe-4cae-832b-7a4ef174e0a8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":25,\"w\":24,\"h\":15,\"i\":\"62f63fb6-ef1c-47b5-8a70-0a5134224aac\"},\"panelIndex\":\"62f63fb6-ef1c-47b5-8a70-0a5134224aac\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":25,\"w\":24,\"h\":7,\"i\":\"c9765ed1-0e12-419d-a23d-cc237cb56152\"},\"panelIndex\":\"c9765ed1-0e12-419d-a23d-cc237cb56152\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":32,\"w\":24,\"h\":15,\"i\":\"19435ca7-0bb2-45d5-bf0f-482df4f99621\"},\"panelIndex\":\"19435ca7-0bb2-45d5-bf0f-482df4f99621\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":40,\"w\":24,\"h\":7,\"i\":\"efc12583-2064-4bdd-8e78-85c98034dee0\"},\"panelIndex\":\"efc12583-2064-4bdd-8e78-85c98034dee0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":24,\"h\":15,\"i\":\"26e20a48-2703-47dd-8a1c-ff7367a9a88a\"},\"panelIndex\":\"26e20a48-2703-47dd-8a1c-ff7367a9a88a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.11.1\",\"gridData\":{\"x\":24,\"y\":47,\"w\":24,\"h\":15,\"i\":\"e4d6e276-cb7f-4fa8-84f7-b7091d4f2201\"},\"panelIndex\":\"e4d6e276-cb7f-4fa8-84f7-b7091d4f2201\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"ICS_Connection_overview","version":1},"id":"adecc150-71d1-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"96236e20-71d1-11eb-9d0d-ff7b69da9dfe","name":"panel_0","type":"lens"},{"id":"20f6b790-71d3-11eb-9d0d-ff7b69da9dfe","name":"panel_1","type":"lens"},{"id":"351c61b0-71d4-11eb-9d0d-ff7b69da9dfe","name":"panel_2","type":"lens"},{"id":"16e56df0-72af-11eb-b523-61a1ce23c93c","name":"panel_3","type":"lens"},{"id":"e134a8a0-72af-11eb-b523-61a1ce23c93c","name":"panel_4","type":"lens"},{"id":"ad3c9a60-72b1-11eb-b523-61a1ce23c93c","name":"panel_5","type":"lens"},{"id":"2a25af60-72d7-11eb-b523-61a1ce23c93c","name":"panel_6","type":"lens"},{"id":"e4c77c70-72e8-11eb-b523-61a1ce23c93c","name":"panel_7","type":"lens"},{"id":"4e06aa00-72ec-11eb-b523-61a1ce23c93c","name":"panel_8","type":"lens"},{"id":"39cf9000-7536-11eb-8002-c73037b472f1","name":"panel_9","type":"lens"}],"type":"dashboard","updated_at":"2021-02-22T18:35:19.728Z","version":"WzEwNDYyLDRd"}
13 | {"exportedCount":12,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------
/Dashboards/Kape_win_log.ndjson:
--------------------------------------------------------------------------------
 1 | {"attributes":{"fieldAttrs":"{\"destination.address\":{\"count\":2},\"event.dataset\":{\"count\":17},\"zeek.ssh.auth.attempts\":{\"count\":3},\"zeek.ssh.auth.success\":{\"count\":3},\"destination.ip\":{\"count\":2},\"network.community_id\":{\"count\":2},\"source.geo.country_name\":{\"count\":3},\"source.ip\":{\"count\":2}}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat-*"},"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-05T16:32:25.313Z","version":"WzExNDk0LDRd"}
 2 | {"attributes":{"fields":"[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":31,\"name\":\"Channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"Channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Channel\"}}},{\"count\":0,\"name\":\"ChunkNumber\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"Computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"Computer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Computer\"}}},{\"count\":9,\"name\":\"EventId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"EventRecordId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"EventRecordId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"EventRecordId\"}}},{\"count\":0,\"name\":\"ExecutableInfo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"ExecutableInfo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ExecutableInfo\"}}},{\"count\":0,\"name\":\"Level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":4,\"name\":\"MapDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"MapDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"MapDescription\"}}},{\"count\":2,\"name\":\"Payload\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"Payload.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Payload\"}}},{\"count\":0,\"name\":\"PayloadData1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"PayloadData1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"PayloadData1\"}}},{\"count\":0,\"name\":\"PayloadData2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"PayloadData2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"PayloadData2\"}}},{\"count\":0,\"name\":\"PayloadData3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"PayloadData3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"PayloadData3\"}}},{\"count\":0,\"name\":\"PayloadData4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"PayloadData4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"PayloadData4\"}}},{\"count\":0,\"name\":\"PayloadData5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"PayloadData5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"PayloadData5\"}}},{\"count\":0,\"name\":\"ProcessId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"Provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"Provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Provider\"}}},{\"count\":0,\"name\":\"RecordNumber\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":2,\"name\":\"RemoteHost\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"RemoteHost.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"RemoteHost\"}}},{\"count\":0,\"name\":\"SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"SourceFile\"}}},{\"count\":0,\"name\":\"ThreadId\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"TimeCreated\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"UserId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"UserId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"UserId\"}}},{\"count\":0,\"name\":\"UserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"UserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"UserName\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"count\":4,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}}]","timeFieldName":"TimeCreated","title":"filebeat-7.10.1-2021.01.29"},"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-01-29T19:59:47.008Z","version":"WzE0NjcsMV0="}
 3 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"b50b99e1-c1a5-4b43-86c8-c58a9ea6e1de":{"columnOrder":["024748de-d7c4-4326-ac2f-92e89c9f3ebf","5dd0056c-a1d5-4a8a-bf1b-bd57259b05a6"],"columns":{"024748de-d7c4-4326-ac2f-92e89c9f3ebf":{"dataType":"string","isBucketed":true,"label":"Top values of Channel.keyword","operationType":"terms","params":{"orderBy":{"columnId":"5dd0056c-a1d5-4a8a-bf1b-bd57259b05a6","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"Channel.keyword"},"5dd0056c-a1d5-4a8a-bf1b-bd57259b05a6":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["024748de-d7c4-4326-ac2f-92e89c9f3ebf"],"layerId":"b50b99e1-c1a5-4b43-86c8-c58a9ea6e1de","legendDisplay":"show","metric":"5dd0056c-a1d5-4a8a-bf1b-bd57259b05a6","nestedLegend":false,"numberDisplay":"percent","percentDecimals":2}],"shape":"pie"}},"title":"KAPE-Win_Logs","visualizationType":"lnsPie"},"id":"018d1a80-6237-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-b50b99e1-c1a5-4b43-86c8-c58a9ea6e1de","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:46:35.513Z","version":"WzE4MTY4LDZd"}
 4 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"2bd8f4a5-8d59-4edb-a160-eb23bb878d07":{"columnOrder":["a002bade-71ab-4815-b853-c5f99c307873","8cac971f-424a-4956-a1b4-78c21dbd448c"],"columns":{"8cac971f-424a-4956-a1b4-78c21dbd448c":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"EventId","operationType":"avg","scale":"ratio","sourceField":"EventId"},"a002bade-71ab-4815-b853-c5f99c307873":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"MapDescription","operationType":"terms","params":{"orderBy":{"columnId":"8cac971f-424a-4956-a1b4-78c21dbd448c","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"MapDescription.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":"EventId: 4688 or EventId: 7045 or EventId: 4697 or EventId: 4720 or EventId: 6006 or EventId: 4726 or EventId: 1074 or EventId: 4657 or EventId:  4732 or  EventId:4728   or  EventId:4616  or  EventId:6416 or  EventId:1102 or  EventId:25 or    EventId:24 or EventId:4624   or EventId:4625 or  EventId:4634 or  EventId:4648 or  EventId:4719"},"visualization":{"layers":[{"columns":["a002bade-71ab-4815-b853-c5f99c307873","8cac971f-424a-4956-a1b4-78c21dbd448c"],"layerId":"2bd8f4a5-8d59-4edb-a160-eb23bb878d07"}]}},"title":"Interesting_Event","visualizationType":"lnsDatatable"},"id":"db03fcf0-6266-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-2bd8f4a5-8d59-4edb-a160-eb23bb878d07","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:46:44.739Z","version":"WzE4MTk5LDZd"}
 5 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"9fa322a6-64ca-4112-a717-7fbd15c83526":{"columnOrder":["c4e97f65-d02d-4772-a1ad-ae40870a08c0","40852f67-4da2-48d0-b58c-e5ad37aa3cbd"],"columns":{"40852f67-4da2-48d0-b58c-e5ad37aa3cbd":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"c4e97f65-d02d-4772-a1ad-ae40870a08c0":{"dataType":"string","isBucketed":true,"label":"Top values of PayloadData1.keyword","operationType":"terms","params":{"orderBy":{"columnId":"40852f67-4da2-48d0-b58c-e5ad37aa3cbd","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"PayloadData1.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Channel.keyword","negate":false,"params":{"query":"Windows PowerShell"},"type":"phrase"},"query":{"match_phrase":{"Channel.keyword":"Windows PowerShell"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["c4e97f65-d02d-4772-a1ad-ae40870a08c0","40852f67-4da2-48d0-b58c-e5ad37aa3cbd"],"layerId":"9fa322a6-64ca-4112-a717-7fbd15c83526"}]}},"title":"Powershell","visualizationType":"lnsDatatable"},"id":"c6f98450-6257-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-9fa322a6-64ca-4112-a717-7fbd15c83526","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:46:54.549Z","version":"WzE4MjI5LDZd"}
 6 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"ebcfcef2-f402-483d-a84b-4db4da603b43":{"columnOrder":["3a7662d4-d037-45b7-a7c1-f78302b06f5b","f08bafe4-a628-41af-b05b-9ad695ed6bf7"],"columns":{"3a7662d4-d037-45b7-a7c1-f78302b06f5b":{"dataType":"string","isBucketed":true,"label":"Top values of MapDescription.keyword","operationType":"terms","params":{"orderBy":{"columnId":"f08bafe4-a628-41af-b05b-9ad695ed6bf7","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"MapDescription.keyword"},"f08bafe4-a628-41af-b05b-9ad695ed6bf7":{"dataType":"number","isBucketed":false,"label":"Average of EventId","operationType":"avg","scale":"ratio","sourceField":"EventId"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Channel.keyword","negate":false,"params":{"query":"Security"},"type":"phrase"},"query":{"match_phrase":{"Channel.keyword":"Security"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["3a7662d4-d037-45b7-a7c1-f78302b06f5b","f08bafe4-a628-41af-b05b-9ad695ed6bf7"],"layerId":"ebcfcef2-f402-483d-a84b-4db4da603b43"}]}},"title":"Event_Description","visualizationType":"lnsDatatable"},"id":"b5824dd0-6255-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-ebcfcef2-f402-483d-a84b-4db4da603b43","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:47:02.235Z","version":"WzE4MjU0LDZd"}
 7 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"c19bb447-3316-49d1-98c2-55864282f288":{"columnOrder":["6c6c97df-182c-46f4-9d12-94b10f3669e0","95980733-d6f9-429c-95df-d1d478e7522e"],"columns":{"6c6c97df-182c-46f4-9d12-94b10f3669e0":{"dataType":"string","isBucketed":true,"label":"Top values of MapDescription.keyword","operationType":"terms","params":{"orderBy":{"columnId":"95980733-d6f9-429c-95df-d1d478e7522e","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"MapDescription.keyword"},"95980733-d6f9-429c-95df-d1d478e7522e":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Channel.keyword","negate":false,"params":{"query":"Microsoft-Windows-Windows Defender/Operational"},"type":"phrase"},"query":{"match_phrase":{"Channel.keyword":"Microsoft-Windows-Windows Defender/Operational"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["6c6c97df-182c-46f4-9d12-94b10f3669e0"],"layerId":"c19bb447-3316-49d1-98c2-55864282f288","legendDisplay":"show","metric":"95980733-d6f9-429c-95df-d1d478e7522e","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Windows Defender","visualizationType":"lnsPie"},"id":"5756b110-625a-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-c19bb447-3316-49d1-98c2-55864282f288","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:47:29.531Z","version":"WzE4MzAxLDZd"}
 8 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"44d403ee-5733-4c82-abc5-eb601b0c4b19":{"columnOrder":["09fc7f8c-b6e0-4f5b-87cf-2531c1270d5a","7abdb44d-396b-4f27-a443-e5caf1c024c9"],"columns":{"09fc7f8c-b6e0-4f5b-87cf-2531c1270d5a":{"dataType":"string","isBucketed":true,"label":"Top values of PayloadData1.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7abdb44d-396b-4f27-a443-e5caf1c024c9","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"PayloadData1.keyword"},"7abdb44d-396b-4f27-a443-e5caf1c024c9":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Channel.keyword","negate":false,"params":{"query":"Microsoft-Windows-Windows Defender/Operational"},"type":"phrase"},"query":{"match_phrase":{"Channel.keyword":"Microsoft-Windows-Windows Defender/Operational"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":false,"yRight":true},"layers":[{"accessors":["7abdb44d-396b-4f27-a443-e5caf1c024c9"],"layerId":"44d403ee-5733-4c82-abc5-eb601b0c4b19","seriesType":"bar_horizontal","xAccessor":"09fc7f8c-b6e0-4f5b-87cf-2531c1270d5a"}],"legend":{"isVisible":true,"position":"right","showSingleSeries":false},"preferredSeriesType":"bar_horizontal","tickLabelsVisibilitySettings":{"x":true,"yLeft":false,"yRight":true}}},"title":"Defender_data_payload","visualizationType":"lnsXY"},"id":"eb96b2c0-625b-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-44d403ee-5733-4c82-abc5-eb601b0c4b19","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:47:54.514Z","version":"WzE4MzM4LDZd"}
 9 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"3e817f4c-23db-4000-be25-5d36142e41c7":{"columnOrder":["f14e5d8b-c7a9-4c48-a9dd-97db683e18da","10513981-d54c-4dab-bae9-3c325ac37a10"],"columns":{"10513981-d54c-4dab-bae9-3c325ac37a10":{"dataType":"number","isBucketed":false,"label":"Average of EventId","operationType":"avg","scale":"ratio","sourceField":"EventId"},"f14e5d8b-c7a9-4c48-a9dd-97db683e18da":{"dataType":"string","isBucketed":true,"label":"Top values of MapDescription.keyword","operationType":"terms","params":{"orderBy":{"columnId":"10513981-d54c-4dab-bae9-3c325ac37a10","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"MapDescription.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Channel.keyword","negate":false,"params":{"query":"System"},"type":"phrase"},"query":{"match_phrase":{"Channel.keyword":"System"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["f14e5d8b-c7a9-4c48-a9dd-97db683e18da","10513981-d54c-4dab-bae9-3c325ac37a10"],"layerId":"3e817f4c-23db-4000-be25-5d36142e41c7"}]}},"title":"System_logs","visualizationType":"lnsDatatable"},"id":"8a10b580-6262-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-3e817f4c-23db-4000-be25-5d36142e41c7","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:48:20.765Z","version":"WzE4Mzc5LDZd"}
10 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"d29d81af-c349-49f6-94ab-87ad720798b9":{"columnOrder":["7303768f-e3fd-486e-9328-0ae7e7c3929e","a826148b-b8ee-41c8-934a-ed03122a62a0","6027ca24-8d10-4edd-b692-fa5baf5b6308"],"columns":{"6027ca24-8d10-4edd-b692-fa5baf5b6308":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"7303768f-e3fd-486e-9328-0ae7e7c3929e":{"dataType":"string","isBucketed":true,"label":"Top values of RemoteHost.keyword","operationType":"terms","params":{"orderBy":{"columnId":"6027ca24-8d10-4edd-b692-fa5baf5b6308","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"RemoteHost.keyword"},"a826148b-b8ee-41c8-934a-ed03122a62a0":{"dataType":"string","isBucketed":true,"label":"Top values of MapDescription.keyword","operationType":"terms","params":{"orderBy":{"type":"alphabetical"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"MapDescription.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"Channel.keyword","negate":true,"params":{"query":"Microsoft-Windows-Sysmon/Operational"},"type":"phrase"},"query":{"match_phrase":{"Channel.keyword":"Microsoft-Windows-Sysmon/Operational"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["7303768f-e3fd-486e-9328-0ae7e7c3929e","a826148b-b8ee-41c8-934a-ed03122a62a0","6027ca24-8d10-4edd-b692-fa5baf5b6308"],"layerId":"d29d81af-c349-49f6-94ab-87ad720798b9"}]}},"title":"Index_data","visualizationType":"lnsDatatable"},"id":"0f0f3750-6260-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-d29d81af-c349-49f6-94ab-87ad720798b9","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:48:48.260Z","version":"WzE4NDE1LDZd"}
11 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"bb904e6a-95c7-4dd6-96f6-1fa4ed4c6317":{"columnOrder":["73ecd30c-1ac1-4d32-bf24-c815654ec9f3"],"columns":{"73ecd30c-1ac1-4d32-bf24-c815654ec9f3":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/winlog/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/winlog/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"accessor":"73ecd30c-1ac1-4d32-bf24-c815654ec9f3","layerId":"bb904e6a-95c7-4dd6-96f6-1fa4ed4c6317"}},"title":"Event_Count","visualizationType":"lnsMetric"},"id":"493b74d0-626e-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"b5f39d70-71d0-11eb-9d0d-ff7b69da9dfe","name":"indexpattern-datasource-layer-bb904e6a-95c7-4dd6-96f6-1fa4ed4c6317","type":"index-pattern"},{"id":"18fad5a0-6236-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-10T16:46:24.696Z","version":"WzE4MTM5LDZd"}
12 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.1\",\"gridData\":{\"h\":16,\"i\":\"54173abb-0f32-4e90-946e-2e26413c0d2b\",\"w\":21,\"x\":0,\"y\":0},\"panelIndex\":\"54173abb-0f32-4e90-946e-2e26413c0d2b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":16,\"i\":\"84db820b-00eb-4082-bf3b-10b7a9923c9a\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"84db820b-00eb-4082-bf3b-10b7a9923c9a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":16,\"i\":\"c619833d-6482-494f-9d44-383b63dcf0c8\",\"w\":21,\"x\":0,\"y\":16},\"panelIndex\":\"c619833d-6482-494f-9d44-383b63dcf0c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":16,\"i\":\"097d25c0-f807-4402-837b-4d4e0b89d9a5\",\"w\":27,\"x\":21,\"y\":16},\"panelIndex\":\"097d25c0-f807-4402-837b-4d4e0b89d9a5\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Sec_event_Description\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":17,\"i\":\"9fa87fc2-3c1a-47bd-acdb-63c71e666b16\",\"w\":21,\"x\":0,\"y\":32},\"panelIndex\":\"9fa87fc2-3c1a-47bd-acdb-63c71e666b16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":17,\"i\":\"d1fb97d8-f158-42a9-870f-35931cd6789f\",\"w\":27,\"x\":21,\"y\":32},\"panelIndex\":\"d1fb97d8-f158-42a9-870f-35931cd6789f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"85c6c9a2-dea8-4595-9e62-65a3452673a9\",\"w\":21,\"x\":0,\"y\":49},\"panelIndex\":\"85c6c9a2-dea8-4595-9e62-65a3452673a9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":15,\"i\":\"ce2c77a9-1bfe-4a55-8d09-ee55f7e0be69\",\"w\":27,\"x\":21,\"y\":49},\"panelIndex\":\"ce2c77a9-1bfe-4a55-8d09-ee55f7e0be69\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Remote_Host\",\"panelRefName\":\"panel_7\"},{\"version\":\"7.11.1\",\"gridData\":{\"h\":16,\"i\":\"ad050438-ca8a-4b44-b330-b9ae5a77df8c\",\"w\":10,\"x\":21,\"y\":0},\"panelIndex\":\"ad050438-ca8a-4b44-b330-b9ae5a77df8c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"KAPE-Win_Logs","version":1},"id":"75d92320-6237-11eb-b17f-e364fcb47ac1","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"018d1a80-6237-11eb-b17f-e364fcb47ac1","name":"panel_0","type":"lens"},{"id":"db03fcf0-6266-11eb-b17f-e364fcb47ac1","name":"panel_1","type":"lens"},{"id":"c6f98450-6257-11eb-b17f-e364fcb47ac1","name":"panel_2","type":"lens"},{"id":"b5824dd0-6255-11eb-b17f-e364fcb47ac1","name":"panel_3","type":"lens"},{"id":"5756b110-625a-11eb-b17f-e364fcb47ac1","name":"panel_4","type":"lens"},{"id":"eb96b2c0-625b-11eb-b17f-e364fcb47ac1","name":"panel_5","type":"lens"},{"id":"8a10b580-6262-11eb-b17f-e364fcb47ac1","name":"panel_6","type":"lens"},{"id":"0f0f3750-6260-11eb-b17f-e364fcb47ac1","name":"panel_7","type":"lens"},{"id":"493b74d0-626e-11eb-b17f-e364fcb47ac1","name":"panel_8","type":"lens"}],"type":"dashboard","updated_at":"2021-03-10T16:48:57.543Z","version":"WzE4NDM0LDZd"}
13 | {"exportedCount":12,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------
/Dashboards/NTFS_timeline.ndjson:
--------------------------------------------------------------------------------
 1 | {"attributes":{"fieldAttrs":"{\"MACB\":{\"count\":15}}","fields":"[]","timeFieldName":"@timestamp","title":"filebeat*"},"id":"8f009ee0-8335-11eb-a744-3f309b56c443","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-03-27T15:14:00.039Z","version":"WzQ4NzYsN10="}
 2 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"03a48b1d-f5ad-42c8-81a3-cb171a2859f2":{"columnOrder":["59e8f841-6d78-4da6-a056-63dabeb5297b","bfdebade-f945-4d2a-b57a-208b2c7634c0"],"columns":{"59e8f841-6d78-4da6-a056-63dabeb5297b":{"dataType":"string","isBucketed":true,"label":"Top values of timestamp.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"bfdebade-f945-4d2a-b57a-208b2c7634c0","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"timestamp.keyword"},"bfdebade-f945-4d2a-b57a-208b2c7634c0":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","params":{},"scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"layers":[{"accessors":["bfdebade-f945-4d2a-b57a-208b2c7634c0"],"layerId":"03a48b1d-f5ad-42c8-81a3-cb171a2859f2","position":"top","seriesType":"bar_stacked","showGridlines":false,"xAccessor":"59e8f841-6d78-4da6-a056-63dabeb5297b"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide"}},"title":"Timeline","visualizationType":"lnsXY"},"id":"914416f0-8f01-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-03a48b1d-f5ad-42c8-81a3-cb171a2859f2","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T13:37:25.983Z","version":"WzI4NTMsN10="}
 3 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"df6f408f-8bb8-4334-8456-084094f3ddbb":{"columnOrder":["36c59d5c-0b3c-446d-b236-d914270a3c75"],"columns":{"36c59d5c-0b3c-446d-b236-d914270a3c75":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}}],"query":{"language":"kuery","query":"*"},"visualization":{"accessor":"36c59d5c-0b3c-446d-b236-d914270a3c75","layerId":"df6f408f-8bb8-4334-8456-084094f3ddbb"}},"title":"Total_Count","visualizationType":"lnsMetric"},"id":"ef2aacb0-8f02-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-df6f408f-8bb8-4334-8456-084094f3ddbb","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T13:47:13.019Z","version":"WzI5MzYsN10="}
 4 | {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"NTFS_Timestamp","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NTFS_Timestamp\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"## NTFS Timestamp\\n| MACB | Definition|\\n|--|--|\\n|M| Data content change time  (Time the data content of a file was last modified) | \\n|A| Data Last Access Time         (Approximate time when the file data was last accessed) |\\n|C| metadata change Time          (file size change)|\\n|B| Metadata Creation Time          (file creation) |\\n\\n![alt text](https://github.com/Maboalenen/DFIR/blob/main/NTFS..png?raw=true)\",\"openLinksInNewTab\":false}}"},"id":"ceb1dd20-8f0a-11eb-ac1a-9b73012977ea","migrationVersion":{"visualization":"7.11.0"},"references":[],"type":"visualization","updated_at":"2021-03-27T14:54:18.736Z","version":"WzM5NjMsN10="}
 5 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"41a13ee9-7744-4853-a71c-7dbc99476eec":{"columnOrder":["c9bb61aa-cf01-4ec7-b62b-d3ca4a3694d8","acb24030-f475-44d1-a76e-588660599a9d"],"columns":{"acb24030-f475-44d1-a76e-588660599a9d":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"c9bb61aa-cf01-4ec7-b62b-d3ca4a3694d8":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"acb24030-f475-44d1-a76e-588660599a9d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["c9bb61aa-cf01-4ec7-b62b-d3ca4a3694d8"],"layerId":"41a13ee9-7744-4853-a71c-7dbc99476eec","legendDisplay":"show","metric":"acb24030-f475-44d1-a76e-588660599a9d","nestedLegend":false,"numberDisplay":"percent","percentDecimals":2}],"palette":{"name":"kibana_palette","type":"palette"},"shape":"donut"}},"title":"MACB","visualizationType":"lnsPie"},"id":"ee146fd0-8f04-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-41a13ee9-7744-4853-a71c-7dbc99476eec","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T14:58:47.294Z","version":"WzQwNzMsN10="}
 6 | {"attributes":{"description":"Approximate time when the file data was last accessed ","state":{"datasourceStates":{"indexpattern":{"layers":{"add01a57-ec1e-4349-a162-e7d3f48f4ffc":{"columnOrder":["93df26a8-09e8-48a4-9607-c2714b03a51b","0befaa59-424a-42e9-8754-39f45a91c358","ea6abec8-389d-4a47-aa77-a664020ed6b4"],"columns":{"0befaa59-424a-42e9-8754-39f45a91c358":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ea6abec8-389d-4a47-aa77-a664020ed6b4","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"},"93df26a8-09e8-48a4-9607-c2714b03a51b":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ea6abec8-389d-4a47-aa77-a664020ed6b4","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"ea6abec8-389d-4a47-aa77-a664020ed6b4":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":".A.."},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":".A.."}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["93df26a8-09e8-48a4-9607-c2714b03a51b","0befaa59-424a-42e9-8754-39f45a91c358","ea6abec8-389d-4a47-aa77-a664020ed6b4"],"layerId":"add01a57-ec1e-4349-a162-e7d3f48f4ffc"}]}},"title":"Data_Last_Access","visualizationType":"lnsDatatable"},"id":"aeb70da0-8f06-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-add01a57-ec1e-4349-a162-e7d3f48f4ffc","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T14:14:02.874Z","version":"WzMzNjksN10="}
 7 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"a7c72f6d-b490-4f6b-819e-3ac57157a88d":{"columnOrder":["4ed05265-f9ae-4e63-a939-d882fbad378c","bc12f45d-7bcc-471e-adaa-7d8ec80e3342","f9e44b22-d58a-4156-8a24-78ee9096f057"],"columns":{"4ed05265-f9ae-4e63-a939-d882fbad378c":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f9e44b22-d58a-4156-8a24-78ee9096f057","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"bc12f45d-7bcc-471e-adaa-7d8ec80e3342":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f9e44b22-d58a-4156-8a24-78ee9096f057","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"},"f9e44b22-d58a-4156-8a24-78ee9096f057":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":"..C."},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":"..C."}}}],"query":{"language":"kuery","query":"*.exe OR *.aspx OR *.txt OR *.dll"},"visualization":{"layers":[{"columns":["4ed05265-f9ae-4e63-a939-d882fbad378c","bc12f45d-7bcc-471e-adaa-7d8ec80e3342","f9e44b22-d58a-4156-8a24-78ee9096f057"],"layerId":"a7c72f6d-b490-4f6b-819e-3ac57157a88d"}]}},"title":"Metadata_Change_Time  ","visualizationType":"lnsDatatable"},"id":"134e21d0-8f08-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-a7c72f6d-b490-4f6b-819e-3ac57157a88d","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T16:05:56.610Z","version":"WzY2OTAsN10="}
 8 | {"attributes":{"description":"Time the data content of a file was last modified","state":{"datasourceStates":{"indexpattern":{"layers":{"70f76b86-9bd5-4975-9f1d-ea229a79baae":{"columnOrder":["82645622-5ffa-4d54-a507-1129f59339a3","4e68e64d-ddf8-4fa9-8a2d-2021537c1de7","84d42e11-2785-44fa-9566-e68be6b3980e"],"columns":{"4e68e64d-ddf8-4fa9-8a2d-2021537c1de7":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"84d42e11-2785-44fa-9566-e68be6b3980e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"},"82645622-5ffa-4d54-a507-1129f59339a3":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"84d42e11-2785-44fa-9566-e68be6b3980e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"84d42e11-2785-44fa-9566-e68be6b3980e":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":"M..."},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":"M..."}}}],"query":{"language":"kuery","query":"wwwroot*"},"visualization":{"layers":[{"columns":["82645622-5ffa-4d54-a507-1129f59339a3","4e68e64d-ddf8-4fa9-8a2d-2021537c1de7","84d42e11-2785-44fa-9566-e68be6b3980e"],"layerId":"70f76b86-9bd5-4975-9f1d-ea229a79baae"}]}},"title":"M_Data_content_change_time","visualizationType":"lnsDatatable"},"id":"14a474f0-8f06-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-70f76b86-9bd5-4975-9f1d-ea229a79baae","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T14:09:44.383Z","version":"WzMyNjQsN10="}
 9 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"0b354db7-b741-4d28-b864-abad6a1c6c3e":{"columnOrder":["0e3d4f72-f495-412e-9280-2e1ad5af0ba9","f2b3b7d7-7680-4f29-affd-9cbc63b7dd0d","6ea298ca-53fe-4b0f-8d85-f54dd27b067e"],"columns":{"0e3d4f72-f495-412e-9280-2e1ad5af0ba9":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"6ea298ca-53fe-4b0f-8d85-f54dd27b067e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"6ea298ca-53fe-4b0f-8d85-f54dd27b067e":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"f2b3b7d7-7680-4f29-affd-9cbc63b7dd0d":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"6ea298ca-53fe-4b0f-8d85-f54dd27b067e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":"MA.."},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":"MA.."}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["0e3d4f72-f495-412e-9280-2e1ad5af0ba9","f2b3b7d7-7680-4f29-affd-9cbc63b7dd0d","6ea298ca-53fe-4b0f-8d85-f54dd27b067e"],"layerId":"0b354db7-b741-4d28-b864-abad6a1c6c3e"}]}},"title":"MA","visualizationType":"lnsDatatable"},"id":"c1f0c260-8f0d-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-0b354db7-b741-4d28-b864-abad6a1c6c3e","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T15:04:41.606Z","version":"WzQzMTEsN10="}
10 | {"attributes":{"description":"B- Metadata Creation Time  (file creation)\nTime file was created in the volume/directory \n","state":{"datasourceStates":{"indexpattern":{"layers":{"7cc47b50-a7a1-4dc7-ac84-7b54158c0c9e":{"columnOrder":["ac8a4dd6-71b4-402f-83a5-5553bd50d54e","e68d6943-c99c-4317-b985-1a22c0428483","65058c31-9178-4b9e-9d70-ce4245423733"],"columns":{"65058c31-9178-4b9e-9d70-ce4245423733":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"ac8a4dd6-71b4-402f-83a5-5553bd50d54e":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"65058c31-9178-4b9e-9d70-ce4245423733","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"e68d6943-c99c-4317-b985-1a22c0428483":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"65058c31-9178-4b9e-9d70-ce4245423733","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":"...B"},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":"...B"}}}],"query":{"language":"kuery","query":"*"},"visualization":{"layers":[{"columns":["ac8a4dd6-71b4-402f-83a5-5553bd50d54e","e68d6943-c99c-4317-b985-1a22c0428483","65058c31-9178-4b9e-9d70-ce4245423733"],"layerId":"7cc47b50-a7a1-4dc7-ac84-7b54158c0c9e"}]}},"title":"B-file creation","visualizationType":"lnsDatatable"},"id":"60b26860-8f07-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-7cc47b50-a7a1-4dc7-ac84-7b54158c0c9e","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T14:19:01.478Z","version":"WzM1MzIsN10="}
11 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"2c36ec72-3cb4-4ffb-9be7-6f977e482233":{"columnOrder":["f8c2795e-5c65-446a-9540-08e50320ce09","78a590ab-6f9a-4d34-abab-b4c412aacd84","b6a1e3ea-a1cb-4837-a4f1-1a0e769e673c"],"columns":{"78a590ab-6f9a-4d34-abab-b4c412aacd84":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"b6a1e3ea-a1cb-4837-a4f1-1a0e769e673c","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"},"b6a1e3ea-a1cb-4837-a4f1-1a0e769e673c":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"f8c2795e-5c65-446a-9540-08e50320ce09":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"b6a1e3ea-a1cb-4837-a4f1-1a0e769e673c","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":"MA.B"},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":"MA.B"}}}],"query":{"language":"kuery","query":"*exe OR *.aspx "},"visualization":{"layers":[{"columns":["f8c2795e-5c65-446a-9540-08e50320ce09","78a590ab-6f9a-4d34-abab-b4c412aacd84","b6a1e3ea-a1cb-4837-a4f1-1a0e769e673c"],"layerId":"2c36ec72-3cb4-4ffb-9be7-6f977e482233"}]}},"title":"MA.B","visualizationType":"lnsDatatable"},"id":"9cb84c10-8f0e-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-2c36ec72-3cb4-4ffb-9be7-6f977e482233","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T16:08:07.232Z","version":"WzY4NTUsN10="}
12 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9573f45d-105f-4a93-bd9b-94e9e2814152":{"columnOrder":["0a4c1792-c8d2-4dec-b2ae-7a7270b6c137","d460152e-7b28-4219-83bf-003a7a671850","ba3c46cd-98bc-442d-9a1b-e6ede22e74b1"],"columns":{"0a4c1792-c8d2-4dec-b2ae-7a7270b6c137":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ba3c46cd-98bc-442d-9a1b-e6ede22e74b1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"ba3c46cd-98bc-442d-9a1b-e6ede22e74b1":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"d460152e-7b28-4219-83bf-003a7a671850":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ba3c46cd-98bc-442d-9a1b-e6ede22e74b1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB.keyword","negate":false,"params":{"query":"M..B"},"type":"phrase"},"query":{"match_phrase":{"MACB.keyword":"M..B"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["0a4c1792-c8d2-4dec-b2ae-7a7270b6c137","d460152e-7b28-4219-83bf-003a7a671850","ba3c46cd-98bc-442d-9a1b-e6ede22e74b1"],"layerId":"9573f45d-105f-4a93-bd9b-94e9e2814152"}]}},"title":"AB","visualizationType":"lnsDatatable"},"id":"147d1d30-8f0e-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-9573f45d-105f-4a93-bd9b-94e9e2814152","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T15:07:00.099Z","version":"WzQ0NTQsN10="}
13 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"7e2f7585-97d8-401c-8190-c3390d7fd548":{"columnOrder":["86e4ee9a-2475-4be0-892d-297d4256b7d9","90c3fb35-a45e-45e5-ab3e-aacd82d8bb81","f583c0f9-c110-4431-a068-4db0460ba3af"],"columns":{"86e4ee9a-2475-4be0-892d-297d4256b7d9":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f583c0f9-c110-4431-a068-4db0460ba3af","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"90c3fb35-a45e-45e5-ab3e-aacd82d8bb81":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f583c0f9-c110-4431-a068-4db0460ba3af","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"},"f583c0f9-c110-4431-a068-4db0460ba3af":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB","negate":false,"params":{"query":"M.C."},"type":"phrase"},"query":{"match_phrase":{"MACB":"M.C."}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["86e4ee9a-2475-4be0-892d-297d4256b7d9","90c3fb35-a45e-45e5-ab3e-aacd82d8bb81","f583c0f9-c110-4431-a068-4db0460ba3af"],"layerId":"7e2f7585-97d8-401c-8190-c3390d7fd548"}]}},"title":"MAC.","visualizationType":"lnsDatatable"},"id":"bdce7e00-8f0f-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-7e2f7585-97d8-401c-8190-c3390d7fd548","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T15:22:44.776Z","version":"WzUzMDAsN10="}
14 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"f7b7cb87-074d-4c73-9556-abfefd11f797":{"columnOrder":["b6e375c1-987a-45ea-8758-595ab56b3844","26e0e134-9bbd-49d1-9ad5-3a4fd42e5f6c","6823a099-6b10-4d27-b2c8-c1764fe9cab4"],"columns":{"26e0e134-9bbd-49d1-9ad5-3a4fd42e5f6c":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"6823a099-6b10-4d27-b2c8-c1764fe9cab4","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"},"6823a099-6b10-4d27-b2c8-c1764fe9cab4":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"b6e375c1-987a-45ea-8758-595ab56b3844":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"6823a099-6b10-4d27-b2c8-c1764fe9cab4","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB","negate":false,"params":{"query":"MAC."},"type":"phrase"},"query":{"match_phrase":{"MACB":"MAC."}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["b6e375c1-987a-45ea-8758-595ab56b3844","26e0e134-9bbd-49d1-9ad5-3a4fd42e5f6c","6823a099-6b10-4d27-b2c8-c1764fe9cab4"],"layerId":"f7b7cb87-074d-4c73-9556-abfefd11f797"}]}},"title":"MAC.","visualizationType":"lnsDatatable"},"id":"032fd580-8f0f-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-f7b7cb87-074d-4c73-9556-abfefd11f797","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T15:13:40.568Z","version":"WzQ4MzgsN10="}
15 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"dd730255-4863-43f3-8bc8-b661bac06d10":{"columnOrder":["0423eb85-5dca-4910-b852-6dfaae53e984","aa37023b-ea80-4710-9ada-15280c7218eb","51b2ea7c-8df5-4c85-9b3e-775a97fc257a"],"columns":{"0423eb85-5dca-4910-b852-6dfaae53e984":{"dataType":"string","isBucketed":true,"label":"Top values of MACB.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"51b2ea7c-8df5-4c85-9b3e-775a97fc257a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"MACB.keyword"},"51b2ea7c-8df5-4c85-9b3e-775a97fc257a":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"aa37023b-ea80-4710-9ada-15280c7218eb":{"dataType":"string","isBucketed":true,"label":"Top values of desc.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"51b2ea7c-8df5-4c85-9b3e-775a97fc257a","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"desc.keyword"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"log.file.path","negate":false,"params":{"query":"/logstash/timeline/*"},"type":"phrase"},"query":{"match_phrase":{"log.file.path":"/logstash/timeline/*"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"MACB","negate":false,"params":{"query":"MACB"},"type":"phrase"},"query":{"match_phrase":{"MACB":"MACB"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["0423eb85-5dca-4910-b852-6dfaae53e984","aa37023b-ea80-4710-9ada-15280c7218eb","51b2ea7c-8df5-4c85-9b3e-775a97fc257a"],"layerId":"dd730255-4863-43f3-8bc8-b661bac06d10"}]}},"title":"MACB","visualizationType":"lnsDatatable"},"id":"af937f60-8f10-11eb-ac1a-9b73012977ea","migrationVersion":{"lens":"7.11.0"},"references":[{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"indexpattern-datasource-layer-dd730255-4863-43f3-8bc8-b661bac06d10","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"8f009ee0-8335-11eb-a744-3f309b56c443","name":"filter-index-pattern-1","type":"index-pattern"}],"type":"lens","updated_at":"2021-03-27T15:25:39.286Z","version":"WzU0OTIsN10="}
16 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.2\",\"gridData\":{\"h\":10,\"i\":\"98d4f135-8d33-41f9-9abd-547c7a526a95\",\"w\":19,\"x\":0,\"y\":0},\"panelIndex\":\"98d4f135-8d33-41f9-9abd-547c7a526a95\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_Timeline\",\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":10,\"i\":\"75053996-c705-4937-809e-cce03a821dcc\",\"w\":5,\"x\":19,\"y\":0},\"panelIndex\":\"75053996-c705-4937-809e-cce03a821dcc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":37,\"i\":\"72c9786a-3157-4f71-b7d1-92531e14be3e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"72c9786a-3157-4f71-b7d1-92531e14be3e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":14,\"i\":\"a285264b-7cb3-423b-b1b0-3e8143348f4b\",\"w\":24,\"x\":0,\"y\":10},\"panelIndex\":\"a285264b-7cb3-423b-b1b0-3e8143348f4b\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_MACB\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":13,\"i\":\"edbb3f31-8449-4709-9732-8fb14f7991b6\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"edbb3f31-8449-4709-9732-8fb14f7991b6\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_.A..\",\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"0df435cd-d2c4-4508-b24a-492baf02f609\",\"w\":24,\"x\":0,\"y\":37},\"panelIndex\":\"0df435cd-d2c4-4508-b24a-492baf02f609\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_..C.\",\"panelRefName\":\"panel_5\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"6519efec-e26c-4eea-8478-c544279e321c\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"6519efec-e26c-4eea-8478-c544279e321c\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_M...\",\"panelRefName\":\"panel_6\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"bc28b810-abff-418d-99ae-0b8c3a489467\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"bc28b810-abff-418d-99ae-0b8c3a489467\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_MA..\",\"panelRefName\":\"panel_7\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"fa80ee3f-e6be-46ee-b86c-cbd222bef932\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"fa80ee3f-e6be-46ee-b86c-cbd222bef932\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_...B\",\"panelRefName\":\"panel_8\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"dc1c559b-1921-411c-8793-b8dcf42d1516\",\"w\":24,\"x\":0,\"y\":67},\"panelIndex\":\"dc1c559b-1921-411c-8793-b8dcf42d1516\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_MA.B\",\"panelRefName\":\"panel_9\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"6c1f9ff3-7798-40dc-80bb-282139c294e4\",\"w\":24,\"x\":24,\"y\":67},\"panelIndex\":\"6c1f9ff3-7798-40dc-80bb-282139c294e4\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_M..B\",\"panelRefName\":\"panel_10\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":15,\"i\":\"b6abb863-4bdd-46f7-b19d-415ae4b6aa2e\",\"w\":24,\"x\":0,\"y\":82},\"panelIndex\":\"b6abb863-4bdd-46f7-b19d-415ae4b6aa2e\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_M.C.\",\"panelRefName\":\"panel_11\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":10,\"i\":\"b6daba10-d9c5-4547-9a0b-77af7041fe82\",\"w\":24,\"x\":24,\"y\":82},\"panelIndex\":\"b6daba10-d9c5-4547-9a0b-77af7041fe82\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"NTFS_MAC.\",\"panelRefName\":\"panel_12\"},{\"version\":\"7.11.2\",\"gridData\":{\"h\":5,\"i\":\"4978472b-d247-41a5-a0e4-8838e7177bd2\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"4978472b-d247-41a5-a0e4-8838e7177bd2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"NTFS_SuperTimeLine","version":1},"id":"b4f13ce0-8f01-11eb-ac1a-9b73012977ea","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"914416f0-8f01-11eb-ac1a-9b73012977ea","name":"panel_0","type":"lens"},{"id":"ef2aacb0-8f02-11eb-ac1a-9b73012977ea","name":"panel_1","type":"lens"},{"id":"ceb1dd20-8f0a-11eb-ac1a-9b73012977ea","name":"panel_2","type":"visualization"},{"id":"ee146fd0-8f04-11eb-ac1a-9b73012977ea","name":"panel_3","type":"lens"},{"id":"aeb70da0-8f06-11eb-ac1a-9b73012977ea","name":"panel_4","type":"lens"},{"id":"134e21d0-8f08-11eb-ac1a-9b73012977ea","name":"panel_5","type":"lens"},{"id":"14a474f0-8f06-11eb-ac1a-9b73012977ea","name":"panel_6","type":"lens"},{"id":"c1f0c260-8f0d-11eb-ac1a-9b73012977ea","name":"panel_7","type":"lens"},{"id":"60b26860-8f07-11eb-ac1a-9b73012977ea","name":"panel_8","type":"lens"},{"id":"9cb84c10-8f0e-11eb-ac1a-9b73012977ea","name":"panel_9","type":"lens"},{"id":"147d1d30-8f0e-11eb-ac1a-9b73012977ea","name":"panel_10","type":"lens"},{"id":"bdce7e00-8f0f-11eb-ac1a-9b73012977ea","name":"panel_11","type":"lens"},{"id":"032fd580-8f0f-11eb-ac1a-9b73012977ea","name":"panel_12","type":"lens"},{"id":"af937f60-8f10-11eb-ac1a-9b73012977ea","name":"panel_13","type":"lens"}],"type":"dashboard","updated_at":"2021-03-27T16:26:26.107Z","version":"WzcyMzQsN10="}
17 | {"exportedCount":16,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------
/Dashboards/Memory_forensics.ndjson:
--------------------------------------------------------------------------------
 1 | {"attributes":{"fields":"[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"Offset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"Offset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"Offset\"}}},{\"count\":0,\"name\":\"State\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"State.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"State\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"access\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"access.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"access\"}}},{\"count\":0,\"name\":\"column10\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"column10.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"column10\"}}},{\"count\":0,\"name\":\"column6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"column6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"column6\"}}},{\"count\":0,\"name\":\"column7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"column7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"column7\"}}},{\"count\":0,\"name\":\"column8\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"column8.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"column8\"}}},{\"count\":0,\"name\":\"column9\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"column9.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"column9\"}}},{\"count\":0,\"name\":\"createddate\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"createdtime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"createdtime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"createdtime\"}}},{\"count\":0,\"name\":\"csrss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"csrss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"csrss\"}}},{\"count\":0,\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"count\":0,\"name\":\"dcreated\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"deskthrd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"deskthrd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"deskthrd\"}}},{\"count\":0,\"name\":\"edata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"edata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"edata\"}}},{\"count\":0,\"name\":\"exitdate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"exitdate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"exitdate\"}}},{\"count\":0,\"name\":\"foreignaddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"foreignaddress.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"foreignaddress\"}}},{\"count\":0,\"name\":\"hnd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"hnd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hnd\"}}},{\"count\":0,\"name\":\"hnds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"hnds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hnds\"}}},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host\"}}},{\"count\":0,\"name\":\"localaddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"localaddress.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"localaddress\"}}},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"count\":0,\"name\":\"name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"name\"}}},{\"count\":0,\"name\":\"offset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"offset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"offset\"}}},{\"count\":0,\"name\":\"owner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"owner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"owner\"}}},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"count\":0,\"name\":\"pdp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"pdp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pdp\"}}},{\"count\":0,\"name\":\"pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pid\"}}},{\"count\":0,\"name\":\"ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ppid\"}}},{\"count\":0,\"name\":\"proto\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"proto.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"proto\"}}},{\"count\":0,\"name\":\"pslist\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"pslist.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pslist\"}}},{\"count\":0,\"name\":\"pspcid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"pspcid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pspcid\"}}},{\"count\":0,\"name\":\"psscan\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"psscan.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"psscan\"}}},{\"count\":0,\"name\":\"ptr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"ptr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ptr\"}}},{\"count\":0,\"name\":\"sdata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"sdata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sdata\"}}},{\"count\":0,\"name\":\"sess\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"sess.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sess\"}}},{\"count\":0,\"name\":\"session\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"session.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"session\"}}},{\"count\":0,\"name\":\"stime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"stime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"stime\"}}},{\"count\":0,\"name\":\"string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"string\"}}},{\"count\":0,\"name\":\"szun\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"szun.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"szun\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"count\":0,\"name\":\"tcreated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tcreated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tcreated\"}}},{\"count\":0,\"name\":\"thds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"thds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thds\"}}},{\"count\":0,\"name\":\"thrdproc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"thrdproc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thrdproc\"}}},{\"count\":0,\"name\":\"time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"time\"}}},{\"count\":3,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}},{\"count\":0,\"name\":\"wow64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"wow64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"wow64\"}}},{\"count\":0,\"name\":\"zcreated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"zcreated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"zcreated\"}}},{\"count\":0,\"name\":\"zone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"zone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"zone\"}}}]","timeFieldName":"@timestamp","title":"memory_vol"},"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2021-01-18T07:58:38.779Z","version":"WzUzNTksMTJd"}
 2 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"786c0e28-3c17-4667-b87a-914f76a04e80":{"columnOrder":["6dfa3148-e9d6-4158-8a6f-bde9c30de8d0","a0abd192-8a7d-47f7-9934-e9f6217d3006"],"columns":{"6dfa3148-e9d6-4158-8a6f-bde9c30de8d0":{"dataType":"string","isBucketed":true,"label":"Top values of type.keyword","operationType":"terms","params":{"orderBy":{"columnId":"a0abd192-8a7d-47f7-9934-e9f6217d3006","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"type.keyword"},"a0abd192-8a7d-47f7-9934-e9f6217d3006":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["6dfa3148-e9d6-4158-8a6f-bde9c30de8d0"],"layerId":"786c0e28-3c17-4667-b87a-914f76a04e80","legendDisplay":"show","metric":"a0abd192-8a7d-47f7-9934-e9f6217d3006","nestedLegend":false,"numberDisplay":"percent"}],"shape":"pie"}},"title":"Vol_Plugins","visualizationType":"lnsPie"},"id":"c624e9a0-596c-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-786c0e28-3c17-4667-b87a-914f76a04e80","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T09:08:48.058Z","version":"WzU5ODksMTJd"}
 3 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"1732ba8d-93ba-445d-ab02-dd5d7d8292f4":{"columnOrder":["232dc123-e245-45a5-bbe9-9bbf1d4b6257","a938dad6-c379-44b1-9f90-9e9b33f2fbe7"],"columns":{"232dc123-e245-45a5-bbe9-9bbf1d4b6257":{"dataType":"string","isBucketed":true,"label":"Top values of name.keyword","operationType":"terms","params":{"orderBy":{"columnId":"a938dad6-c379-44b1-9f90-9e9b33f2fbe7","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"name.keyword"},"a938dad6-c379-44b1-9f90-9e9b33f2fbe7":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"layers":[{"accessors":["a938dad6-c379-44b1-9f90-9e9b33f2fbe7"],"layerId":"1732ba8d-93ba-445d-ab02-dd5d7d8292f4","position":"top","seriesType":"bar_horizontal","showGridlines":false,"xAccessor":"232dc123-e245-45a5-bbe9-9bbf1d4b6257"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_horizontal","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true}}},"title":"Vol_Process","visualizationType":"lnsXY"},"id":"1aee1510-596d-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-1732ba8d-93ba-445d-ab02-dd5d7d8292f4","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T09:11:10.305Z","version":"WzYwNTEsMTJd"}
 4 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"103d1362-093f-4fea-935a-680936eb9ce3":{"columnOrder":["71cfd005-353a-401d-903b-f235b4404b7d","e897ab32-5f28-46a3-90cc-99a12889af35","f96aefb2-809f-4a5e-bd1e-d43f204eb538","58d5ee4f-fde7-4ec1-bfc3-b51723d55dfc","9097205a-dab4-4b34-a0bd-b086874f29b0"],"columns":{"58d5ee4f-fde7-4ec1-bfc3-b51723d55dfc":{"dataType":"string","isBucketed":true,"label":"Top values of ppid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"9097205a-dab4-4b34-a0bd-b086874f29b0","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"ppid.keyword"},"71cfd005-353a-401d-903b-f235b4404b7d":{"dataType":"string","isBucketed":true,"label":"Top values of Offset.keyword","operationType":"terms","params":{"orderBy":{"columnId":"9097205a-dab4-4b34-a0bd-b086874f29b0","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"Offset.keyword"},"9097205a-dab4-4b34-a0bd-b086874f29b0":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"e897ab32-5f28-46a3-90cc-99a12889af35":{"dataType":"string","isBucketed":true,"label":"Top values of name.keyword","operationType":"terms","params":{"orderBy":{"columnId":"9097205a-dab4-4b34-a0bd-b086874f29b0","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"name.keyword"},"f96aefb2-809f-4a5e-bd1e-d43f204eb538":{"dataType":"string","isBucketed":true,"label":"Top values of pid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"9097205a-dab4-4b34-a0bd-b086874f29b0","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"pid.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_pslist"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_pslist"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["71cfd005-353a-401d-903b-f235b4404b7d","e897ab32-5f28-46a3-90cc-99a12889af35","f96aefb2-809f-4a5e-bd1e-d43f204eb538","58d5ee4f-fde7-4ec1-bfc3-b51723d55dfc","9097205a-dab4-4b34-a0bd-b086874f29b0"],"layerId":"103d1362-093f-4fea-935a-680936eb9ce3"}]}},"title":"vol_pslist","visualizationType":"lnsDatatable"},"id":"64a73cb0-5966-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-103d1362-093f-4fea-935a-680936eb9ce3","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T08:23:07.515Z","version":"WzU1MjEsMTJd"}
 5 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"5da32202-b029-4a1b-b3f2-bc3ff166349a":{"columnOrder":["81e5ceb6-3df2-4ec8-9f05-329cbc6d624c","5914554e-6ac2-451d-b67f-35877d8779e2","49771327-80d2-4163-817c-71059dce4c8f","874e3a81-b005-4446-aa9a-6176640e6f12","27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987"],"columns":{"27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"49771327-80d2-4163-817c-71059dce4c8f":{"dataType":"string","isBucketed":true,"label":"Top values of pid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"pid.keyword"},"5914554e-6ac2-451d-b67f-35877d8779e2":{"dataType":"string","isBucketed":true,"label":"Top values of name.keyword","operationType":"terms","params":{"orderBy":{"columnId":"27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"name.keyword"},"81e5ceb6-3df2-4ec8-9f05-329cbc6d624c":{"dataType":"string","isBucketed":true,"label":"Top values of Offset.keyword","operationType":"terms","params":{"orderBy":{"columnId":"27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"Offset.keyword"},"874e3a81-b005-4446-aa9a-6176640e6f12":{"dataType":"string","isBucketed":true,"label":"Top values of ppid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"ppid.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_psscan"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_psscan"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["81e5ceb6-3df2-4ec8-9f05-329cbc6d624c","5914554e-6ac2-451d-b67f-35877d8779e2","49771327-80d2-4163-817c-71059dce4c8f","874e3a81-b005-4446-aa9a-6176640e6f12","27e1c6e9-8ca6-4bf2-ba1f-d0d8925b8987"],"layerId":"5da32202-b029-4a1b-b3f2-bc3ff166349a"}]}},"title":"vol_psscan","visualizationType":"lnsDatatable"},"id":"bd4cbb20-596a-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-5da32202-b029-4a1b-b3f2-bc3ff166349a","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T08:54:14.225Z","version":"WzU2NjEsMTJd"}
 6 | {"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"ca2a3b22-8cb1-47a6-84fe-aa686a3e41d2":{"columnOrder":["7e45c655-ce67-43ab-b5a2-7a6d4a41fead","438afb23-7bbb-4902-bc8e-2e6443ad4173","337862ad-2c18-4aff-a929-79d2a6b28db2"],"columns":{"337862ad-2c18-4aff-a929-79d2a6b28db2":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"438afb23-7bbb-4902-bc8e-2e6443ad4173":{"dataType":"string","isBucketed":true,"label":"Top values of string.keyword","operationType":"terms","params":{"orderBy":{"columnId":"337862ad-2c18-4aff-a929-79d2a6b28db2","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"string.keyword"},"7e45c655-ce67-43ab-b5a2-7a6d4a41fead":{"dataType":"string","isBucketed":true,"label":"Top values of offset.keyword","operationType":"terms","params":{"orderBy":{"columnId":"337862ad-2c18-4aff-a929-79d2a6b28db2","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"offset.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_strings"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_strings"}}}],"query":{"language":"kuery","query":"*.txt or mimi*"},"visualization":{"layers":[{"columns":["7e45c655-ce67-43ab-b5a2-7a6d4a41fead","438afb23-7bbb-4902-bc8e-2e6443ad4173","337862ad-2c18-4aff-a929-79d2a6b28db2"],"layerId":"ca2a3b22-8cb1-47a6-84fe-aa686a3e41d2"}]}},"title":"memory forensics","visualizationType":"lnsDatatable"},"id":"fe8f06c0-5964-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-ca2a3b22-8cb1-47a6-84fe-aa686a3e41d2","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T08:13:21.929Z","version":"WzU0NjYsMTJd"}
 7 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"b30c1b85-e5ba-45bb-a35e-7671696f45a7":{"columnOrder":["b812472b-b3a5-41a9-ab7e-6cc5b4c528b5","6e1cef23-8cf8-4e21-9556-d36174325a37","dbe94f7e-b4a9-4d41-be08-6d5a601602e5","58ecdf5d-df60-45a0-aee8-91a23b000c35"],"columns":{"58ecdf5d-df60-45a0-aee8-91a23b000c35":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"6e1cef23-8cf8-4e21-9556-d36174325a37":{"dataType":"string","isBucketed":true,"label":"Top values of access.keyword","operationType":"terms","params":{"orderBy":{"columnId":"58ecdf5d-df60-45a0-aee8-91a23b000c35","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"access.keyword"},"b812472b-b3a5-41a9-ab7e-6cc5b4c528b5":{"dataType":"string","isBucketed":true,"label":"Top values of Offset.keyword","operationType":"terms","params":{"orderBy":{"columnId":"58ecdf5d-df60-45a0-aee8-91a23b000c35","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"Offset.keyword"},"dbe94f7e-b4a9-4d41-be08-6d5a601602e5":{"dataType":"string","isBucketed":true,"label":"Top values of name.keyword","operationType":"terms","params":{"orderBy":{"columnId":"58ecdf5d-df60-45a0-aee8-91a23b000c35","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"name.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_filescan"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_filescan"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["b812472b-b3a5-41a9-ab7e-6cc5b4c528b5","6e1cef23-8cf8-4e21-9556-d36174325a37","dbe94f7e-b4a9-4d41-be08-6d5a601602e5","58ecdf5d-df60-45a0-aee8-91a23b000c35"],"layerId":"b30c1b85-e5ba-45bb-a35e-7671696f45a7"}]}},"title":"vol_filescan","visualizationType":"lnsDatatable"},"id":"1485b8a0-596c-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-b30c1b85-e5ba-45bb-a35e-7671696f45a7","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T09:03:50.057Z","version":"WzU4NDgsMTJd"}
 8 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"42a413e0-2f42-4d67-b206-feed77f09962":{"columnOrder":["75438865-178f-4f1f-9d9a-9c25207e0afc","5bcba0c7-03c9-4617-b4f6-5e0a39d76f60","62ecf187-bae5-45df-98a0-7b93d2206a1c","23955716-dd8c-4166-b06a-b2853a1dd99c"],"columns":{"23955716-dd8c-4166-b06a-b2853a1dd99c":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"5bcba0c7-03c9-4617-b4f6-5e0a39d76f60":{"dataType":"string","isBucketed":true,"label":"Top values of pid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"23955716-dd8c-4166-b06a-b2853a1dd99c","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"pid.keyword"},"62ecf187-bae5-45df-98a0-7b93d2206a1c":{"dataType":"string","isBucketed":true,"label":"Top values of ppid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"23955716-dd8c-4166-b06a-b2853a1dd99c","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"ppid.keyword"},"75438865-178f-4f1f-9d9a-9c25207e0afc":{"dataType":"string","isBucketed":true,"label":"Top values of name.keyword","operationType":"terms","params":{"orderBy":{"columnId":"23955716-dd8c-4166-b06a-b2853a1dd99c","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"name.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_pstree"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_pstree"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["75438865-178f-4f1f-9d9a-9c25207e0afc","5bcba0c7-03c9-4617-b4f6-5e0a39d76f60","62ecf187-bae5-45df-98a0-7b93d2206a1c","23955716-dd8c-4166-b06a-b2853a1dd99c"],"layerId":"42a413e0-2f42-4d67-b206-feed77f09962"}]}},"title":"vol_pstree","visualizationType":"lnsDatatable"},"id":"74507f10-596a-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-42a413e0-2f42-4d67-b206-feed77f09962","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T08:52:11.776Z","version":"WzU2MTEsMTJd"}
 9 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"f7334120-2a35-481c-9fe5-89a70393e5b9":{"columnOrder":["21c7a16f-468f-426e-a9ce-dd8045c4a5e6","5cee0afc-b32b-41d9-972b-834ecda651de","44ad645e-9a5f-422f-8aa9-7e7f749cabb6","8f2b3843-10ab-4a0c-8aa6-ba3e2fed49a2","2c86ba1f-0f78-4032-9794-1021e5a2f33b"],"columns":{"21c7a16f-468f-426e-a9ce-dd8045c4a5e6":{"dataType":"string","isBucketed":true,"label":"Top values of localaddress.keyword","operationType":"terms","params":{"orderBy":{"columnId":"2c86ba1f-0f78-4032-9794-1021e5a2f33b","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"localaddress.keyword"},"2c86ba1f-0f78-4032-9794-1021e5a2f33b":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"44ad645e-9a5f-422f-8aa9-7e7f749cabb6":{"dataType":"string","isBucketed":true,"label":"Top values of State.keyword","operationType":"terms","params":{"orderBy":{"columnId":"2c86ba1f-0f78-4032-9794-1021e5a2f33b","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"State.keyword"},"5cee0afc-b32b-41d9-972b-834ecda651de":{"dataType":"string","isBucketed":true,"label":"Top values of foreignaddress.keyword","operationType":"terms","params":{"orderBy":{"columnId":"2c86ba1f-0f78-4032-9794-1021e5a2f33b","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"foreignaddress.keyword"},"8f2b3843-10ab-4a0c-8aa6-ba3e2fed49a2":{"dataType":"string","isBucketed":true,"label":"Top values of owner.keyword","operationType":"terms","params":{"orderBy":{"columnId":"2c86ba1f-0f78-4032-9794-1021e5a2f33b","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"owner.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_netscan"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_netscan"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["21c7a16f-468f-426e-a9ce-dd8045c4a5e6","5cee0afc-b32b-41d9-972b-834ecda651de","44ad645e-9a5f-422f-8aa9-7e7f749cabb6","8f2b3843-10ab-4a0c-8aa6-ba3e2fed49a2","2c86ba1f-0f78-4032-9794-1021e5a2f33b"],"layerId":"f7334120-2a35-481c-9fe5-89a70393e5b9"}]}},"title":"vol_netscan","visualizationType":"lnsDatatable"},"id":"471f79f0-596b-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-f7334120-2a35-481c-9fe5-89a70393e5b9","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T08:58:05.455Z","version":"WzU3MjMsMTJd"}
10 | {"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9954a4f0-ea4d-41c5-b97c-a0c46c704262":{"columnOrder":["cf8e1e00-1fce-4e7f-888f-c45a6b1fca99","92384971-45a4-4ac8-b17d-270a9f83fc12","95f4d418-bd01-4079-a11f-a567355d1b32","cd854962-591e-4e7a-acc6-6064d7f943d3","a6c70009-c818-4d48-94d1-5f66cf87bf07","b8671475-c611-4b51-b0f0-923b2e4f9c43","1779ce0b-dc7c-4713-b587-36dd2d10f87e","d94c2b39-d4ba-4ba7-89cf-a838ceff98bf","5fcc97cc-894d-4c62-a019-b1d4f52ff86d","84c43392-7d41-49a1-ae95-a251ca10d9f6","7509de03-9699-410b-9192-2e0e594b5569"],"columns":{"1779ce0b-dc7c-4713-b587-36dd2d10f87e":{"dataType":"string","isBucketed":true,"label":"Top values of pspcid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"pspcid.keyword"},"5fcc97cc-894d-4c62-a019-b1d4f52ff86d":{"dataType":"string","isBucketed":true,"label":"Top values of session.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"session.keyword"},"7509de03-9699-410b-9192-2e0e594b5569":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"84c43392-7d41-49a1-ae95-a251ca10d9f6":{"dataType":"string","isBucketed":true,"label":"Top values of deskthrd.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"deskthrd.keyword"},"92384971-45a4-4ac8-b17d-270a9f83fc12":{"dataType":"string","isBucketed":true,"label":"Top values of name.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"name.keyword"},"95f4d418-bd01-4079-a11f-a567355d1b32":{"dataType":"string","isBucketed":true,"label":"Top values of pid.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"pid.keyword"},"a6c70009-c818-4d48-94d1-5f66cf87bf07":{"dataType":"string","isBucketed":true,"label":"Top values of psscan.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"psscan.keyword"},"b8671475-c611-4b51-b0f0-923b2e4f9c43":{"dataType":"string","isBucketed":true,"label":"Top values of thrdproc.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"thrdproc.keyword"},"cd854962-591e-4e7a-acc6-6064d7f943d3":{"dataType":"string","isBucketed":true,"label":"Top values of pslist.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"pslist.keyword"},"cf8e1e00-1fce-4e7f-888f-c45a6b1fca99":{"dataType":"string","isBucketed":true,"label":"Top values of offset.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":100},"scale":"ordinal","sourceField":"offset.keyword"},"d94c2b39-d4ba-4ba7-89cf-a838ceff98bf":{"dataType":"string","isBucketed":true,"label":"Top values of csrss.keyword","operationType":"terms","params":{"orderBy":{"columnId":"7509de03-9699-410b-9192-2e0e594b5569","type":"column"},"orderDirection":"desc","size":3},"scale":"ordinal","sourceField":"csrss.keyword"}}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"type.keyword","negate":false,"params":{"query":"vol_psxview"},"type":"phrase"},"query":{"match_phrase":{"type.keyword":"vol_psxview"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"columns":["cf8e1e00-1fce-4e7f-888f-c45a6b1fca99","92384971-45a4-4ac8-b17d-270a9f83fc12","95f4d418-bd01-4079-a11f-a567355d1b32","cd854962-591e-4e7a-acc6-6064d7f943d3","a6c70009-c818-4d48-94d1-5f66cf87bf07","b8671475-c611-4b51-b0f0-923b2e4f9c43","1779ce0b-dc7c-4713-b587-36dd2d10f87e","d94c2b39-d4ba-4ba7-89cf-a838ceff98bf","5fcc97cc-894d-4c62-a019-b1d4f52ff86d","84c43392-7d41-49a1-ae95-a251ca10d9f6","7509de03-9699-410b-9192-2e0e594b5569"],"layerId":"9954a4f0-ea4d-41c5-b97c-a0c46c704262"}]}},"title":"vol_psxview","visualizationType":"lnsDatatable"},"id":"849b91a0-596c-11eb-b17f-e364fcb47ac1","migrationVersion":{"lens":"7.10.0"},"references":[{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"indexpattern-datasource-layer-9954a4f0-ea4d-41c5-b97c-a0c46c704262","type":"index-pattern"},{"id":"c0313710-5962-11eb-b17f-e364fcb47ac1","name":"filter-index-pattern-0","type":"index-pattern"}],"type":"lens","updated_at":"2021-01-18T09:06:58.105Z","version":"WzU5MzQsMTJd"}
11 | {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.10.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15,\"i\":\"c12ccc34-a371-4e72-829f-99ed478dad61\"},\"panelIndex\":\"c12ccc34-a371-4e72-829f-99ed478dad61\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":15,\"i\":\"bb5c5a33-858e-4ede-94fe-ad3c9bedd52e\"},\"panelIndex\":\"bb5c5a33-858e-4ede-94fe-ad3c9bedd52e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":0,\"y\":15,\"w\":24,\"h\":15,\"i\":\"284ad86a-7a3f-4cfe-8cf9-d739f92b0832\"},\"panelIndex\":\"284ad86a-7a3f-4cfe-8cf9-d739f92b0832\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":24,\"y\":15,\"w\":24,\"h\":15,\"i\":\"b4a92cb5-dff4-4edf-8167-ffcc467dbf0d\"},\"panelIndex\":\"b4a92cb5-dff4-4edf-8167-ffcc467dbf0d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":15,\"i\":\"c62a587c-077d-46ca-968b-7761aa8bc0bd\"},\"panelIndex\":\"c62a587c-077d-46ca-968b-7761aa8bc0bd\",\"embeddableConfig\":{\"title\":\"Vol_strings\",\"hidePanelTitles\":false},\"title\":\"Vol_strings\",\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":15,\"i\":\"9e5f004f-a6b7-4cb1-b6e3-f65446a63c4d\"},\"panelIndex\":\"9e5f004f-a6b7-4cb1-b6e3-f65446a63c4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":0,\"y\":45,\"w\":24,\"h\":15,\"i\":\"6bf18e55-3967-484d-9fb6-2bb3142ebab4\"},\"panelIndex\":\"6bf18e55-3967-484d-9fb6-2bb3142ebab4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":24,\"y\":45,\"w\":24,\"h\":15,\"i\":\"7a855c41-6a26-4f0f-be91-e4e8610e97de\"},\"panelIndex\":\"7a855c41-6a26-4f0f-be91-e4e8610e97de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.1\",\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":20,\"i\":\"cfd88e57-a4f6-40bd-b1da-1f5e510ad59c\"},\"panelIndex\":\"cfd88e57-a4f6-40bd-b1da-1f5e510ad59c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"memory_forensics","version":1},"id":"91b52970-5965-11eb-b17f-e364fcb47ac1","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"c624e9a0-596c-11eb-b17f-e364fcb47ac1","name":"panel_0","type":"lens"},{"id":"1aee1510-596d-11eb-b17f-e364fcb47ac1","name":"panel_1","type":"lens"},{"id":"64a73cb0-5966-11eb-b17f-e364fcb47ac1","name":"panel_2","type":"lens"},{"id":"bd4cbb20-596a-11eb-b17f-e364fcb47ac1","name":"panel_3","type":"lens"},{"id":"fe8f06c0-5964-11eb-b17f-e364fcb47ac1","name":"panel_4","type":"lens"},{"id":"1485b8a0-596c-11eb-b17f-e364fcb47ac1","name":"panel_5","type":"lens"},{"id":"74507f10-596a-11eb-b17f-e364fcb47ac1","name":"panel_6","type":"lens"},{"id":"471f79f0-596b-11eb-b17f-e364fcb47ac1","name":"panel_7","type":"lens"},{"id":"849b91a0-596c-11eb-b17f-e364fcb47ac1","name":"panel_8","type":"lens"}],"type":"dashboard","updated_at":"2021-01-18T09:12:59.271Z","version":"WzYwNjQsMTJd"}
12 | {"exportedCount":11,"missingRefCount":0,"missingReferences":[]}


--------------------------------------------------------------------------------