├── .gitattributes ├── README.md ├── The Elastic Stack as a SIEM.pptx ├── dashboard.json ├── docker-compose.yaml ├── sample_logstash_config.conf └── ufw.log /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Philly Security Shell Meetup Elastic Stack Demo 2 | 3 | ## Prerequisites: 4 | 5 | To run this lab you will need both the docker engine and docker compose installed. If you can run "docker -v" and "docker-compose -v" and get a version number back, you should be good to go. If you see errors when you run the docker-compose file, you may just need to reboot. 6 | 7 | --- 8 | 9 | ## Starting up the Elastic Stack 10 | 11 | To bring up Elasticsearch, Kibana, and Cerebro (a 3rd party management framework for the Elastic stack) navigate to the folder where you have cloned this respository. At the command line type 12 | 13 | `docker-compose up` 14 | 15 | and press enter. You should see a bunch of text scrolling as the the containers start up. After 30 seconds or so you should be able to access Kibana at http://localhost:5601 as well as the Cerebro management tool at http://localhost:9000. To connect Cerebro to the running Elasticsearch container type 16 | 17 | `http://elasticsearch:9200` 18 | 19 | in the Node address box on the main page, then press the Connect button. You should see a dashboard showing a single row with your running Elasticsearch node. 20 | 21 | To shut down services, press control+C on the window where docker-compose was started. You can also type `docker-compose stop` from inside the repo folder in another terminal. To remove all the containers type `docker rm elasticsearch kibana cerebro` once the services are stopped. 22 | 23 | Note: This docker compose file will write all data into folders in the /tmp directory on your machine so that if you bring the containers down and back up, the data will still be there. If you wish to save the data somewhere else, edit the docker-compose.yml file under the volumes section of the elasticsearch service. You must choose a location where docker will have permissions to write. 24 | 25 | --- 26 | 27 | ## Data Import 28 | 29 | For this demonstration we will use a firewall log that was recorded from a VPS located on digital ocean. The data is present for the timeframe of roughly 2019-02-12 to 2019-02-18. To keep attackers interested, low-interaction honeypot services were set up for multiple ports. Traffic to port 2222 should be ignored as the honeypot was administered through that port. Also note that outbound traffic from the honeypot itself is present in the data, if you do want to filter outbound traffic remove `source_ip:104.248.50.195` from your searches and visualizations. 30 | 31 | To import the ufw.log data into Kibana follow these steps: 32 | 33 | 1. Go to Kibana in your virtual machine by opening a browser and going to http://localhost:5601. Select the machine learning plugin on the left side of Kibana, then select the Data Visualizer tab at the top of the screen. 34 | 2. Click the button to "Select or drag and drop a file" and pick the ufw.log filefrom the repo. If you see an error at this stage just try it again, there seems to be a potential bug with the 7.0.0beta1 of Elasticsearch that may cause it to error out if analysis takes too long. 35 | 3. After "Analyzing data" the next screen will show some information, but it does not fully detect the fields correctly, so we must fix it. Select the "Override settings" button in the Summary section and in the Grok pattern window clear out what is there and paste the below statement, then press Apply. Paste the following in the grok pattern window: 36 | 37 | ```%{SYSLOGBASE} \[%{DATA}\] \[%{DATA:action}\] IN=(%{WORD:in})? OUT=(%{WORD:out})?( MAC=%{DATA:mac})? SRC=%{IP:source_ip} DST=%{IP:destination_ip} %{DATA} PROTO=%{WORD:protocol}( SPT=%{INT:source_port} DPT=%{INT:destination_port})?``` 38 | 39 | 4. Kibana will now re-analyze the data with the fields parsed correctly. You should now see the file stats display with data parsed out cleanly. Hit the blue import button in the lower left of the screen to go to the next page. 40 | 5. In the Import data section on the next page, select the Advanced tab. 41 | 6. Type the name `ufw_logs` in the "Index name" field, ensuring the "Create index pattern" box is checked. This will be the name of the index the data is imported into. 42 | 7. You will need to replace the contents of the **Mappings** and **Ingest pipeline** window in its entirety with the code below. The Index settings window can be left as-is. (This code is only making 3 small adjustments from the default. In the ingest section we are adding "processors" to resolve the geoIP location and ASN from the data in the source_ip field, and in the mappings where are defining a geoip object with a nested field called location of type "geo_point" where the resolved geoIP location data can be stored.) 43 | 44 | Place the following in the **mappings** window: 45 | 46 | ``` 47 | { 48 | "@timestamp": { 49 | "type": "date" 50 | }, 51 | "action": { 52 | "type": "keyword" 53 | }, 54 | "destination_ip": { 55 | "type": "ip" 56 | }, 57 | "destination_port": { 58 | "type": "long" 59 | }, 60 | "in": { 61 | "type": "keyword" 62 | }, 63 | "geoip": { 64 | "properties": { 65 | "location": { "type": "geo_point" } 66 | } 67 | }, 68 | "length": { 69 | "type": "long" 70 | }, 71 | "logsource": { 72 | "type": "keyword" 73 | }, 74 | "mac": { 75 | "type": "keyword" 76 | }, 77 | "message": { 78 | "type": "text" 79 | }, 80 | "out": { 81 | "type": "keyword" 82 | }, 83 | "program": { 84 | "type": "keyword" 85 | }, 86 | "protocol": { 87 | "type": "keyword" 88 | }, 89 | "source_ip": { 90 | "type": "ip" 91 | }, 92 | "source_port": { 93 | "type": "long" 94 | } 95 | } 96 | ``` 97 | 98 | 99 | Place the following in the ingest pipeline window: 100 | ``` 101 | { 102 | "description": "Ingest pipeline created by file structure finder", 103 | "processors": [ 104 | { 105 | "grok": { 106 | "field": "message", 107 | "patterns": [ 108 | "%{SYSLOGBASE} \\[%{DATA}\\] \\[%{DATA:action}\\] IN=(%{WORD:in})? OUT=(%{WORD:out})?( MAC=%{DATA:mac})? SRC=%{IP:source_ip} DST=%{IP:destination_ip} LEN=%{INT:length} %{DATA} PROTO=%{WORD:protocol}( SPT=%{INT:source_port} DPT=%{INT:destination_port})?" 109 | ] 110 | } 111 | }, 112 | { 113 | "date": { 114 | "field": "timestamp", 115 | "timezone": "UTC", 116 | "formats": [ 117 | "MMM dd HH:mm:ss", 118 | "MMM d HH:mm:ss" 119 | ] 120 | } 121 | }, 122 | { 123 | "remove": { 124 | "field": "timestamp" 125 | } 126 | }, 127 | { 128 | "geoip": { 129 | "field" : "source_ip" 130 | } 131 | }, 132 | { 133 | "geoip": { 134 | "field" : "source_ip", 135 | "database_file": "GeoLite2-ASN.mmdb" 136 | } 137 | } 138 | ] 139 | } 140 | ``` 141 | 142 | 8. Once this is complete, click the blue **import** button and your data should be cleanly ingested. You will be able to view it by going to the Discover tab and selecting the name of the index (ufw_logs) you chose in the previous steps. You also need to select the correct timeframe in the time picker at the upper right of the window in the Discover tab. Select Feb 12th, 2019 to Feb 18th, 2019 inclusive, and the data should show up on the page once you hit the Refresh button. 143 | 9. To import the premade visualizations and dashboards, use the `dashboard.json` file included with this repo. Click on the management tab on the left side of Kibana, then choose **Saved Objects**. On the next screen click the import button then choose the text file you saved the JSON as to import it. *(You may receive a warning message in a yellow box saying "The following saved objects use index patterns that do not exist. Please select the index patterns you'd like re-associated with them. You can create a new index pattern if necessary." Use the drop-down under **new index pattern** to select the `ufw_logs` index and hit **confirm all changes**.)* 144 | 145 | The data, visualizations, and dashboards should be imported with the prefix [Shell] and you can access them through the related tabs on the left side of the screen. 146 | -------------------------------------------------------------------------------- /The Elastic Stack as a SIEM.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecHubb/SecShell_Demo/c92ccd5de1656b2384377cbe8a0e842e38538952/The Elastic Stack as a SIEM.pptx -------------------------------------------------------------------------------- /dashboard.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "b7b8a350-3062-11e9-a22b-f101349ec9c3", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "[Shell] UFW", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": "[{\"embeddableConfig\":{\"mapCenter\":[18.646245142670608,1.7578125000000002],\"mapZoom\":2},\"gridData\":{\"x\":10,\"y\":0,\"w\":23,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":33,\"y\":0,\"w\":15,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":21,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":40,\"w\":24,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":24,\"h\":12,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":49,\"w\":24,\"h\":30,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":13,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":64,\"w\":24,\"h\":15,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":79,\"w\":48,\"h\":14,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":15,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"6.6.0\",\"panelRefName\":\"panel_9\"}]", 10 | "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", 11 | "version": 1, 12 | "timeRestore": false, 13 | "kibanaSavedObjectMeta": { 14 | "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"source_ip\",\"negate\":true,\"params\":{\"query\":\"104.248.50.195\"},\"type\":\"phrase\",\"value\":\"104.248.50.195\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"source_ip\":{\"query\":\"104.248.50.195\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"destination_port\",\"negate\":true,\"params\":{\"query\":\"2222\"},\"type\":\"phrase\",\"value\":\"2,222\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"destination_port\":{\"query\":\"2222\",\"type\":\"phrase\"}}}}]}" 15 | } 16 | }, 17 | "_migrationVersion": { 18 | "dashboard": "7.0.0" 19 | }, 20 | "_references": [ 21 | { 22 | "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", 23 | "type": "index-pattern", 24 | "id": "d4ad8a00-305f-11e9-a22b-f101349ec9c3" 25 | }, 26 | { 27 | "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", 28 | "type": "index-pattern", 29 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 30 | }, 31 | { 32 | "name": "panel_0", 33 | "type": "visualization", 34 | "id": "35d8b8e0-3060-11e9-a22b-f101349ec9c3" 35 | }, 36 | { 37 | "name": "panel_1", 38 | "type": "visualization", 39 | "id": "351222a0-3062-11e9-a22b-f101349ec9c3" 40 | }, 41 | { 42 | "name": "panel_2", 43 | "type": "visualization", 44 | "id": "15662f10-3061-11e9-a22b-f101349ec9c3" 45 | }, 46 | { 47 | "name": "panel_3", 48 | "type": "visualization", 49 | "id": "ab35bc50-3060-11e9-a22b-f101349ec9c3" 50 | }, 51 | { 52 | "name": "panel_4", 53 | "type": "visualization", 54 | "id": "bb8d8b00-3060-11e9-a22b-f101349ec9c3" 55 | }, 56 | { 57 | "name": "panel_5", 58 | "type": "search", 59 | "id": "5f642e40-3062-11e9-a22b-f101349ec9c3" 60 | }, 61 | { 62 | "name": "panel_6", 63 | "type": "visualization", 64 | "id": "25e1ee90-3063-11e9-a22b-f101349ec9c3" 65 | }, 66 | { 67 | "name": "panel_7", 68 | "type": "visualization", 69 | "id": "36b2c860-3064-11e9-a22b-f101349ec9c3" 70 | }, 71 | { 72 | "name": "panel_8", 73 | "type": "visualization", 74 | "id": "956cdac0-3065-11e9-a22b-f101349ec9c3" 75 | }, 76 | { 77 | "name": "panel_9", 78 | "type": "visualization", 79 | "id": "27648500-3065-11e9-a22b-f101349ec9c3" 80 | } 81 | ] 82 | }, 83 | { 84 | "_id": "4be97470-3372-11e9-997e-839d37c3a8b5", 85 | "_type": "index-pattern", 86 | "_source": { 87 | "title": "ufw_logs", 88 | "timeFieldName": "@timestamp", 89 | "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.organization_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.organization_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logsource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]" 90 | }, 91 | "_migrationVersion": { 92 | "index-pattern": "6.5.0" 93 | }, 94 | "_references": [] 95 | }, 96 | { 97 | "_id": "5f642e40-3062-11e9-a22b-f101349ec9c3", 98 | "_type": "search", 99 | "_source": { 100 | "title": "[Shell] IP, Port, Protocol, Message", 101 | "description": "", 102 | "hits": 0, 103 | "columns": [ 104 | "source_ip", 105 | "destination_port", 106 | "protocol", 107 | "message" 108 | ], 109 | "sort": [ 110 | "@timestamp", 111 | "desc" 112 | ], 113 | "version": 1, 114 | "kibanaSavedObjectMeta": { 115 | "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 116 | } 117 | }, 118 | "_migrationVersion": { 119 | "search": "7.0.0" 120 | }, 121 | "_references": [ 122 | { 123 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 124 | "type": "index-pattern", 125 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 126 | } 127 | ] 128 | }, 129 | { 130 | "_id": "351222a0-3062-11e9-a22b-f101349ec9c3", 131 | "_type": "visualization", 132 | "_source": { 133 | "title": "[Shell] Count by country and ports", 134 | "visState": "{\"title\":\"[Shell] Count by country and ports\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_iso_code.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", 135 | "uiStateJSON": "{}", 136 | "description": "", 137 | "version": 1, 138 | "kibanaSavedObjectMeta": { 139 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 140 | } 141 | }, 142 | "_migrationVersion": { 143 | "visualization": "7.0.0" 144 | }, 145 | "_references": [ 146 | { 147 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 148 | "type": "index-pattern", 149 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 150 | } 151 | ] 152 | }, 153 | { 154 | "_id": "35d8b8e0-3060-11e9-a22b-f101349ec9c3", 155 | "_type": "visualization", 156 | "_source": { 157 | "title": "[Shell] Pew Pew!", 158 | "visState": "{\"title\":\"[Shell] Pew Pew!\",\"type\":\"tile_map\",\"params\":{\"colorSchema\":\"Yellow to Red\",\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatClusterSize\":1.5,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":[0,0],\"precision\":2}}]}", 159 | "uiStateJSON": "{}", 160 | "description": "", 161 | "version": 1, 162 | "kibanaSavedObjectMeta": { 163 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 164 | } 165 | }, 166 | "_migrationVersion": { 167 | "visualization": "7.0.0" 168 | }, 169 | "_references": [ 170 | { 171 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 172 | "type": "index-pattern", 173 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 174 | } 175 | ] 176 | }, 177 | { 178 | "_id": "25e1ee90-3063-11e9-a22b-f101349ec9c3", 179 | "_type": "visualization", 180 | "_source": { 181 | "title": "[Shell] Count by Port, SSH Logins Annot.", 182 | "visState": "{\"title\":\"[Shell] Count by Port, SSH Logins Annot.\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"rgba(0,135,188,1)\",\"split_mode\":\"terms\",\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"destination_port\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"ufw_logs\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"show_grid\":1,\"annotations\":[{\"fields\":\"source_ip\",\"template\":\"SSH connection attempt from {{source_ip}}\",\"index_pattern\":\"ufw_logs\",\"query_string\":\"destination_port:22\",\"id\":\"cd1deed0-3062-11e9-9a67-4b3685c07a8c\",\"color\":\"#F00\",\"time_field\":\"@timestamp\",\"icon\":\"fa-asterisk\",\"ignore_global_filters\":1,\"ignore_panel_filters\":1}]},\"aggs\":[]}", 183 | "uiStateJSON": "{}", 184 | "description": "", 185 | "version": 1, 186 | "kibanaSavedObjectMeta": { 187 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" 188 | } 189 | }, 190 | "_migrationVersion": { 191 | "visualization": "7.0.0" 192 | }, 193 | "_references": [] 194 | }, 195 | { 196 | "_id": "27648500-3065-11e9-a22b-f101349ec9c3", 197 | "_type": "visualization", 198 | "_source": { 199 | "title": "[Shell] Metric - Count", 200 | "visState": "{\"title\":\"[Shell] Metric - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}}]}", 201 | "uiStateJSON": "{}", 202 | "description": "", 203 | "version": 1, 204 | "kibanaSavedObjectMeta": { 205 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 206 | } 207 | }, 208 | "_migrationVersion": { 209 | "visualization": "7.0.0" 210 | }, 211 | "_references": [ 212 | { 213 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 214 | "type": "index-pattern", 215 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 216 | } 217 | ] 218 | }, 219 | { 220 | "_id": "ab35bc50-3060-11e9-a22b-f101349ec9c3", 221 | "_type": "visualization", 222 | "_source": { 223 | "title": "[Shell] Port scan Heatmap", 224 | "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination_port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2019-02-12T20:54:39.255Z\",\"to\":\"2019-02-18T12:05:37.500Z\"},\"time_zone\":\"America/New_York\",\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":{\"_a\":[2019,1,18,12,5,37,500],\"_d\":\"2019-02-18T12:05:37.500Z\",\"_f\":\"YYYY-MM-DDTHH:mm:ss.SSSSZ\",\"_i\":\"2019-02-18T12:05:37.500Z\",\"_isAMomentObject\":true,\"_isUTC\":false,\"_isValid\":true,\"_locale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"],\"parentLocale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]}},\"_pf\":{\"charsLeftOver\":0,\"empty\":false,\"invalidFormat\":false,\"invalidMonth\":null,\"iso\":true,\"nullInput\":false,\"overflow\":-1,\"parsedDateParts\":[2019,1,18,12,5,37,500],\"rfc2822\":false,\"unusedInput\":[],\"unusedTokens\":[],\"userInvalidated\":false,\"weekdayMismatch\":false},\"_tzm\":0,\"_z\":null},\"min\":{\"_a\":[2019,1,12,20,54,39,255],\"_d\":\"2019-02-12T20:54:39.255Z\",\"_f\":\"YYYY-MM-DDTHH:mm:ss.SSSSZ\",\"_i\":\"2019-02-12T20:54:39.255Z\",\"_isAMomentObject\":true,\"_isUTC\":false,\"_isValid\":true,\"_locale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"],\"parentLocale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]}},\"_pf\":{\"charsLeftOver\":0,\"empty\":false,\"invalidFormat\":false,\"invalidMonth\":null,\"iso\":true,\"nullInput\":false,\"overflow\":-1,\"parsedDateParts\":[2019,1,12,20,54,39,255],\"rfc2822\":false,\"unusedInput\":[],\"unusedTokens\":[],\"userInvalidated\":false,\"weekdayMismatch\":false},\"_tzm\":0,\"_z\":null}},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":3600000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"[Shell] Port scan Heatmap\",\"type\":\"heatmap\"}", 225 | "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 0.45\":\"rgb(255,255,204)\",\"0.45 - 0.9\":\"rgb(255,241,170)\",\"0.9 - 1.35\":\"rgb(254,225,135)\",\"1.35 - 1.8\":\"rgb(254,201,101)\",\"1.8 - 2.25\":\"rgb(254,171,73)\",\"2.25 - 2.7\":\"rgb(253,141,60)\",\"2.7 - 3.15\":\"rgb(252,91,46)\",\"3.15 - 3.6\":\"rgb(237,47,34)\",\"3.6 - 4.05\":\"rgb(212,16,32)\",\"4.05 - 4.5\":\"rgb(176,0,38)\"}}}", 226 | "description": "", 227 | "version": 1, 228 | "kibanaSavedObjectMeta": { 229 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 230 | } 231 | }, 232 | "_migrationVersion": { 233 | "visualization": "7.0.0" 234 | }, 235 | "_references": [ 236 | { 237 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 238 | "type": "index-pattern", 239 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 240 | } 241 | ] 242 | }, 243 | { 244 | "_id": "36b2c860-3064-11e9-a22b-f101349ec9c3", 245 | "_type": "visualization", 246 | "_source": { 247 | "title": "[Shell] Top Scanners by IP", 248 | "visState": "{\"title\":\"[Shell] Top Scanners by IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", 249 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 250 | "description": "", 251 | "version": 1, 252 | "kibanaSavedObjectMeta": { 253 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 254 | } 255 | }, 256 | "_migrationVersion": { 257 | "visualization": "7.0.0" 258 | }, 259 | "_references": [ 260 | { 261 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 262 | "type": "index-pattern", 263 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 264 | } 265 | ] 266 | }, 267 | { 268 | "_id": "bb8d8b00-3060-11e9-a22b-f101349ec9c3", 269 | "_type": "visualization", 270 | "_source": { 271 | "title": "[Shell] Heatmap by Source IP", 272 | "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2019-02-12T20:54:39.255Z\",\"to\":\"2019-02-18T12:05:37.500Z\"},\"time_zone\":\"America/New_York\",\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":{\"_a\":[2019,1,18,12,5,37,500],\"_d\":\"2019-02-18T12:05:37.500Z\",\"_f\":\"YYYY-MM-DDTHH:mm:ss.SSSSZ\",\"_i\":\"2019-02-18T12:05:37.500Z\",\"_isAMomentObject\":true,\"_isUTC\":false,\"_isValid\":true,\"_locale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"],\"parentLocale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]}},\"_pf\":{\"charsLeftOver\":0,\"empty\":false,\"invalidFormat\":false,\"invalidMonth\":null,\"iso\":true,\"nullInput\":false,\"overflow\":-1,\"parsedDateParts\":[2019,1,18,12,5,37,500],\"rfc2822\":false,\"unusedInput\":[],\"unusedTokens\":[],\"userInvalidated\":false,\"weekdayMismatch\":false},\"_tzm\":0,\"_z\":null},\"min\":{\"_a\":[2019,1,12,20,54,39,255],\"_d\":\"2019-02-12T20:54:39.255Z\",\"_f\":\"YYYY-MM-DDTHH:mm:ss.SSSSZ\",\"_i\":\"2019-02-12T20:54:39.255Z\",\"_isAMomentObject\":true,\"_isUTC\":false,\"_isValid\":true,\"_locale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"],\"parentLocale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]}},\"_pf\":{\"charsLeftOver\":0,\"empty\":false,\"invalidFormat\":false,\"invalidMonth\":null,\"iso\":true,\"nullInput\":false,\"overflow\":-1,\"parsedDateParts\":[2019,1,12,20,54,39,255],\"rfc2822\":false,\"unusedInput\":[],\"unusedTokens\":[],\"userInvalidated\":false,\"weekdayMismatch\":false},\"_tzm\":0,\"_z\":null}},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":10800000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"[Shell] Heatmap by Source IP\",\"type\":\"heatmap\"}", 273 | "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 1.125\":\"rgb(247,252,245)\",\"1.125 - 2.25\":\"rgb(199,233,192)\",\"2.25 - 3.375\":\"rgb(116,196,118)\",\"3.375 - 4.5\":\"rgb(35,139,69)\"}}}", 274 | "description": "", 275 | "version": 1, 276 | "kibanaSavedObjectMeta": { 277 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 278 | } 279 | }, 280 | "_migrationVersion": { 281 | "visualization": "7.0.0" 282 | }, 283 | "_references": [ 284 | { 285 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 286 | "type": "index-pattern", 287 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 288 | } 289 | ] 290 | }, 291 | { 292 | "_id": "956cdac0-3065-11e9-a22b-f101349ec9c3", 293 | "_type": "visualization", 294 | "_source": { 295 | "title": "[Shell] Count by ASN", 296 | "visState": "{\"title\":\"[Shell] Count by ASN\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.organization_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Organization ASN\"}}]}", 297 | "uiStateJSON": "{}", 298 | "description": "", 299 | "version": 1, 300 | "kibanaSavedObjectMeta": { 301 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 302 | } 303 | }, 304 | "_migrationVersion": { 305 | "visualization": "7.0.0" 306 | }, 307 | "_references": [ 308 | { 309 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 310 | "type": "index-pattern", 311 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 312 | } 313 | ] 314 | }, 315 | { 316 | "_id": "15662f10-3061-11e9-a22b-f101349ec9c3", 317 | "_type": "visualization", 318 | "_source": { 319 | "title": "[Shell] Area - Top 10 IPs by Percentage", 320 | "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2019-02-12T23:52:25.737Z\",\"to\":\"now\"},\"time_zone\":\"America/New_York\",\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":{\"_d\":\"2019-02-18T12:18:08.032Z\",\"_isAMomentObject\":true,\"_isUTC\":false,\"_isValid\":true,\"_locale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"],\"parentLocale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]}},\"_pf\":{\"charsLeftOver\":0,\"empty\":false,\"invalidFormat\":false,\"invalidMonth\":null,\"iso\":false,\"meridiem\":null,\"nullInput\":false,\"overflow\":-2,\"parsedDateParts\":[],\"rfc2822\":false,\"unusedInput\":[],\"unusedTokens\":[],\"userInvalidated\":false,\"weekdayMismatch\":false},\"_z\":null},\"min\":{\"_a\":[2019,1,12,23,52,25,737],\"_d\":\"2019-02-12T23:52:25.737Z\",\"_f\":\"YYYY-MM-DDTHH:mm:ss.SSSSZ\",\"_i\":\"2019-02-12T23:52:25.737Z\",\"_isAMomentObject\":true,\"_isUTC\":false,\"_isValid\":true,\"_locale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\",\"lll\":\"MMM D, YYYY h:mm A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"],\"parentLocale\":{\"_abbr\":\"en\",\"_calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"_config\":{\"abbr\":\"en\",\"calendar\":{\"lastDay\":\"[Yesterday at] LT\",\"lastWeek\":\"[Last] dddd [at] LT\",\"nextDay\":\"[Tomorrow at] LT\",\"nextWeek\":\"dddd [at] LT\",\"sameDay\":\"[Today at] LT\",\"sameElse\":\"L\"},\"dayOfMonthOrdinalParse\":{},\"invalidDate\":\"Invalid date\",\"longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"meridiemParse\":{},\"months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"week\":{\"dow\":0,\"doy\":6},\"weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]},\"_dayOfMonthOrdinalParse\":{},\"_dayOfMonthOrdinalParseLenient\":{},\"_invalidDate\":\"Invalid date\",\"_longDateFormat\":{\"L\":\"MM/DD/YYYY\",\"LL\":\"MMMM D, YYYY\",\"LLL\":\"MMMM D, YYYY h:mm A\",\"LLLL\":\"dddd, MMMM D, YYYY h:mm A\",\"LT\":\"h:mm A\",\"LTS\":\"h:mm:ss A\"},\"_meridiemParse\":{},\"_months\":[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"],\"_monthsShort\":[\"Jan\",\"Feb\",\"Mar\",\"Apr\",\"May\",\"Jun\",\"Jul\",\"Aug\",\"Sep\",\"Oct\",\"Nov\",\"Dec\"],\"_relativeTime\":{\"M\":\"a month\",\"MM\":\"%d months\",\"d\":\"a day\",\"dd\":\"%d days\",\"future\":\"in %s\",\"h\":\"an hour\",\"hh\":\"%d hours\",\"m\":\"a minute\",\"mm\":\"%d minutes\",\"past\":\"%s ago\",\"s\":\"a few seconds\",\"ss\":\"%d seconds\",\"y\":\"a year\",\"yy\":\"%d years\"},\"_week\":{\"dow\":0,\"doy\":6},\"_weekdays\":[\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"],\"_weekdaysMin\":[\"Su\",\"Mo\",\"Tu\",\"We\",\"Th\",\"Fr\",\"Sa\"],\"_weekdaysShort\":[\"Sun\",\"Mon\",\"Tue\",\"Wed\",\"Thu\",\"Fri\",\"Sat\"]}},\"_pf\":{\"charsLeftOver\":0,\"empty\":false,\"invalidFormat\":false,\"invalidMonth\":null,\"iso\":true,\"nullInput\":false,\"overflow\":-1,\"parsedDateParts\":[2019,1,12,23,52,25,737],\"rfc2822\":false,\"unusedInput\":[],\"unusedTokens\":[],\"userInvalidated\":false,\"weekdayMismatch\":false},\"_tzm\":0,\"_z\":null}},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":10800000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Shell] Area - Top 10 IPs by Percentage\",\"type\":\"area\"}", 321 | "uiStateJSON": "{}", 322 | "description": "", 323 | "version": 1, 324 | "kibanaSavedObjectMeta": { 325 | "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" 326 | } 327 | }, 328 | "_migrationVersion": { 329 | "visualization": "7.0.0" 330 | }, 331 | "_references": [ 332 | { 333 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 334 | "type": "index-pattern", 335 | "id": "4be97470-3372-11e9-997e-839d37c3a8b5" 336 | } 337 | ] 338 | } 339 | ] -------------------------------------------------------------------------------- /docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | networks: 4 | shell-network: 5 | driver: bridge 6 | 7 | services: 8 | 9 | elasticsearch: 10 | image: "docker.elastic.co/elasticsearch/elasticsearch:7.0.0" 11 | container_name: elasticsearch 12 | networks: 13 | - shell-network 14 | ports: 15 | - "9200:9200" 16 | - "9300:9300" 17 | volumes: 18 | - /tmp:/usr/share/elasticsearch/data 19 | environment: 20 | discovery.type: single-node 21 | 22 | 23 | kibana: 24 | image: "docker.elastic.co/kibana/kibana:7.0.0" 25 | container_name: kibana 26 | networks: 27 | - shell-network 28 | ports: 29 | - "5601:5601" 30 | environment: 31 | ELASTICSEARCH_URL: http://elasticsearch:9200 32 | depends_on: 33 | - elasticsearch 34 | 35 | cerebro: 36 | image: "lmenezes/cerebro" 37 | container_name: cerebro 38 | networks: 39 | - shell-network 40 | ports: 41 | - "9000:9000" 42 | -------------------------------------------------------------------------------- /sample_logstash_config.conf: -------------------------------------------------------------------------------- 1 | input { 2 | tcp { 3 | port => 9999 4 | } 5 | stdin {} 6 | syslog { 7 | port => 1514 8 | } 9 | } 10 | 11 | filter { 12 | 13 | } 14 | 15 | output { 16 | stdout {codec => rubydebug} 17 | elasticsearch { 18 | hosts => ["localhost"] 19 | index => "my_first_index" 20 | } 21 | } 22 | --------------------------------------------------------------------------------