├── .gitignore ├── LICENSE ├── README.md └── Templates ├── ALERTS ├── ALL ├── DNS ├── FILE-Transactions ├── FLOW ├── HTTP ├── HTTP-Extended-Custom ├── PRIVACY ├── SMTP ├── SSH ├── TLS └── VLAN /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *~ 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 
27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. 
The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 
97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 
128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. 
However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. 
Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. 
Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. 
For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 
279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 
319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Suricata-Logstash-Templates 2 | =========================== 3 | 4 | These templates/dashboards are for Kibana 3 to use with Suricata IDPS 5 | 6 | For Kibana 4,Elasticsearch 2.x and Suricata IDPS you can use those templates here - 7 | https://github.com/StamusNetworks/KTS 8 | 9 | This repository provides 12 templates for the Kibana interface of Logstash 10 | for use with Suricata IDS/IPS - Intrusion Detection and Prevention System. 11 | 12 | These dashboards are for use with Suricata and ELK - Elasticsearch, Logstash, 13 | Kibana. 
You can install all of them by following the guide here: 14 | 15 | https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output 16 | 17 | or you can just try them out ready to use with SELKS: 18 | 19 | https://www.stamus-networks.com/open-source/ 20 | 21 | 22 | The templates found in the Templates directory are: 23 | 24 | - ALL 25 | - ALERTS 26 | - DNS 27 | - FILE-Transactions 28 | - FLOW 29 | - HTTP 30 | - HTTP-Extended-Custom 31 | - PRIVACY 32 | - SMTP 33 | - SSH 34 | - TLS 35 | - VLAN 36 | 37 | 38 | 39 | 40 | ========== 41 | How to use 42 | ========== 43 | 44 | apt-get install git-core 45 | git clone https://github.com/pevma/Suricata-Logstash-Templates 46 | 47 | That will create a directory - Suricata-Logstash-Templates - holding the templates. 48 | 49 | - Open your Kibana web interface 50 | - Upper right corner, Load -> Advanced -> Browse 51 | - Load the desired template(s) 52 | 53 | **NOTE:** 54 | To use the HTTP-Extended-Custom template you need to set up Suricata as 55 | explained here - http://www.pevma.blogspot.se/2014/06/http-header-fields-extended-logging.html 56 | 57 | **NOTE:** 58 | If the traffic you are inspecting contains VLANs, then to use the VLAN template make sure you have enabled VLAN tracking in suricata.yaml - 59 | 60 | vlan: 61 | use-for-tracking: true 62 | 63 | **NOTE:** 64 | For the best user experience, use a 1680 x 1050 screen resolution! 65 | 66 | Do not hesitate to contribute!
67 | -------------------------------------------------------------------------------- /Templates/ALERTS: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Timeline", 15 | "editable": true, 16 | "height": "220px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 10, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": false, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 3 70 | ] 71 | }, 72 | "editable": true, 73 | "zerofill": true, 74 | "grid": { 75 | "max": null, 76 | "min": 0 77 | }, 78 | "group": [ 79 | "default" 80 | ], 81 | "stack": true, 82 | "legend_counts": true, 83 | "time_field": "@timestamp", 84 | "interval": "10m", 85 | "lines": false, 86 | "y_format": "none", 87 | "points": false, 88 | "mode": "count", 89 | "pointradius": 5, 90 | "resolution": 100, 91 | "options": true, 92 | "interactive": true 93 | }, 94 | { 95 | "span": 2, 96 | "title": "Trends", 97 | "editable": true, 98 | 
"error": false, 99 | "loadingEditor": false, 100 | "panels": [ 101 | { 102 | "ago": "1d", 103 | "style": { 104 | "font-size": "12pt" 105 | }, 106 | "reverse": false, 107 | "title": "1 day trend", 108 | "arrangement": "vertical", 109 | "queries": { 110 | "mode": "all", 111 | "ids": [ 112 | 3 113 | ] 114 | }, 115 | "spyable": true, 116 | "height": "60px", 117 | "type": "trends" 118 | }, 119 | { 120 | "ago": "4h", 121 | "style": { 122 | "font-size": "12pt" 123 | }, 124 | "loading": false, 125 | "span": 10, 126 | "reverse": false, 127 | "title": "4h trend", 128 | "editable": true, 129 | "height": "60px", 130 | "draggable": false, 131 | "sizeable": false, 132 | "removable": false, 133 | "queries": { 134 | "mode": "all", 135 | "ids": [ 136 | 3 137 | ] 138 | }, 139 | "spyable": true, 140 | "arrangement": "vertical", 141 | "type": "trends" 142 | }, 143 | { 144 | "ago": "1h", 145 | "style": { 146 | "font-size": "12pt" 147 | }, 148 | "loading": false, 149 | "span": 10, 150 | "reverse": false, 151 | "title": "1 h trend", 152 | "editable": true, 153 | "height": "60px", 154 | "draggable": false, 155 | "sizeable": false, 156 | "removable": false, 157 | "queries": { 158 | "mode": "all", 159 | "ids": [ 160 | 3 161 | ] 162 | }, 163 | "spyable": true, 164 | "arrangement": "vertical", 165 | "type": "trends" 166 | } 167 | ], 168 | "type": "column" 169 | } 170 | ] 171 | }, 172 | { 173 | "notice": false, 174 | "panels": [ 175 | { 176 | "exclude": [], 177 | "map": "world", 178 | "span": 6, 179 | "title": "World", 180 | "queries": { 181 | "mode": "all", 182 | "ids": [ 183 | 3 184 | ] 185 | }, 186 | "editable": true, 187 | "field": "geoip.country_code2", 188 | "colors": [ 189 | "#A0E2E2", 190 | "#265656" 191 | ], 192 | "index_limit": 0, 193 | "error": false, 194 | "spyable": true, 195 | "loadingEditor": false, 196 | "type": "map", 197 | "size": 100 198 | }, 199 | { 200 | "exclude": [], 201 | "map": "europe", 202 | "span": 3, 203 | "title": "Europe", 204 | "queries": { 205 | "mode": "all", 
206 | "ids": [ 207 | 3 208 | ] 209 | }, 210 | "editable": true, 211 | "field": "geoip.country_code2", 212 | "colors": [ 213 | "#A0E2E2", 214 | "#265656" 215 | ], 216 | "index_limit": 0, 217 | "error": false, 218 | "spyable": true, 219 | "type": "map", 220 | "size": 100 221 | }, 222 | { 223 | "exclude": [], 224 | "map": "usa", 225 | "span": 3, 226 | "title": "USA", 227 | "queries": { 228 | "mode": "all", 229 | "ids": [ 230 | 3 231 | ] 232 | }, 233 | "editable": true, 234 | "field": "geoip.region_name.raw", 235 | "colors": [ 236 | "#A0E2E2", 237 | "#265656" 238 | ], 239 | "index_limit": 0, 240 | "error": false, 241 | "spyable": true, 242 | "loadingEditor": false, 243 | "type": "map", 244 | "size": 100 245 | } 246 | ], 247 | "collapse": false, 248 | "title": "Maps", 249 | "editable": true, 250 | "height": "200px", 251 | "collapsable": true 252 | }, 253 | { 254 | "notice": false, 255 | "collapsable": true, 256 | "collapse": false, 257 | "title": "Graph2", 258 | "editable": true, 259 | "height": "250px", 260 | "panels": [ 261 | { 262 | "labels": true, 263 | "tmode": "terms", 264 | "valuefield": "", 265 | "exclude": [], 266 | "spyable": true, 267 | "size": 10, 268 | "style": { 269 | "font-size": "10pt" 270 | }, 271 | "span": 4, 272 | "title": "Alert Categories", 273 | "tilt": false, 274 | "arrangement": "horizontal", 275 | "field": "alert.category.raw", 276 | "other": false, 277 | "type": "terms", 278 | "missing": false, 279 | "queries": { 280 | "mode": "all", 281 | "ids": [ 282 | 3 283 | ] 284 | }, 285 | "editable": true, 286 | "chart": "table", 287 | "counter_pos": "below", 288 | "tstat": "total", 289 | "donut": false, 290 | "error": false, 291 | "order": "count" 292 | }, 293 | { 294 | "labels": true, 295 | "tmode": "terms", 296 | "valuefield": "", 297 | "exclude": [], 298 | "spyable": true, 299 | "size": 10, 300 | "style": { 301 | "font-size": "10pt" 302 | }, 303 | "span": 4, 304 | "title": "Alert Signatures", 305 | "tilt": false, 306 | "arrangement": "vertical", 307 
| "field": "alert.signature.raw", 308 | "other": false, 309 | "loadingEditor": false, 310 | "type": "terms", 311 | "missing": false, 312 | "queries": { 313 | "mode": "all", 314 | "ids": [ 315 | 3 316 | ] 317 | }, 318 | "editable": true, 319 | "chart": "pie", 320 | "counter_pos": "none", 321 | "tstat": "total", 322 | "donut": false, 323 | "error": false, 324 | "order": "count" 325 | }, 326 | { 327 | "labels": true, 328 | "tmode": "terms", 329 | "valuefield": "", 330 | "exclude": [], 331 | "spyable": true, 332 | "size": 10, 333 | "style": { 334 | "font-size": "10pt" 335 | }, 336 | "span": 4, 337 | "title": "Alerts severity", 338 | "tilt": false, 339 | "arrangement": "horizontal", 340 | "field": "alert.severity", 341 | "other": false, 342 | "loadingEditor": false, 343 | "type": "terms", 344 | "missing": false, 345 | "error": false, 346 | "editable": true, 347 | "chart": "bar", 348 | "counter_pos": "above", 349 | "tstat": "total", 350 | "donut": false, 351 | "queries": { 352 | "mode": "all", 353 | "ids": [ 354 | 3 355 | ] 356 | }, 357 | "order": "count" 358 | } 359 | ] 360 | }, 361 | { 362 | "notice": false, 363 | "collapsable": true, 364 | "collapse": false, 365 | "title": "GeoIP Coordinates", 366 | "editable": true, 367 | "height": "550px", 368 | "panels": [ 369 | { 370 | "span": 12, 371 | "title": "GeoIP Localization", 372 | "error": false, 373 | "editable": true, 374 | "tooltip": "_id", 375 | "field": "geoip.coordinates", 376 | "queries": { 377 | "mode": "all", 378 | "ids": [ 379 | 3 380 | ] 381 | }, 382 | "spyable": true, 383 | "loadingEditor": false, 384 | "type": "bettermap", 385 | "size": 1000 386 | } 387 | ] 388 | }, 389 | { 390 | "notice": false, 391 | "collapsable": true, 392 | "collapse": false, 393 | "title": "Events", 394 | "editable": true, 395 | "height": "350px", 396 | "panels": [ 397 | { 398 | "header": true, 399 | "trimFactor": 300, 400 | "spyable": true, 401 | "field_list": true, 402 | "size": 100, 403 | "all_fields": true, 404 | "style": { 405 | 
"font-size": "9pt" 406 | }, 407 | "span": 12, 408 | "title": "Alert Details", 409 | "pages": 5, 410 | "loadingEditor": false, 411 | "type": "table", 412 | "sort": [ 413 | "_score", 414 | "desc" 415 | ], 416 | "queries": { 417 | "mode": "all", 418 | "ids": [ 419 | 3 420 | ] 421 | }, 422 | "editable": true, 423 | "offset": 0, 424 | "overflow": "min-height", 425 | "normTimes": true, 426 | "localTime": false, 427 | "sortable": true, 428 | "fields": [ 429 | "@timestamp", 430 | "alert.signature", 431 | "alert.signature_id", 432 | "src_ip", 433 | "src_port", 434 | "dest_ip", 435 | "dest_port" 436 | ], 437 | "paging": true, 438 | "error": false, 439 | "timeField": "@timestamp", 440 | "highlight": [] 441 | } 442 | ] 443 | } 444 | ], 445 | "title": "ALERTS", 446 | "failover": false, 447 | "editable": true, 448 | "refresh": false, 449 | "loader": { 450 | "load_gist": true, 451 | "hide": false, 452 | "save_temp": true, 453 | "load_elasticsearch_size": 20, 454 | "load_local": true, 455 | "save_temp_ttl": "30d", 456 | "load_elasticsearch": true, 457 | "save_local": true, 458 | "save_temp_ttl_enable": true, 459 | "save_elasticsearch": true, 460 | "save_gist": false, 461 | "save_default": true 462 | }, 463 | "pulldowns": [ 464 | { 465 | "notice": false, 466 | "enable": true, 467 | "collapse": true, 468 | "pinned": true, 469 | "query": "*", 470 | "history": [ 471 | "event_type:\"alert\"", 472 | "alert*" 473 | ], 474 | "type": "query", 475 | "remember": 10 476 | }, 477 | { 478 | "notice": true, 479 | "enable": true, 480 | "type": "filtering", 481 | "collapse": true 482 | } 483 | ], 484 | "nav": [ 485 | { 486 | "status": "Stable", 487 | "notice": false, 488 | "enable": true, 489 | "collapse": false, 490 | "time_options": [ 491 | "5m", 492 | "15m", 493 | "1h", 494 | "6h", 495 | "12h", 496 | "24h", 497 | "2d", 498 | "7d", 499 | "30d" 500 | ], 501 | "refresh_intervals": [ 502 | "5s", 503 | "10s", 504 | "30s", 505 | "1m", 506 | "5m", 507 | "15m", 508 | "30m", 509 | "1h", 510 | "2h", 511 
| "1d" 512 | ], 513 | "filter_id": 0, 514 | "timefield": "@timestamp", 515 | "now": true, 516 | "type": "timepicker" 517 | } 518 | ], 519 | "services": { 520 | "filter": { 521 | "list": { 522 | "0": { 523 | "type": "time", 524 | "field": "@timestamp", 525 | "from": "now-24h", 526 | "to": "now", 527 | "mandate": "must", 528 | "active": true, 529 | "alias": "", 530 | "id": 0 531 | } 532 | }, 533 | "ids": [ 534 | 0 535 | ], 536 | "idQueue": [ 537 | 1 538 | ] 539 | }, 540 | "query": { 541 | "list": { 542 | "3": { 543 | "enable": true, 544 | "pin": true, 545 | "color": "#BF1B00", 546 | "alias": "Alerts", 547 | "query": "event_type:\"alert\"", 548 | "type": "lucene", 549 | "id": 3 550 | } 551 | }, 552 | "ids": [ 553 | 3 554 | ], 555 | "idQueue": [] 556 | } 557 | }, 558 | "panel_hints": true 559 | } -------------------------------------------------------------------------------- /Templates/DNS: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Graph", 15 | "editable": true, 16 | "height": "220px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": false, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 10, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 
| "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": true, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 3 70 | ] 71 | }, 72 | "editable": true, 73 | "zerofill": true, 74 | "grid": { 75 | "max": null, 76 | "min": 0 77 | }, 78 | "group": [ 79 | "default" 80 | ], 81 | "stack": false, 82 | "legend_counts": true, 83 | "time_field": "@timestamp", 84 | "interval": "10m", 85 | "lines": true, 86 | "y_format": "none", 87 | "points": false, 88 | "mode": "count", 89 | "pointradius": 5, 90 | "resolution": 100, 91 | "options": true, 92 | "interactive": true 93 | }, 94 | { 95 | "span": 2, 96 | "title": "Trends", 97 | "editable": true, 98 | "error": false, 99 | "loadingEditor": false, 100 | "panels": [ 101 | { 102 | "ago": "1d", 103 | "style": { 104 | "font-size": "12pt" 105 | }, 106 | "reverse": false, 107 | "title": "1 day trend", 108 | "arrangement": "vertical", 109 | "queries": { 110 | "mode": "all", 111 | "ids": [ 112 | 3 113 | ] 114 | }, 115 | "spyable": true, 116 | "height": "60px", 117 | "type": "trends" 118 | }, 119 | { 120 | "ago": "4h", 121 | "style": { 122 | "font-size": "12pt" 123 | }, 124 | "reverse": false, 125 | "title": "4 hour trend", 126 | "arrangement": "vertical", 127 | "queries": { 128 | "mode": "all", 129 | "ids": [ 130 | 3 131 | ] 132 | }, 133 | "spyable": true, 134 | "height": "60px", 135 | "type": "trends" 136 | }, 137 | { 138 | "ago": "1h", 139 | "style": { 140 | "font-size": "12pt" 141 | }, 142 | "loading": false, 143 | "span": 10, 144 | "reverse": false, 145 | "title": "1 hour trend", 146 | "editable": true, 147 | "height": "60px", 148 | "draggable": false, 149 | "sizeable": false, 150 | "removable": false, 151 | "queries": { 152 | "mode": "all", 153 | "ids": [ 154 | 3 155 | ] 156 | }, 157 | "spyable": true, 158 | "arrangement": "vertical", 159 | "type": "trends" 160 | } 161 | ], 162 | "type": 
"column" 163 | } 164 | ] 165 | }, 166 | { 167 | "notice": false, 168 | "panels": [ 169 | { 170 | "exclude": [], 171 | "map": "world", 172 | "span": 6, 173 | "title": "World", 174 | "queries": { 175 | "mode": "all", 176 | "ids": [ 177 | 3 178 | ] 179 | }, 180 | "editable": true, 181 | "field": "geoip.country_code2", 182 | "colors": [ 183 | "#A0E2E2", 184 | "#265656" 185 | ], 186 | "index_limit": 0, 187 | "error": false, 188 | "spyable": true, 189 | "loadingEditor": false, 190 | "type": "map", 191 | "size": 100 192 | }, 193 | { 194 | "exclude": [], 195 | "map": "europe", 196 | "span": 3, 197 | "title": "Europe", 198 | "queries": { 199 | "mode": "all", 200 | "ids": [ 201 | 3 202 | ] 203 | }, 204 | "editable": true, 205 | "field": "geoip.country_code2", 206 | "colors": [ 207 | "#A0E2E2", 208 | "#265656" 209 | ], 210 | "index_limit": 0, 211 | "error": false, 212 | "spyable": true, 213 | "type": "map", 214 | "size": 100 215 | }, 216 | { 217 | "exclude": [], 218 | "map": "usa", 219 | "span": 3, 220 | "title": "USA", 221 | "queries": { 222 | "mode": "all", 223 | "ids": [ 224 | 3 225 | ] 226 | }, 227 | "editable": true, 228 | "field": "geoip.region_name.raw", 229 | "colors": [ 230 | "#A0E2E2", 231 | "#265656" 232 | ], 233 | "index_limit": 0, 234 | "error": false, 235 | "spyable": true, 236 | "loadingEditor": false, 237 | "type": "map", 238 | "size": 100 239 | } 240 | ], 241 | "collapse": false, 242 | "title": "Maps", 243 | "editable": true, 244 | "height": "200px", 245 | "collapsable": true 246 | }, 247 | { 248 | "notice": false, 249 | "collapsable": true, 250 | "collapse": false, 251 | "title": "Graph2", 252 | "editable": true, 253 | "height": "250px", 254 | "panels": [ 255 | { 256 | "labels": true, 257 | "tmode": "terms", 258 | "valuefield": "", 259 | "exclude": [], 260 | "spyable": true, 261 | "size": 10, 262 | "style": { 263 | "font-size": "10pt" 264 | }, 265 | "span": 6, 266 | "title": "DNS rdata", 267 | "tilt": false, 268 | "arrangement": "horizontal", 269 | "field": 
"dns.rdata.raw", 270 | "other": false, 271 | "type": "terms", 272 | "missing": false, 273 | "queries": { 274 | "mode": "all", 275 | "ids": [ 276 | 3 277 | ] 278 | }, 279 | "editable": true, 280 | "chart": "table", 281 | "counter_pos": "below", 282 | "tstat": "total", 283 | "donut": false, 284 | "error": false, 285 | "order": "count" 286 | }, 287 | { 288 | "labels": true, 289 | "tmode": "terms", 290 | "valuefield": "", 291 | "exclude": [], 292 | "spyable": true, 293 | "size": 10, 294 | "style": { 295 | "font-size": "10pt" 296 | }, 297 | "span": 6, 298 | "title": "DNS rrname", 299 | "tilt": false, 300 | "arrangement": "horizontal", 301 | "field": "dns.rrname.raw", 302 | "other": false, 303 | "loadingEditor": false, 304 | "type": "terms", 305 | "missing": false, 306 | "queries": { 307 | "mode": "all", 308 | "ids": [ 309 | 3 310 | ] 311 | }, 312 | "editable": true, 313 | "chart": "bar", 314 | "counter_pos": "above", 315 | "tstat": "total", 316 | "donut": false, 317 | "error": false, 318 | "order": "count" 319 | } 320 | ] 321 | }, 322 | { 323 | "notice": false, 324 | "panels": [ 325 | { 326 | "labels": true, 327 | "tmode": "terms", 328 | "valuefield": "", 329 | "exclude": [], 330 | "spyable": true, 331 | "size": 10, 332 | "style": { 333 | "font-size": "10pt" 334 | }, 335 | "span": 4, 336 | "title": "DNS type", 337 | "tilt": false, 338 | "arrangement": "horizontal", 339 | "field": "dns.type.raw", 340 | "other": false, 341 | "loadingEditor": false, 342 | "type": "terms", 343 | "missing": false, 344 | "queries": { 345 | "mode": "all", 346 | "ids": [ 347 | 3 348 | ] 349 | }, 350 | "editable": true, 351 | "chart": "pie", 352 | "counter_pos": "above", 353 | "tstat": "total", 354 | "donut": false, 355 | "error": false, 356 | "order": "count" 357 | }, 358 | { 359 | "labels": true, 360 | "tmode": "terms", 361 | "valuefield": "", 362 | "exclude": [], 363 | "spyable": true, 364 | "size": 10, 365 | "style": { 366 | "font-size": "10pt" 367 | }, 368 | "span": 4, 369 | "title": "DNS 
ttl", 370 | "tilt": false, 371 | "arrangement": "horizontal", 372 | "field": "dns.ttl", 373 | "other": false, 374 | "loadingEditor": false, 375 | "type": "terms", 376 | "missing": false, 377 | "queries": { 378 | "mode": "all", 379 | "ids": [ 380 | 3 381 | ] 382 | }, 383 | "editable": true, 384 | "chart": "bar", 385 | "counter_pos": "above", 386 | "tstat": "total", 387 | "donut": false, 388 | "error": false, 389 | "order": "count" 390 | }, 391 | { 392 | "labels": true, 393 | "tmode": "terms", 394 | "valuefield": "", 395 | "exclude": [], 396 | "spyable": true, 397 | "size": 10, 398 | "style": { 399 | "font-size": "10pt" 400 | }, 401 | "span": 4, 402 | "title": "DNS rrtype", 403 | "tilt": false, 404 | "arrangement": "horizontal", 405 | "field": "dns.rrtype.raw", 406 | "other": false, 407 | "loadingEditor": false, 408 | "type": "terms", 409 | "missing": false, 410 | "queries": { 411 | "mode": "all", 412 | "ids": [ 413 | 3 414 | ] 415 | }, 416 | "editable": true, 417 | "chart": "pie", 418 | "counter_pos": "above", 419 | "tstat": "total", 420 | "donut": false, 421 | "error": false, 422 | "order": "count" 423 | } 424 | ], 425 | "collapse": false, 426 | "title": "DNS data", 427 | "editable": true, 428 | "height": "200px", 429 | "collapsable": true 430 | }, 431 | { 432 | "notice": false, 433 | "collapsable": true, 434 | "collapse": false, 435 | "title": "GeoIP Coordinates", 436 | "editable": true, 437 | "height": "550px", 438 | "panels": [ 439 | { 440 | "span": 12, 441 | "title": "GeoIP Localization", 442 | "error": false, 443 | "editable": true, 444 | "tooltip": "_id", 445 | "field": "geoip.coordinates", 446 | "queries": { 447 | "mode": "all", 448 | "ids": [ 449 | 3 450 | ] 451 | }, 452 | "spyable": true, 453 | "loadingEditor": false, 454 | "type": "bettermap", 455 | "size": 100000 456 | } 457 | ] 458 | }, 459 | { 460 | "notice": false, 461 | "collapsable": true, 462 | "collapse": false, 463 | "title": "Events", 464 | "editable": true, 465 | "height": "350px", 466 | 
"panels": [ 467 | { 468 | "header": true, 469 | "trimFactor": 300, 470 | "spyable": true, 471 | "field_list": true, 472 | "size": 100, 473 | "all_fields": false, 474 | "style": { 475 | "font-size": "9pt" 476 | }, 477 | "span": 12, 478 | "title": "DNS Transaction Details", 479 | "pages": 5, 480 | "loadingEditor": false, 481 | "type": "table", 482 | "sort": [ 483 | "_score", 484 | "desc" 485 | ], 486 | "queries": { 487 | "mode": "all", 488 | "ids": [ 489 | 3 490 | ] 491 | }, 492 | "editable": true, 493 | "offset": 0, 494 | "overflow": "min-height", 495 | "normTimes": true, 496 | "localTime": false, 497 | "sortable": true, 498 | "fields": [ 499 | "@timestamp", 500 | "src_ip", 501 | "src_port", 502 | "dest_ip", 503 | "dest_port", 504 | "dns.rrname", 505 | "dns.rrtype", 506 | "dns.rdata" 507 | ], 508 | "paging": true, 509 | "error": false, 510 | "timeField": "@timestamp", 511 | "highlight": [] 512 | } 513 | ] 514 | } 515 | ], 516 | "title": "DNS", 517 | "failover": false, 518 | "editable": true, 519 | "refresh": false, 520 | "loader": { 521 | "load_gist": true, 522 | "hide": false, 523 | "save_temp": true, 524 | "load_elasticsearch_size": 20, 525 | "load_local": true, 526 | "save_temp_ttl": "30d", 527 | "load_elasticsearch": true, 528 | "save_local": true, 529 | "save_temp_ttl_enable": true, 530 | "save_elasticsearch": true, 531 | "save_gist": false, 532 | "save_default": true 533 | }, 534 | "pulldowns": [ 535 | { 536 | "notice": false, 537 | "enable": true, 538 | "collapse": true, 539 | "pinned": true, 540 | "query": "*", 541 | "history": [ 542 | "event_type:\"dns\"", 543 | "dns*", 544 | "tls*", 545 | "tls.*", 546 | "http*", 547 | "http", 548 | "" 549 | ], 550 | "type": "query", 551 | "remember": 10 552 | }, 553 | { 554 | "notice": true, 555 | "enable": true, 556 | "type": "filtering", 557 | "collapse": true 558 | } 559 | ], 560 | "nav": [ 561 | { 562 | "status": "Stable", 563 | "notice": false, 564 | "enable": true, 565 | "collapse": false, 566 | "time_options": [ 567 
| "5m", 568 | "15m", 569 | "1h", 570 | "6h", 571 | "12h", 572 | "24h", 573 | "2d", 574 | "7d", 575 | "30d" 576 | ], 577 | "refresh_intervals": [ 578 | "5s", 579 | "10s", 580 | "30s", 581 | "1m", 582 | "5m", 583 | "15m", 584 | "30m", 585 | "1h", 586 | "2h", 587 | "1d" 588 | ], 589 | "filter_id": 0, 590 | "timefield": "@timestamp", 591 | "now": true, 592 | "type": "timepicker" 593 | } 594 | ], 595 | "services": { 596 | "filter": { 597 | "list": { 598 | "0": { 599 | "type": "time", 600 | "field": "@timestamp", 601 | "from": "now-24h", 602 | "to": "now", 603 | "mandate": "must", 604 | "active": true, 605 | "alias": "", 606 | "id": 0 607 | } 608 | }, 609 | "ids": [ 610 | 0 611 | ], 612 | "idQueue": [ 613 | 1 614 | ] 615 | }, 616 | "query": { 617 | "list": { 618 | "3": { 619 | "enable": true, 620 | "pin": true, 621 | "color": "#70DBED", 622 | "alias": "DNS transactions", 623 | "query": "event_type:\"dns\"", 624 | "type": "lucene", 625 | "id": 3 626 | } 627 | }, 628 | "ids": [ 629 | 3 630 | ], 631 | "idQueue": [] 632 | } 633 | }, 634 | "panel_hints": true 635 | } -------------------------------------------------------------------------------- /Templates/FILE-Transactions: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Graph", 15 | "editable": true, 16 | "height": "200px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 
41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 12, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": false, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 0, 70 | 1, 71 | 2, 72 | 3, 73 | 4, 74 | 5, 75 | 6, 76 | 7, 77 | 8 78 | ] 79 | }, 80 | "editable": true, 81 | "zerofill": true, 82 | "grid": { 83 | "max": null, 84 | "min": 0 85 | }, 86 | "group": [ 87 | "default" 88 | ], 89 | "stack": true, 90 | "legend_counts": true, 91 | "time_field": "@timestamp", 92 | "interval": "10m", 93 | "lines": false, 94 | "y_format": "none", 95 | "points": false, 96 | "mode": "count", 97 | "pointradius": 5, 98 | "resolution": 100, 99 | "options": true, 100 | "interactive": true 101 | } 102 | ] 103 | }, 104 | { 105 | "notice": false, 106 | "panels": [ 107 | { 108 | "ago": "1d", 109 | "style": { 110 | "font-size": "14pt" 111 | }, 112 | "span": 4, 113 | "reverse": false, 114 | "title": "1 Day Trend", 115 | "editable": true, 116 | "arrangement": "vertical", 117 | "queries": { 118 | "mode": "all", 119 | "ids": [ 120 | 0, 121 | 1, 122 | 2, 123 | 3, 124 | 4, 125 | 5, 126 | 6, 127 | 7, 128 | 8 129 | ] 130 | }, 131 | "spyable": true, 132 | "type": "trends" 133 | }, 134 | { 135 | "ago": "4hr", 136 | "style": { 137 | "font-size": "14pt" 138 | }, 139 | "span": 4, 140 | "reverse": false, 141 | "title": "4 Hour Trend", 142 | "editable": true, 143 | "arrangement": "vertical", 144 | "queries": { 145 | "mode": "all", 146 | "ids": [ 147 | 0, 148 | 1, 149 | 2, 150 | 3, 151 | 4, 152 | 5, 153 | 6, 154 | 7, 155 | 8 156 | ] 157 | }, 158 | "spyable": true, 159 | "type": "trends" 160 | }, 161 | { 162 | "ago": "2h", 163 | "style": 
{ 164 | "font-size": "14pt" 165 | }, 166 | "span": 4, 167 | "reverse": false, 168 | "title": "2 Hour Trend", 169 | "editable": true, 170 | "arrangement": "vertical", 171 | "queries": { 172 | "mode": "all", 173 | "ids": [ 174 | 0, 175 | 1, 176 | 2, 177 | 3, 178 | 4, 179 | 5, 180 | 6, 181 | 7, 182 | 8 183 | ] 184 | }, 185 | "spyable": true, 186 | "type": "trends" 187 | } 188 | ], 189 | "collapse": false, 190 | "title": "Trends", 191 | "editable": true, 192 | "height": "100px", 193 | "collapsable": true 194 | }, 195 | { 196 | "notice": false, 197 | "panels": [ 198 | { 199 | "exclude": [], 200 | "map": "world", 201 | "span": 6, 202 | "title": "World", 203 | "queries": { 204 | "mode": "all", 205 | "ids": [ 206 | 0, 207 | 1, 208 | 2, 209 | 3, 210 | 4, 211 | 5, 212 | 6, 213 | 7, 214 | 8 215 | ] 216 | }, 217 | "editable": true, 218 | "field": "geoip.country_code2", 219 | "colors": [ 220 | "#A0E2E2", 221 | "#265656" 222 | ], 223 | "index_limit": 0, 224 | "error": false, 225 | "spyable": true, 226 | "loadingEditor": false, 227 | "type": "map", 228 | "size": 100 229 | }, 230 | { 231 | "exclude": [], 232 | "map": "europe", 233 | "span": 3, 234 | "title": "Europe", 235 | "queries": { 236 | "mode": "all", 237 | "ids": [ 238 | 0, 239 | 1, 240 | 2, 241 | 3, 242 | 4, 243 | 5, 244 | 6, 245 | 7, 246 | 8 247 | ] 248 | }, 249 | "editable": true, 250 | "field": "geoip.country_code2", 251 | "colors": [ 252 | "#A0E2E2", 253 | "#265656" 254 | ], 255 | "index_limit": 0, 256 | "error": false, 257 | "spyable": true, 258 | "type": "map", 259 | "size": 100 260 | }, 261 | { 262 | "exclude": [], 263 | "map": "usa", 264 | "span": 3, 265 | "title": "USA", 266 | "queries": { 267 | "mode": "all", 268 | "ids": [ 269 | 0, 270 | 1, 271 | 2, 272 | 3, 273 | 4, 274 | 5, 275 | 6, 276 | 7, 277 | 8 278 | ] 279 | }, 280 | "editable": true, 281 | "field": "geoip.region_name.raw", 282 | "colors": [ 283 | "#A0E2E2", 284 | "#265656" 285 | ], 286 | "index_limit": 0, 287 | "error": false, 288 | "spyable": true, 289 
| "loadingEditor": false, 290 | "type": "map", 291 | "size": 100 292 | } 293 | ], 294 | "collapse": false, 295 | "title": "Maps", 296 | "editable": true, 297 | "height": "250px", 298 | "collapsable": true 299 | }, 300 | { 301 | "notice": false, 302 | "collapsable": true, 303 | "collapse": false, 304 | "title": "Graph2", 305 | "editable": true, 306 | "height": "250px", 307 | "panels": [ 308 | { 309 | "labels": true, 310 | "tmode": "terms", 311 | "valuefield": "", 312 | "exclude": [], 313 | "spyable": true, 314 | "size": 15, 315 | "style": { 316 | "font-size": "10pt" 317 | }, 318 | "span": 4, 319 | "title": "Downloaded files from www hosts", 320 | "tilt": false, 321 | "arrangement": "horizontal", 322 | "field": "http.hostname.raw", 323 | "other": false, 324 | "type": "terms", 325 | "missing": false, 326 | "queries": { 327 | "mode": "all", 328 | "ids": [ 329 | 0, 330 | 1, 331 | 2, 332 | 3, 333 | 4, 334 | 5, 335 | 6, 336 | 7, 337 | 8 338 | ] 339 | }, 340 | "editable": true, 341 | "chart": "table", 342 | "counter_pos": "below", 343 | "tstat": "total", 344 | "donut": false, 345 | "error": false, 346 | "order": "count" 347 | }, 348 | { 349 | "labels": true, 350 | "tmode": "terms", 351 | "valuefield": "", 352 | "exclude": [], 353 | "spyable": true, 354 | "size": 15, 355 | "style": { 356 | "font-size": "10pt" 357 | }, 358 | "span": 5, 359 | "title": "Type of Files Transferred", 360 | "tilt": false, 361 | "arrangement": "vertical", 362 | "field": "fileinfo.type.raw", 363 | "other": false, 364 | "loadingEditor": false, 365 | "type": "terms", 366 | "missing": false, 367 | "queries": { 368 | "mode": "all", 369 | "ids": [ 370 | 0, 371 | 1, 372 | 2, 373 | 3, 374 | 4, 375 | 5, 376 | 6, 377 | 7, 378 | 8 379 | ] 380 | }, 381 | "editable": true, 382 | "chart": "table", 383 | "counter_pos": "above", 384 | "tstat": "total", 385 | "donut": false, 386 | "error": false, 387 | "order": "count" 388 | }, 389 | { 390 | "style": { 391 | "font-size": "10pt" 392 | }, 393 | "span": 3, 394 | 
"title": "Total hits", 395 | "tilt": false, 396 | "labels": true, 397 | "editable": true, 398 | "chart": "pie", 399 | "arrangement": "vertical", 400 | "donut": false, 401 | "type": "hits", 402 | "queries": { 403 | "mode": "all", 404 | "ids": [ 405 | 0, 406 | 1, 407 | 2, 408 | 3, 409 | 4, 410 | 5, 411 | 6, 412 | 7, 413 | 8 414 | ] 415 | }, 416 | "spyable": true, 417 | "loadingEditor": false, 418 | "counter_pos": "above" 419 | } 420 | ] 421 | }, 422 | { 423 | "title": "File Transaction Info", 424 | "height": "250px", 425 | "editable": true, 426 | "collapse": false, 427 | "collapsable": true, 428 | "panels": [ 429 | { 430 | "error": false, 431 | "span": 3, 432 | "editable": true, 433 | "type": "terms", 434 | "loadingEditor": false, 435 | "field": "dest_ip.raw", 436 | "exclude": [], 437 | "missing": false, 438 | "other": false, 439 | "size": 10, 440 | "order": "count", 441 | "style": { 442 | "font-size": "10pt" 443 | }, 444 | "donut": false, 445 | "tilt": false, 446 | "labels": true, 447 | "arrangement": "horizontal", 448 | "chart": "table", 449 | "counter_pos": "above", 450 | "spyable": true, 451 | "queries": { 452 | "mode": "all", 453 | "ids": [ 454 | 0, 455 | 1, 456 | 2, 457 | 3, 458 | 4, 459 | 5, 460 | 6, 461 | 7, 462 | 8 463 | ] 464 | }, 465 | "tmode": "terms", 466 | "tstat": "total", 467 | "valuefield": "fileinfo.size", 468 | "title": "Top Dest IP" 469 | }, 470 | { 471 | "error": false, 472 | "span": 3, 473 | "editable": true, 474 | "type": "terms", 475 | "loadingEditor": false, 476 | "field": "dest_port", 477 | "exclude": [], 478 | "missing": false, 479 | "other": false, 480 | "size": 10, 481 | "order": "count", 482 | "style": { 483 | "font-size": "10pt" 484 | }, 485 | "donut": false, 486 | "tilt": false, 487 | "labels": true, 488 | "arrangement": "horizontal", 489 | "chart": "table", 490 | "counter_pos": "above", 491 | "spyable": true, 492 | "queries": { 493 | "mode": "all", 494 | "ids": [ 495 | 0, 496 | 1, 497 | 2, 498 | 3, 499 | 4, 500 | 5, 501 | 6, 502 | 7, 
503 | 8 504 | ] 505 | }, 506 | "tmode": "terms", 507 | "tstat": "total", 508 | "valuefield": "", 509 | "title": "Top Dest Ports" 510 | }, 511 | { 512 | "error": false, 513 | "span": 3, 514 | "editable": true, 515 | "type": "terms", 516 | "loadingEditor": false, 517 | "field": "src_ip.raw", 518 | "exclude": [], 519 | "missing": false, 520 | "other": false, 521 | "size": 10, 522 | "order": "count", 523 | "style": { 524 | "font-size": "10pt" 525 | }, 526 | "donut": false, 527 | "tilt": false, 528 | "labels": true, 529 | "arrangement": "horizontal", 530 | "chart": "table", 531 | "counter_pos": "above", 532 | "spyable": true, 533 | "queries": { 534 | "mode": "all", 535 | "ids": [ 536 | 0, 537 | 1, 538 | 2, 539 | 3, 540 | 4, 541 | 5, 542 | 6, 543 | 7, 544 | 8 545 | ] 546 | }, 547 | "tmode": "terms", 548 | "tstat": "total", 549 | "valuefield": "", 550 | "title": "Top SRC IP" 551 | }, 552 | { 553 | "error": false, 554 | "span": 3, 555 | "editable": true, 556 | "type": "terms", 557 | "loadingEditor": false, 558 | "field": "src_port", 559 | "exclude": [], 560 | "missing": false, 561 | "other": false, 562 | "size": 10, 563 | "order": "count", 564 | "style": { 565 | "font-size": "10pt" 566 | }, 567 | "donut": false, 568 | "tilt": false, 569 | "labels": true, 570 | "arrangement": "horizontal", 571 | "chart": "table", 572 | "counter_pos": "above", 573 | "spyable": true, 574 | "queries": { 575 | "mode": "all", 576 | "ids": [ 577 | 0, 578 | 1, 579 | 2, 580 | 3, 581 | 4, 582 | 5, 583 | 6, 584 | 7, 585 | 8 586 | ] 587 | }, 588 | "tmode": "terms", 589 | "tstat": "total", 590 | "valuefield": "", 591 | "title": "Top SRC Ports" 592 | } 593 | ], 594 | "notice": false 595 | }, 596 | { 597 | "notice": false, 598 | "collapsable": true, 599 | "collapse": false, 600 | "title": "Events", 601 | "editable": true, 602 | "height": "350px", 603 | "panels": [ 604 | { 605 | "header": true, 606 | "trimFactor": 300, 607 | "spyable": true, 608 | "field_list": true, 609 | "size": 100, 610 | "all_fields": 
false, 611 | "style": { 612 | "font-size": "9pt" 613 | }, 614 | "span": 12, 615 | "title": "Network File Transaction", 616 | "pages": 5, 617 | "loadingEditor": false, 618 | "type": "table", 619 | "sort": [ 620 | "_score", 621 | "desc" 622 | ], 623 | "queries": { 624 | "mode": "all", 625 | "ids": [ 626 | 0, 627 | 1, 628 | 2, 629 | 3, 630 | 4, 631 | 5, 632 | 6, 633 | 7, 634 | 8 635 | ] 636 | }, 637 | "editable": true, 638 | "offset": 0, 639 | "overflow": "min-height", 640 | "normTimes": true, 641 | "localTime": false, 642 | "sortable": true, 643 | "fields": [ 644 | "@timestamp", 645 | "src_ip", 646 | "src_port", 647 | "dest_ip", 648 | "fileinfo.filename", 649 | "fileinfo.magic", 650 | "fileinfo.size", 651 | "http.hostname" 652 | ], 653 | "paging": true, 654 | "error": false, 655 | "timeField": "@timestamp", 656 | "highlight": [] 657 | } 658 | ] 659 | } 660 | ], 661 | "title": "FILE-Transactions", 662 | "failover": false, 663 | "editable": true, 664 | "refresh": false, 665 | "loader": { 666 | "load_gist": true, 667 | "hide": false, 668 | "save_temp": true, 669 | "load_elasticsearch_size": 20, 670 | "load_local": true, 671 | "save_temp_ttl": "30d", 672 | "load_elasticsearch": true, 673 | "save_local": true, 674 | "save_temp_ttl_enable": true, 675 | "save_elasticsearch": true, 676 | "save_gist": false, 677 | "save_default": true 678 | }, 679 | "pulldowns": [ 680 | { 681 | "notice": false, 682 | "enable": true, 683 | "collapse": true, 684 | "pinned": true, 685 | "query": "*", 686 | "history": [ 687 | "fileinfo.magic:\"video\"", 688 | "fileinfo.magic:\"Macromedia Flash\"", 689 | "fileinfo.magic:\"image data\"", 690 | "fileinfo.magic:\"Windows Installer\"", 691 | "fileinfo.magic:\"executable\"", 692 | "fileinfo.magic:\"Microsoft PowerPoint\" OR fileinfo.magic:\"Microsoft Excel\" OR fileinfo.magic:\"Microsoft Word\"", 693 | "fileinfo.magic:\"binary\"", 694 | "fileinfo.magic:*", 695 | "fileinfo.magic:\"PDF document\"", 696 | "fileinfo.magic:\"*\"" 697 | ], 698 | "type": 
"query", 699 | "remember": 10 700 | }, 701 | { 702 | "notice": true, 703 | "enable": true, 704 | "type": "filtering", 705 | "collapse": true 706 | } 707 | ], 708 | "nav": [ 709 | { 710 | "status": "Stable", 711 | "notice": false, 712 | "enable": true, 713 | "collapse": false, 714 | "time_options": [ 715 | "5m", 716 | "15m", 717 | "1h", 718 | "6h", 719 | "12h", 720 | "24h", 721 | "2d", 722 | "7d", 723 | "30d" 724 | ], 725 | "refresh_intervals": [ 726 | "5s", 727 | "10s", 728 | "30s", 729 | "1m", 730 | "5m", 731 | "15m", 732 | "30m", 733 | "1h", 734 | "2h", 735 | "1d" 736 | ], 737 | "filter_id": 0, 738 | "timefield": "@timestamp", 739 | "now": true, 740 | "type": "timepicker" 741 | } 742 | ], 743 | "services": { 744 | "filter": { 745 | "list": { 746 | "0": { 747 | "type": "time", 748 | "field": "@timestamp", 749 | "from": "now-24h", 750 | "to": "now", 751 | "mandate": "must", 752 | "active": true, 753 | "alias": "", 754 | "id": 0 755 | } 756 | }, 757 | "ids": [ 758 | 0 759 | ], 760 | "idQueue": [ 761 | 1 762 | ] 763 | }, 764 | "query": { 765 | "list": { 766 | "0": { 767 | "id": 0, 768 | "color": "#7EB26D", 769 | "alias": "PDF", 770 | "pin": true, 771 | "type": "lucene", 772 | "enable": true, 773 | "query": "fileinfo.magic:\"PDF document\"" 774 | }, 775 | "1": { 776 | "id": 1, 777 | "type": "lucene", 778 | "query": "fileinfo.magic:*", 779 | "alias": "Total Files", 780 | "color": "#EAB839", 781 | "pin": true, 782 | "enable": true 783 | }, 784 | "2": { 785 | "id": 2, 786 | "type": "lucene", 787 | "query": "fileinfo.magic:\"binary\"", 788 | "alias": "Binaries", 789 | "color": "#6ED0E0", 790 | "pin": true, 791 | "enable": true 792 | }, 793 | "3": { 794 | "id": 3, 795 | "type": "lucene", 796 | "query": "fileinfo.magic:\"Microsoft PowerPoint\" OR fileinfo.magic:\"Microsoft Excel\" OR fileinfo.magic:\"Microsoft Word\"", 797 | "alias": "MS Office", 798 | "color": "#BF1B00", 799 | "pin": true, 800 | "enable": true 801 | }, 802 | "4": { 803 | "id": 4, 804 | "color": "#E24D42", 
805 | "alias": "Executables", 806 | "pin": true, 807 | "type": "lucene", 808 | "enable": true, 809 | "query": "fileinfo.magic:\"executable\"" 810 | }, 811 | "5": { 812 | "id": 5, 813 | "color": "#1F78C1", 814 | "alias": "Windows Installer", 815 | "pin": true, 816 | "type": "lucene", 817 | "enable": true, 818 | "query": "fileinfo.magic:\"Windows Installer\"" 819 | }, 820 | "6": { 821 | "id": 6, 822 | "type": "lucene", 823 | "query": "fileinfo.magic:\"image data\"", 824 | "alias": "Image Data", 825 | "color": "#3F2B5B", 826 | "pin": true, 827 | "enable": true 828 | }, 829 | "7": { 830 | "id": 7, 831 | "color": "#705DA0", 832 | "alias": "Macromedia Flash", 833 | "pin": true, 834 | "type": "lucene", 835 | "enable": true, 836 | "query": "fileinfo.magic:\"Macromedia Flash\"" 837 | }, 838 | "8": { 839 | "id": 8, 840 | "color": "#967302", 841 | "alias": "Video", 842 | "pin": true, 843 | "type": "lucene", 844 | "enable": true, 845 | "query": "fileinfo.magic:\"video\"" 846 | } 847 | }, 848 | "ids": [ 849 | 0, 850 | 1, 851 | 2, 852 | 3, 853 | 4, 854 | 5, 855 | 6, 856 | 7, 857 | 8 858 | ], 859 | "idQueue": [] 860 | } 861 | }, 862 | "panel_hints": true 863 | } -------------------------------------------------------------------------------- /Templates/FLOW: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "_all", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": false, 6 | "interval": "none" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Options", 15 | "editable": true, 16 | "height": "200px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": false, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 
37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1y" 46 | ], 47 | "timezone": "browser", 48 | "spyable": true, 49 | "stack": true, 50 | "linewidth": 3, 51 | "fill": 0, 52 | "scale": 1, 53 | "span": 12, 54 | "tooltip": { 55 | "value_type": "cumulative", 56 | "query_as_alias": true 57 | }, 58 | "legend": true, 59 | "derivative": false, 60 | "loadingEditor": false, 61 | "auto_int": true, 62 | "type": "histogram", 63 | "value_field": null, 64 | "x-axis": true, 65 | "queries": { 66 | "mode": "all", 67 | "ids": [ 68 | 0, 69 | 1, 70 | 2 71 | ] 72 | }, 73 | "editable": true, 74 | "zerofill": true, 75 | "grid": { 76 | "max": null, 77 | "min": 0 78 | }, 79 | "percentage": false, 80 | "legend_counts": true, 81 | "time_field": "@timestamp", 82 | "interval": "10m", 83 | "lines": true, 84 | "y_format": "none", 85 | "points": false, 86 | "mode": "count", 87 | "pointradius": 5, 88 | "resolution": 100, 89 | "options": true, 90 | "interactive": true 91 | } 92 | ] 93 | }, 94 | { 95 | "notice": false, 96 | "collapsable": true, 97 | "collapse": false, 98 | "title": "Graph", 99 | "editable": true, 100 | "height": "250px", 101 | "panels": [ 102 | { 103 | "labels": true, 104 | "tmode": "terms", 105 | "valuefield": "", 106 | "exclude": [], 107 | "spyable": true, 108 | "size": 10, 109 | "style": { 110 | "font-size": "10pt" 111 | }, 112 | "span": 3, 113 | "title": "Flow Destination ports", 114 | "tilt": false, 115 | "arrangement": "horizontal", 116 | "field": "dest_port", 117 | "other": false, 118 | "loadingEditor": false, 119 | "type": "terms", 120 | "missing": false, 121 | "queries": { 122 | "mode": "all", 123 | "ids": [ 124 | 0, 125 | 1, 126 | 2 127 | ] 128 | }, 129 | "editable": true, 130 | "chart": "table", 131 | "counter_pos": "above", 132 | "tstat": "total", 133 | "donut": false, 134 | "error": false, 135 | "order": "count" 136 | }, 137 | { 138 | "labels": true, 139 | "tmode": "terms", 140 | "valuefield": "", 141 | "exclude": [], 142 | 
"spyable": true, 143 | "size": 10, 144 | "style": { 145 | "font-size": "10pt" 146 | }, 147 | "span": 3, 148 | "title": "Flow Source Ports", 149 | "tilt": false, 150 | "arrangement": "horizontal", 151 | "field": "src_port", 152 | "other": false, 153 | "loadingEditor": false, 154 | "type": "terms", 155 | "missing": false, 156 | "queries": { 157 | "mode": "all", 158 | "ids": [ 159 | 0, 160 | 1, 161 | 2 162 | ] 163 | }, 164 | "editable": true, 165 | "chart": "table", 166 | "counter_pos": "above", 167 | "tstat": "total", 168 | "donut": false, 169 | "error": false, 170 | "order": "count" 171 | }, 172 | { 173 | "labels": true, 174 | "tmode": "terms", 175 | "valuefield": "", 176 | "exclude": [], 177 | "spyable": true, 178 | "size": 10, 179 | "style": { 180 | "font-size": "10pt" 181 | }, 182 | "span": 3, 183 | "title": "Destination IP", 184 | "tilt": false, 185 | "arrangement": "horizontal", 186 | "field": "dest_ip", 187 | "other": false, 188 | "loadingEditor": false, 189 | "type": "terms", 190 | "missing": false, 191 | "queries": { 192 | "mode": "all", 193 | "ids": [ 194 | 0, 195 | 1, 196 | 2 197 | ] 198 | }, 199 | "editable": true, 200 | "chart": "table", 201 | "counter_pos": "above", 202 | "tstat": "total", 203 | "donut": false, 204 | "error": false, 205 | "order": "count" 206 | }, 207 | { 208 | "labels": true, 209 | "tmode": "terms", 210 | "valuefield": "", 211 | "exclude": [], 212 | "spyable": true, 213 | "size": 10, 214 | "style": { 215 | "font-size": "10pt" 216 | }, 217 | "span": 3, 218 | "title": "Source IP", 219 | "tilt": false, 220 | "arrangement": "horizontal", 221 | "field": "src_ip", 222 | "other": false, 223 | "loadingEditor": false, 224 | "type": "terms", 225 | "missing": false, 226 | "queries": { 227 | "mode": "all", 228 | "ids": [ 229 | 0, 230 | 1, 231 | 2 232 | ] 233 | }, 234 | "editable": true, 235 | "chart": "table", 236 | "counter_pos": "above", 237 | "tstat": "total", 238 | "donut": false, 239 | "error": false, 240 | "order": "count" 241 | } 242 | ] 
243 | }, 244 | { 245 | "notice": false, 246 | "panels": [ 247 | { 248 | "labels": true, 249 | "tmode": "terms_stats", 250 | "valuefield": "flow.bytes_toclient", 251 | "exclude": [], 252 | "spyable": true, 253 | "size": 10, 254 | "style": { 255 | "font-size": "10pt" 256 | }, 257 | "span": 3, 258 | "title": "bytes to client - number of flows", 259 | "tilt": false, 260 | "arrangement": "horizontal", 261 | "field": "flow.bytes_toclient", 262 | "other": false, 263 | "loadingEditor": false, 264 | "type": "terms", 265 | "missing": false, 266 | "queries": { 267 | "mode": "all", 268 | "ids": [ 269 | 0, 270 | 1, 271 | 2 272 | ] 273 | }, 274 | "editable": true, 275 | "chart": "pie", 276 | "counter_pos": "above", 277 | "tstat": "total", 278 | "donut": false, 279 | "error": false, 280 | "order": "count" 281 | }, 282 | { 283 | "labels": true, 284 | "tmode": "terms_stats", 285 | "valuefield": "flow.bytes_toserver", 286 | "exclude": [], 287 | "spyable": true, 288 | "size": 10, 289 | "style": { 290 | "font-size": "10pt" 291 | }, 292 | "span": 3, 293 | "title": "bytes to server - number of flows", 294 | "tilt": false, 295 | "arrangement": "horizontal", 296 | "field": "flow.bytes_toserver", 297 | "other": false, 298 | "loadingEditor": false, 299 | "type": "terms", 300 | "missing": false, 301 | "queries": { 302 | "mode": "all", 303 | "ids": [ 304 | 0, 305 | 1, 306 | 2 307 | ] 308 | }, 309 | "editable": true, 310 | "chart": "pie", 311 | "counter_pos": "above", 312 | "tstat": "total", 313 | "donut": false, 314 | "error": false, 315 | "order": "count" 316 | }, 317 | { 318 | "labels": true, 319 | "tmode": "terms_stats", 320 | "valuefield": "flow.pkts_toclient", 321 | "exclude": [], 322 | "spyable": true, 323 | "size": 10, 324 | "style": { 325 | "font-size": "10pt" 326 | }, 327 | "span": 3, 328 | "title": "packets to client - number of flows", 329 | "tilt": false, 330 | "arrangement": "horizontal", 331 | "field": "flow.pkts_toclient", 332 | "other": false, 333 | "loadingEditor": false, 334 
| "type": "terms", 335 | "missing": false, 336 | "queries": { 337 | "mode": "all", 338 | "ids": [ 339 | 0, 340 | 1, 341 | 2 342 | ] 343 | }, 344 | "editable": true, 345 | "chart": "pie", 346 | "counter_pos": "above", 347 | "tstat": "total", 348 | "donut": false, 349 | "error": false, 350 | "order": "count" 351 | }, 352 | { 353 | "labels": true, 354 | "tmode": "terms_stats", 355 | "valuefield": "flow.pkts_toserver", 356 | "exclude": [], 357 | "spyable": true, 358 | "size": 10, 359 | "style": { 360 | "font-size": "10pt" 361 | }, 362 | "span": 3, 363 | "title": "packets to server - number of flows", 364 | "tilt": false, 365 | "arrangement": "horizontal", 366 | "field": "flow.pkts_toserver", 367 | "other": false, 368 | "loadingEditor": false, 369 | "type": "terms", 370 | "missing": false, 371 | "queries": { 372 | "mode": "all", 373 | "ids": [ 374 | 0, 375 | 1, 376 | 2 377 | ] 378 | }, 379 | "editable": true, 380 | "chart": "pie", 381 | "counter_pos": "above", 382 | "tstat": "total", 383 | "donut": false, 384 | "error": false, 385 | "order": "count" 386 | } 387 | ], 388 | "collapse": false, 389 | "title": "Volumetry", 390 | "editable": true, 391 | "height": "250px", 392 | "collapsable": true 393 | }, 394 | { 395 | "notice": false, 396 | "panels": [ 397 | { 398 | "labels": true, 399 | "tmode": "terms", 400 | "valuefield": "", 401 | "exclude": [], 402 | "spyable": true, 403 | "size": 10, 404 | "style": { 405 | "font-size": "10pt" 406 | }, 407 | "span": 3, 408 | "title": "Flow state", 409 | "tilt": false, 410 | "arrangement": "horizontal", 411 | "field": "flow.state", 412 | "other": false, 413 | "loadingEditor": false, 414 | "type": "terms", 415 | "missing": false, 416 | "queries": { 417 | "mode": "all", 418 | "ids": [ 419 | 0, 420 | 1, 421 | 2 422 | ] 423 | }, 424 | "editable": true, 425 | "chart": "pie", 426 | "counter_pos": "above", 427 | "tstat": "total", 428 | "donut": false, 429 | "error": false, 430 | "order": "count" 431 | }, 432 | { 433 | "labels": true, 434 | 
"tmode": "terms", 435 | "valuefield": "", 436 | "exclude": [], 437 | "spyable": true, 438 | "size": 10, 439 | "style": { 440 | "font-size": "10pt" 441 | }, 442 | "span": 3, 443 | "title": "Flow Protocols", 444 | "tilt": false, 445 | "arrangement": "horizontal", 446 | "field": "flow.app_proto", 447 | "other": false, 448 | "loadingEditor": false, 449 | "type": "terms", 450 | "missing": false, 451 | "queries": { 452 | "mode": "all", 453 | "ids": [ 454 | 0, 455 | 1, 456 | 2 457 | ] 458 | }, 459 | "editable": true, 460 | "chart": "table", 461 | "counter_pos": "above", 462 | "tstat": "total", 463 | "donut": false, 464 | "error": false, 465 | "order": "count" 466 | }, 467 | { 468 | "labels": true, 469 | "tmode": "terms", 470 | "valuefield": "", 471 | "exclude": [], 472 | "spyable": true, 473 | "size": 10, 474 | "style": { 475 | "font-size": "10pt" 476 | }, 477 | "span": 3, 478 | "title": "Flow closing reason", 479 | "tilt": false, 480 | "arrangement": "horizontal", 481 | "field": "flow.reason", 482 | "other": false, 483 | "loadingEditor": false, 484 | "type": "terms", 485 | "missing": false, 486 | "queries": { 487 | "mode": "all", 488 | "ids": [ 489 | 0, 490 | 1, 491 | 2 492 | ] 493 | }, 494 | "editable": true, 495 | "chart": "pie", 496 | "counter_pos": "above", 497 | "tstat": "total", 498 | "donut": false, 499 | "error": false, 500 | "order": "count" 501 | }, 502 | { 503 | "labels": true, 504 | "tmode": "terms_stats", 505 | "valuefield": "flow.age", 506 | "spyable": true, 507 | "exclude": [], 508 | "size": 10, 509 | "style": { 510 | "font-size": "10pt" 511 | }, 512 | "group": [ 513 | "default" 514 | ], 515 | "title": "Flow Age - Number of flows", 516 | "tilt": false, 517 | "arrangement": "horizontal", 518 | "field": "flow.age", 519 | "other": false, 520 | "type": "terms", 521 | "missing": false, 522 | "error": false, 523 | "editable": true, 524 | "chart": "pie", 525 | "span": 3, 526 | "counter_pos": "above", 527 | "tstat": "total", 528 | "donut": false, 529 | "queries": 
{ 530 | "mode": "all", 531 | "ids": [ 532 | 0, 533 | 1, 534 | 2 535 | ] 536 | }, 537 | "order": "count" 538 | } 539 | ], 540 | "collapse": false, 541 | "title": "Flow info", 542 | "editable": true, 543 | "height": "150px", 544 | "collapsable": true 545 | }, 546 | { 547 | "notice": false, 548 | "panels": [ 549 | { 550 | "labels": true, 551 | "tmode": "terms", 552 | "valuefield": "", 553 | "exclude": [], 554 | "spyable": true, 555 | "size": 10, 556 | "style": { 557 | "font-size": "10pt" 558 | }, 559 | "span": 3, 560 | "title": "TCP state", 561 | "tilt": false, 562 | "arrangement": "horizontal", 563 | "field": "tcp.state", 564 | "other": false, 565 | "loadingEditor": false, 566 | "type": "terms", 567 | "missing": false, 568 | "queries": { 569 | "mode": "all", 570 | "ids": [ 571 | 0, 572 | 1, 573 | 2 574 | ] 575 | }, 576 | "editable": true, 577 | "chart": "table", 578 | "counter_pos": "above", 579 | "tstat": "total", 580 | "donut": false, 581 | "error": false, 582 | "order": "count" 583 | }, 584 | { 585 | "labels": true, 586 | "tmode": "terms", 587 | "valuefield": "", 588 | "exclude": [], 589 | "spyable": true, 590 | "size": 10, 591 | "style": { 592 | "font-size": "10pt" 593 | }, 594 | "span": 3, 595 | "title": "tcp flags", 596 | "tilt": false, 597 | "arrangement": "horizontal", 598 | "field": "tcp.tcp_flags", 599 | "other": false, 600 | "loadingEditor": false, 601 | "type": "terms", 602 | "missing": false, 603 | "queries": { 604 | "mode": "all", 605 | "ids": [ 606 | 0, 607 | 1, 608 | 2 609 | ] 610 | }, 611 | "editable": true, 612 | "chart": "table", 613 | "counter_pos": "above", 614 | "tstat": "total", 615 | "donut": false, 616 | "error": false, 617 | "order": "count" 618 | }, 619 | { 620 | "labels": true, 621 | "tmode": "terms", 622 | "valuefield": "", 623 | "exclude": [], 624 | "spyable": true, 625 | "size": 10, 626 | "style": { 627 | "font-size": "10pt" 628 | }, 629 | "span": 3, 630 | "title": "tcp flags to client", 631 | "tilt": false, 632 | "arrangement": 
"horizontal", 633 | "field": "tcp.tcp_flags_tc", 634 | "other": false, 635 | "loadingEditor": false, 636 | "type": "terms", 637 | "missing": false, 638 | "queries": { 639 | "mode": "all", 640 | "ids": [ 641 | 0, 642 | 1, 643 | 2 644 | ] 645 | }, 646 | "editable": true, 647 | "chart": "table", 648 | "counter_pos": "above", 649 | "tstat": "total", 650 | "donut": false, 651 | "error": false, 652 | "order": "count" 653 | }, 654 | { 655 | "labels": true, 656 | "tmode": "terms", 657 | "valuefield": "", 658 | "exclude": [], 659 | "spyable": true, 660 | "size": 10, 661 | "style": { 662 | "font-size": "10pt" 663 | }, 664 | "span": 3, 665 | "title": "tcp flags to server", 666 | "tilt": false, 667 | "arrangement": "horizontal", 668 | "field": "tcp.tcp_flags_ts", 669 | "other": false, 670 | "loadingEditor": false, 671 | "type": "terms", 672 | "missing": false, 673 | "queries": { 674 | "mode": "all", 675 | "ids": [ 676 | 0, 677 | 1, 678 | 2 679 | ] 680 | }, 681 | "editable": true, 682 | "chart": "table", 683 | "counter_pos": "above", 684 | "tstat": "total", 685 | "donut": false, 686 | "error": false, 687 | "order": "count" 688 | } 689 | ], 690 | "collapse": false, 691 | "title": "TCP State", 692 | "editable": true, 693 | "height": "150px", 694 | "collapsable": true 695 | }, 696 | { 697 | "notice": false, 698 | "panels": [ 699 | { 700 | "span": 12, 701 | "title": "Location", 702 | "queries": { 703 | "mode": "all", 704 | "ids": [ 705 | 0, 706 | 1, 707 | 2 708 | ] 709 | }, 710 | "editable": true, 711 | "tooltip": "_id", 712 | "field": "geoip.coordinates", 713 | "error": false, 714 | "spyable": true, 715 | "loadingEditor": false, 716 | "type": "bettermap", 717 | "size": 1000 718 | } 719 | ], 720 | "collapse": false, 721 | "title": "Geoip", 722 | "editable": true, 723 | "height": "350px", 724 | "collapsable": true 725 | }, 726 | { 727 | "notice": false, 728 | "collapsable": true, 729 | "collapse": false, 730 | "title": "Events", 731 | "editable": true, 732 | "height": "650px", 733 | 
"panels": [ 734 | { 735 | "sort": [ 736 | "_score", 737 | "desc" 738 | ], 739 | "header": true, 740 | "trimFactor": 300, 741 | "spyable": true, 742 | "field_list": true, 743 | "size": 100, 744 | "all_fields": false, 745 | "style": { 746 | "font-size": "9pt" 747 | }, 748 | "span": 12, 749 | "title": "Documents", 750 | "pages": 5, 751 | "type": "table", 752 | "status": "Stable", 753 | "error": false, 754 | "editable": true, 755 | "offset": 0, 756 | "group": [ 757 | "default" 758 | ], 759 | "overflow": "min-height", 760 | "normTimes": true, 761 | "localTime": false, 762 | "sortable": true, 763 | "fields": [ 764 | "@timestamp", 765 | "src_ip", 766 | "src_port", 767 | "dest_ip", 768 | "dest_port", 769 | "flow.app_proto", 770 | "flow.start", 771 | "flow.end", 772 | "flow.age", 773 | "flow_id" 774 | ], 775 | "paging": true, 776 | "queries": { 777 | "mode": "all", 778 | "ids": [ 779 | 0, 780 | 1, 781 | 2 782 | ] 783 | }, 784 | "timeField": "@timestamp", 785 | "highlight": [] 786 | } 787 | ] 788 | } 789 | ], 790 | "title": "FLOW", 791 | "failover": false, 792 | "editable": true, 793 | "refresh": false, 794 | "loader": { 795 | "load_gist": true, 796 | "hide": false, 797 | "save_temp": true, 798 | "load_elasticsearch_size": 20, 799 | "load_local": true, 800 | "save_temp_ttl": "30d", 801 | "load_elasticsearch": true, 802 | "save_local": true, 803 | "save_temp_ttl_enable": true, 804 | "save_elasticsearch": true, 805 | "save_gist": false, 806 | "save_default": true 807 | }, 808 | "pulldowns": [ 809 | { 810 | "notice": false, 811 | "enable": true, 812 | "collapse": true, 813 | "pinned": true, 814 | "query": "*", 815 | "history": [ 816 | "event_type:\"flow\" AND flow.state:\"closed\"", 817 | "event_type:\"flow\" AND flow.state:\"established\"", 818 | "event_type:\"flow\" AND flow.state:\"new\"", 819 | "event_type:\"flow\" and flow.state:\"closed\"", 820 | "event_type:\"flow\" and flow.state:\"established\"", 821 | "event_type:\"flow\" and flow.state:\"new\"", 822 | 
"event_type:\"flow\" and flow.bytes_toclient", 823 | "event_type:\"flow\" and flow.bytes_toserver", 824 | "event_type:\"flow\" and flow.pkts_toclient", 825 | "event_type:\"flow\" and flow.pkts_toserver" 826 | ], 827 | "type": "query", 828 | "remember": 10 829 | }, 830 | { 831 | "notice": true, 832 | "enable": true, 833 | "type": "filtering", 834 | "collapse": true 835 | } 836 | ], 837 | "nav": [ 838 | { 839 | "status": "Stable", 840 | "notice": false, 841 | "enable": true, 842 | "collapse": false, 843 | "time_options": [ 844 | "5m", 845 | "15m", 846 | "1h", 847 | "6h", 848 | "12h", 849 | "24h", 850 | "2d", 851 | "7d", 852 | "30d" 853 | ], 854 | "refresh_intervals": [ 855 | "5s", 856 | "10s", 857 | "30s", 858 | "1m", 859 | "5m", 860 | "15m", 861 | "30m", 862 | "1h", 863 | "2h", 864 | "1d" 865 | ], 866 | "filter_id": 0, 867 | "timefield": "@timestamp", 868 | "now": true, 869 | "type": "timepicker" 870 | } 871 | ], 872 | "services": { 873 | "filter": { 874 | "list": { 875 | "0": { 876 | "from": "now-24h", 877 | "to": "now", 878 | "field": "@timestamp", 879 | "alias": "", 880 | "mandate": "must", 881 | "active": true, 882 | "type": "time", 883 | "id": 0 884 | } 885 | }, 886 | "ids": [ 887 | 0 888 | ] 889 | }, 890 | "query": { 891 | "list": { 892 | "0": { 893 | "enable": true, 894 | "pin": true, 895 | "color": "#7EB26D", 896 | "alias": "New flows", 897 | "query": "event_type:\"flow\" AND flow.state:\"new\"", 898 | "type": "lucene", 899 | "id": 0 900 | }, 901 | "1": { 902 | "enable": true, 903 | "pin": true, 904 | "color": "#EAB839", 905 | "alias": "Established flows", 906 | "query": "event_type:\"flow\" AND flow.state:\"established\"", 907 | "type": "lucene", 908 | "id": 1 909 | }, 910 | "2": { 911 | "enable": true, 912 | "pin": true, 913 | "color": "#890F02", 914 | "alias": "Closed flows", 915 | "query": "event_type:\"flow\" AND flow.state:\"closed\"", 916 | "type": "lucene", 917 | "id": 2 918 | } 919 | }, 920 | "ids": [ 921 | 0, 922 | 1, 923 | 2 924 | ] 925 | } 926 | 
}, 927 | "panel_hints": true 928 | } -------------------------------------------------------------------------------- /Templates/HTTP: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Graph", 15 | "editable": true, 16 | "height": "220px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 10, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": true, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 3 70 | ] 71 | }, 72 | "editable": true, 73 | "zerofill": true, 74 | "grid": { 75 | "max": null, 76 | "min": 0 77 | }, 78 | "group": [ 79 | "default" 80 | ], 81 | "stack": false, 82 | "legend_counts": true, 83 | "time_field": "@timestamp", 84 | "interval": "10m", 85 | "lines": false, 86 | "y_format": "none", 87 | "points": false, 88 | "mode": "count", 89 | "pointradius": 5, 90 | "resolution": 100, 91 | "options": true, 92 | "interactive": true 93 | }, 94 | { 95 | "span": 2, 96 | "title": "Trends", 97 | 
"editable": true, 98 | "error": false, 99 | "loadingEditor": false, 100 | "panels": [ 101 | { 102 | "ago": "1d", 103 | "style": { 104 | "font-size": "12pt" 105 | }, 106 | "reverse": false, 107 | "title": "1 day trend", 108 | "arrangement": "vertical", 109 | "queries": { 110 | "mode": "all", 111 | "ids": [ 112 | 3 113 | ] 114 | }, 115 | "spyable": true, 116 | "type": "trends" 117 | }, 118 | { 119 | "ago": "4h", 120 | "style": { 121 | "font-size": "12pt" 122 | }, 123 | "loading": false, 124 | "span": 10, 125 | "reverse": false, 126 | "title": "4 hours trend", 127 | "editable": true, 128 | "height": "", 129 | "draggable": false, 130 | "sizeable": false, 131 | "removable": false, 132 | "queries": { 133 | "mode": "all", 134 | "ids": [ 135 | 3 136 | ] 137 | }, 138 | "spyable": true, 139 | "arrangement": "vertical", 140 | "type": "trends" 141 | }, 142 | { 143 | "ago": "1h", 144 | "style": { 145 | "font-size": "12pt" 146 | }, 147 | "loading": false, 148 | "span": 10, 149 | "reverse": false, 150 | "title": "1 hour trend", 151 | "editable": true, 152 | "height": "", 153 | "draggable": false, 154 | "sizeable": false, 155 | "removable": false, 156 | "queries": { 157 | "mode": "all", 158 | "ids": [ 159 | 3 160 | ] 161 | }, 162 | "spyable": true, 163 | "arrangement": "vertical", 164 | "type": "trends" 165 | } 166 | ], 167 | "type": "column" 168 | } 169 | ] 170 | }, 171 | { 172 | "notice": false, 173 | "panels": [ 174 | { 175 | "exclude": [], 176 | "map": "world", 177 | "span": 6, 178 | "title": "World", 179 | "queries": { 180 | "mode": "all", 181 | "ids": [ 182 | 3 183 | ] 184 | }, 185 | "editable": true, 186 | "field": "geoip.country_code2", 187 | "colors": [ 188 | "#A0E2E2", 189 | "#265656" 190 | ], 191 | "index_limit": 0, 192 | "error": false, 193 | "spyable": true, 194 | "loadingEditor": false, 195 | "type": "map", 196 | "size": 100 197 | }, 198 | { 199 | "exclude": [], 200 | "map": "europe", 201 | "span": 3, 202 | "title": "Europe", 203 | "queries": { 204 | "mode": "all", 
205 | "ids": [ 206 | 3 207 | ] 208 | }, 209 | "editable": true, 210 | "field": "geoip.country_code2", 211 | "colors": [ 212 | "#A0E2E2", 213 | "#265656" 214 | ], 215 | "index_limit": 0, 216 | "error": false, 217 | "spyable": true, 218 | "type": "map", 219 | "size": 100 220 | }, 221 | { 222 | "exclude": [], 223 | "map": "usa", 224 | "span": 3, 225 | "title": "USA", 226 | "queries": { 227 | "mode": "all", 228 | "ids": [ 229 | 3 230 | ] 231 | }, 232 | "editable": true, 233 | "field": "geoip.region_name.raw", 234 | "colors": [ 235 | "#A0E2E2", 236 | "#265656" 237 | ], 238 | "index_limit": 0, 239 | "error": false, 240 | "spyable": true, 241 | "loadingEditor": false, 242 | "type": "map", 243 | "size": 100 244 | } 245 | ], 246 | "collapse": false, 247 | "title": "Maps", 248 | "editable": true, 249 | "height": "250px", 250 | "collapsable": true 251 | }, 252 | { 253 | "notice": false, 254 | "collapsable": true, 255 | "collapse": false, 256 | "title": "Graph2", 257 | "editable": true, 258 | "height": "250px", 259 | "panels": [ 260 | { 261 | "labels": true, 262 | "tmode": "terms", 263 | "valuefield": "", 264 | "exclude": [], 265 | "spyable": true, 266 | "size": 10, 267 | "style": { 268 | "font-size": "10pt" 269 | }, 270 | "span": 4, 271 | "title": "HTTP Hostname Visited", 272 | "tilt": false, 273 | "arrangement": "horizontal", 274 | "field": "http.hostname.raw", 275 | "other": false, 276 | "type": "terms", 277 | "missing": false, 278 | "queries": { 279 | "mode": "all", 280 | "ids": [ 281 | 3 282 | ] 283 | }, 284 | "editable": true, 285 | "chart": "table", 286 | "counter_pos": "below", 287 | "tstat": "total", 288 | "donut": false, 289 | "error": false, 290 | "order": "count" 291 | }, 292 | { 293 | "labels": true, 294 | "tmode": "terms", 295 | "valuefield": "", 296 | "exclude": [], 297 | "spyable": true, 298 | "size": 10, 299 | "style": { 300 | "font-size": "10pt" 301 | }, 302 | "span": 4, 303 | "title": "Http User Agents", 304 | "tilt": false, 305 | "arrangement": "vertical", 
306 | "field": "http.http_user_agent.raw", 307 | "other": false, 308 | "loadingEditor": false, 309 | "type": "terms", 310 | "missing": false, 311 | "queries": { 312 | "mode": "all", 313 | "ids": [ 314 | 3 315 | ] 316 | }, 317 | "editable": true, 318 | "chart": "pie", 319 | "counter_pos": "none", 320 | "tstat": "total", 321 | "donut": false, 322 | "error": false, 323 | "order": "count" 324 | }, 325 | { 326 | "labels": true, 327 | "tmode": "terms", 328 | "valuefield": "", 329 | "exclude": [], 330 | "spyable": true, 331 | "size": 10, 332 | "style": { 333 | "font-size": "10pt" 334 | }, 335 | "span": 8, 336 | "title": "HTTP Referrals", 337 | "tilt": false, 338 | "arrangement": "horizontal", 339 | "field": "http.http_refer.raw", 340 | "other": false, 341 | "loadingEditor": false, 342 | "type": "terms", 343 | "missing": false, 344 | "queries": { 345 | "mode": "all", 346 | "ids": [ 347 | 3 348 | ] 349 | }, 350 | "editable": true, 351 | "chart": "table", 352 | "counter_pos": "above", 353 | "tstat": "total", 354 | "donut": false, 355 | "error": false, 356 | "order": "count" 357 | } 358 | ] 359 | }, 360 | { 361 | "notice": false, 362 | "panels": [ 363 | { 364 | "labels": true, 365 | "tmode": "terms", 366 | "valuefield": "", 367 | "exclude": [], 368 | "spyable": true, 369 | "size": 10, 370 | "style": { 371 | "font-size": "10pt" 372 | }, 373 | "span": 6, 374 | "title": "URLs Visited", 375 | "tilt": false, 376 | "arrangement": "horizontal", 377 | "field": "http.url.raw", 378 | "other": false, 379 | "loadingEditor": false, 380 | "type": "terms", 381 | "missing": false, 382 | "queries": { 383 | "mode": "all", 384 | "ids": [ 385 | 3 386 | ] 387 | }, 388 | "editable": true, 389 | "chart": "bar", 390 | "counter_pos": "above", 391 | "tstat": "total", 392 | "donut": false, 393 | "error": false, 394 | "order": "count" 395 | }, 396 | { 397 | "labels": true, 398 | "tmode": "terms", 399 | "valuefield": "", 400 | "exclude": [], 401 | "spyable": true, 402 | "size": 10, 403 | "style": { 404 | 
"font-size": "10pt" 405 | }, 406 | "span": 3, 407 | "title": "HTTP Status", 408 | "tilt": false, 409 | "arrangement": "horizontal", 410 | "field": "http.status", 411 | "other": false, 412 | "loadingEditor": false, 413 | "type": "terms", 414 | "missing": false, 415 | "error": false, 416 | "editable": true, 417 | "chart": "table", 418 | "counter_pos": "above", 419 | "tstat": "total", 420 | "donut": false, 421 | "queries": { 422 | "mode": "all", 423 | "ids": [ 424 | 3 425 | ] 426 | }, 427 | "order": "count" 428 | }, 429 | { 430 | "labels": true, 431 | "tmode": "terms", 432 | "valuefield": "", 433 | "exclude": [], 434 | "spyable": true, 435 | "size": 10, 436 | "style": { 437 | "font-size": "10pt" 438 | }, 439 | "span": 3, 440 | "title": "HTTP lengths", 441 | "tilt": false, 442 | "arrangement": "horizontal", 443 | "field": "http.length", 444 | "other": false, 445 | "loadingEditor": false, 446 | "type": "terms", 447 | "missing": false, 448 | "error": false, 449 | "editable": true, 450 | "chart": "bar", 451 | "counter_pos": "above", 452 | "tstat": "total", 453 | "donut": false, 454 | "queries": { 455 | "mode": "all", 456 | "ids": [ 457 | 3 458 | ] 459 | }, 460 | "order": "count" 461 | } 462 | ], 463 | "collapse": false, 464 | "title": "HTTP URIs", 465 | "editable": true, 466 | "height": "250px", 467 | "collapsable": true 468 | }, 469 | { 470 | "notice": false, 471 | "panels": [ 472 | { 473 | "labels": true, 474 | "tmode": "terms", 475 | "valuefield": "", 476 | "exclude": [], 477 | "spyable": true, 478 | "size": 10, 479 | "style": { 480 | "font-size": "10pt" 481 | }, 482 | "span": 4, 483 | "title": "HTTP Method", 484 | "tilt": false, 485 | "arrangement": "horizontal", 486 | "field": "http.http_method.raw", 487 | "other": false, 488 | "loadingEditor": false, 489 | "type": "terms", 490 | "missing": false, 491 | "queries": { 492 | "mode": "all", 493 | "ids": [ 494 | 3 495 | ] 496 | }, 497 | "editable": true, 498 | "chart": "pie", 499 | "counter_pos": "above", 500 | "tstat": 
"total", 501 | "donut": false, 502 | "error": false, 503 | "order": "count" 504 | }, 505 | { 506 | "labels": true, 507 | "tmode": "terms", 508 | "valuefield": "", 509 | "exclude": [], 510 | "spyable": true, 511 | "size": 10, 512 | "style": { 513 | "font-size": "10pt" 514 | }, 515 | "span": 4, 516 | "title": "HTTP Protocol", 517 | "tilt": false, 518 | "arrangement": "horizontal", 519 | "field": "http.protocol.raw", 520 | "other": false, 521 | "loadingEditor": false, 522 | "type": "terms", 523 | "missing": false, 524 | "queries": { 525 | "mode": "all", 526 | "ids": [ 527 | 3 528 | ] 529 | }, 530 | "editable": true, 531 | "chart": "pie", 532 | "counter_pos": "above", 533 | "tstat": "total", 534 | "donut": false, 535 | "error": false, 536 | "order": "count" 537 | }, 538 | { 539 | "labels": true, 540 | "tmode": "terms", 541 | "valuefield": "", 542 | "exclude": [], 543 | "spyable": true, 544 | "size": 10, 545 | "style": { 546 | "font-size": "10pt" 547 | }, 548 | "span": 4, 549 | "title": "HTTP Status Code", 550 | "tilt": false, 551 | "arrangement": "horizontal", 552 | "field": "http.status.raw", 553 | "other": false, 554 | "loadingEditor": false, 555 | "type": "terms", 556 | "missing": false, 557 | "queries": { 558 | "mode": "all", 559 | "ids": [ 560 | 3 561 | ] 562 | }, 563 | "editable": true, 564 | "chart": "pie", 565 | "counter_pos": "above", 566 | "tstat": "total", 567 | "donut": false, 568 | "error": false, 569 | "order": "count" 570 | } 571 | ], 572 | "collapse": false, 573 | "title": "HTTP values", 574 | "editable": true, 575 | "height": "250px", 576 | "collapsable": true 577 | }, 578 | { 579 | "notice": false, 580 | "collapsable": true, 581 | "collapse": false, 582 | "title": "GeoIP Coordinates", 583 | "editable": true, 584 | "height": "550px", 585 | "panels": [ 586 | { 587 | "span": 12, 588 | "title": "GeoIP Localization", 589 | "error": false, 590 | "editable": true, 591 | "tooltip": "_id", 592 | "field": "geoip.coordinates", 593 | "queries": { 594 | "mode": 
"all", 595 | "ids": [ 596 | 3 597 | ] 598 | }, 599 | "spyable": true, 600 | "loadingEditor": false, 601 | "type": "bettermap", 602 | "size": 100000 603 | } 604 | ] 605 | }, 606 | { 607 | "notice": false, 608 | "collapsable": true, 609 | "collapse": false, 610 | "title": "Events", 611 | "editable": true, 612 | "height": "350px", 613 | "panels": [ 614 | { 615 | "header": true, 616 | "trimFactor": 300, 617 | "spyable": true, 618 | "field_list": true, 619 | "size": 100, 620 | "all_fields": false, 621 | "style": { 622 | "font-size": "9pt" 623 | }, 624 | "span": 12, 625 | "title": "HTTP Transaction Details", 626 | "pages": 5, 627 | "loadingEditor": false, 628 | "type": "table", 629 | "sort": [ 630 | "_score", 631 | "desc" 632 | ], 633 | "queries": { 634 | "mode": "all", 635 | "ids": [ 636 | 3 637 | ] 638 | }, 639 | "editable": true, 640 | "offset": 0, 641 | "overflow": "min-height", 642 | "normTimes": true, 643 | "localTime": false, 644 | "sortable": true, 645 | "fields": [ 646 | "@timestamp", 647 | "src_ip", 648 | "src_port", 649 | "dest_ip", 650 | "dest_port", 651 | "http.hostname", 652 | "http.url", 653 | "http.status" 654 | ], 655 | "paging": true, 656 | "error": false, 657 | "timeField": "@timestamp", 658 | "highlight": [] 659 | } 660 | ] 661 | } 662 | ], 663 | "title": "HTTP", 664 | "failover": false, 665 | "editable": true, 666 | "refresh": false, 667 | "loader": { 668 | "load_gist": true, 669 | "hide": false, 670 | "save_temp": true, 671 | "load_elasticsearch_size": 20, 672 | "load_local": true, 673 | "save_temp_ttl": "30d", 674 | "load_elasticsearch": true, 675 | "save_local": true, 676 | "save_temp_ttl_enable": true, 677 | "save_elasticsearch": true, 678 | "save_gist": false, 679 | "save_default": true 680 | }, 681 | "pulldowns": [ 682 | { 683 | "notice": false, 684 | "enable": true, 685 | "collapse": true, 686 | "pinned": true, 687 | "query": "*", 688 | "history": [ 689 | "event_type:\"http\"", 690 | "http*", 691 | "http", 692 | "" 693 | ], 694 | "type": 
"query", 695 | "remember": 10 696 | }, 697 | { 698 | "notice": true, 699 | "enable": true, 700 | "type": "filtering", 701 | "collapse": true 702 | } 703 | ], 704 | "nav": [ 705 | { 706 | "status": "Stable", 707 | "notice": false, 708 | "enable": true, 709 | "collapse": false, 710 | "time_options": [ 711 | "5m", 712 | "15m", 713 | "1h", 714 | "6h", 715 | "12h", 716 | "24h", 717 | "2d", 718 | "7d", 719 | "30d" 720 | ], 721 | "refresh_intervals": [ 722 | "5s", 723 | "10s", 724 | "30s", 725 | "1m", 726 | "5m", 727 | "15m", 728 | "30m", 729 | "1h", 730 | "2h", 731 | "1d" 732 | ], 733 | "filter_id": 0, 734 | "timefield": "@timestamp", 735 | "now": true, 736 | "type": "timepicker" 737 | } 738 | ], 739 | "services": { 740 | "filter": { 741 | "list": { 742 | "0": { 743 | "from": "now-24h", 744 | "to": "now", 745 | "field": "@timestamp", 746 | "alias": "", 747 | "mandate": "must", 748 | "active": true, 749 | "type": "time", 750 | "id": 0 751 | } 752 | }, 753 | "ids": [ 754 | 0 755 | ], 756 | "idQueue": [ 757 | 1 758 | ] 759 | }, 760 | "query": { 761 | "list": { 762 | "3": { 763 | "enable": true, 764 | "pin": true, 765 | "color": "#7EB26D", 766 | "alias": "HTTP transactions", 767 | "query": "event_type:\"http\"", 768 | "type": "lucene", 769 | "id": 3 770 | } 771 | }, 772 | "ids": [ 773 | 3 774 | ], 775 | "idQueue": [] 776 | } 777 | }, 778 | "panel_hints": true 779 | } -------------------------------------------------------------------------------- /Templates/HTTP-Extended-Custom: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "_all", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": false, 6 | "interval": "none" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Options", 15 | "editable": true, 16 | "height": "220px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | 
"zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1y" 46 | ], 47 | "timezone": "browser", 48 | "spyable": true, 49 | "stack": true, 50 | "linewidth": 3, 51 | "fill": 0, 52 | "scale": 1, 53 | "span": 12, 54 | "title": "Timechart", 55 | "tooltip": { 56 | "value_type": "cumulative", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "loadingEditor": false, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 0 70 | ] 71 | }, 72 | "editable": true, 73 | "zerofill": true, 74 | "grid": { 75 | "max": null, 76 | "min": 0 77 | }, 78 | "percentage": false, 79 | "legend_counts": true, 80 | "time_field": "@timestamp", 81 | "interval": "10m", 82 | "lines": false, 83 | "y_format": "none", 84 | "points": false, 85 | "mode": "count", 86 | "pointradius": 5, 87 | "resolution": 100, 88 | "options": true, 89 | "interactive": true 90 | } 91 | ] 92 | }, 93 | { 94 | "notice": false, 95 | "collapsable": true, 96 | "collapse": false, 97 | "title": "Graph", 98 | "editable": true, 99 | "height": "250px", 100 | "panels": [ 101 | { 102 | "labels": true, 103 | "tmode": "terms", 104 | "valuefield": "", 105 | "exclude": [], 106 | "spyable": true, 107 | "size": 10, 108 | "style": { 109 | "font-size": "10pt" 110 | }, 111 | "span": 4, 112 | "title": "HTTP URL - Top 10", 113 | "tilt": false, 114 | "arrangement": "horizontal", 115 | "field": "http.url.raw", 116 | "other": false, 117 | "loadingEditor": false, 118 | "type": "terms", 119 | "missing": false, 120 | "queries": { 121 | "mode": "all", 122 | "ids": [ 123 | 0 124 | ] 125 | }, 126 | "editable": true, 127 | "chart": "table", 128 | 
"counter_pos": "above", 129 | "tstat": "total", 130 | "donut": false, 131 | "error": false, 132 | "order": "count" 133 | }, 134 | { 135 | "labels": true, 136 | "tmode": "terms", 137 | "valuefield": "", 138 | "exclude": [], 139 | "spyable": true, 140 | "size": 10, 141 | "style": { 142 | "font-size": "10pt" 143 | }, 144 | "span": 3, 145 | "title": "HTTP Hostname", 146 | "tilt": false, 147 | "arrangement": "horizontal", 148 | "field": "http.hostname.raw", 149 | "other": false, 150 | "loadingEditor": false, 151 | "type": "terms", 152 | "missing": false, 153 | "queries": { 154 | "mode": "all", 155 | "ids": [ 156 | 0 157 | ] 158 | }, 159 | "editable": true, 160 | "chart": "table", 161 | "counter_pos": "above", 162 | "tstat": "total", 163 | "donut": false, 164 | "error": false, 165 | "order": "count" 166 | }, 167 | { 168 | "labels": true, 169 | "tmode": "terms", 170 | "valuefield": "", 171 | "exclude": [], 172 | "spyable": true, 173 | "size": 10, 174 | "style": { 175 | "font-size": "10pt" 176 | }, 177 | "span": 3, 178 | "title": "HTTP Content Type", 179 | "tilt": false, 180 | "arrangement": "horizontal", 181 | "field": "http.content_type.raw", 182 | "other": false, 183 | "loadingEditor": false, 184 | "type": "terms", 185 | "missing": false, 186 | "queries": { 187 | "mode": "all", 188 | "ids": [ 189 | 0 190 | ] 191 | }, 192 | "editable": true, 193 | "chart": "table", 194 | "counter_pos": "above", 195 | "tstat": "total", 196 | "donut": false, 197 | "error": false, 198 | "order": "count" 199 | }, 200 | { 201 | "labels": true, 202 | "tmode": "terms", 203 | "valuefield": "", 204 | "exclude": [], 205 | "spyable": true, 206 | "size": 10, 207 | "style": { 208 | "font-size": "10pt" 209 | }, 210 | "span": 2, 211 | "title": "HTTP Connection", 212 | "tilt": false, 213 | "arrangement": "horizontal", 214 | "field": "http.connection.raw", 215 | "other": false, 216 | "loadingEditor": false, 217 | "type": "terms", 218 | "missing": false, 219 | "queries": { 220 | "mode": "all", 221 | 
"ids": [ 222 | 0 223 | ] 224 | }, 225 | "editable": true, 226 | "chart": "pie", 227 | "counter_pos": "above", 228 | "tstat": "total", 229 | "donut": false, 230 | "error": false, 231 | "order": "count" 232 | } 233 | ] 234 | }, 235 | { 236 | "notice": false, 237 | "panels": [ 238 | { 239 | "labels": true, 240 | "tmode": "terms", 241 | "valuefield": "", 242 | "exclude": [], 243 | "spyable": true, 244 | "size": 10, 245 | "style": { 246 | "font-size": "10pt" 247 | }, 248 | "span": 4, 249 | "title": "HTTP Server", 250 | "tilt": false, 251 | "arrangement": "horizontal", 252 | "field": "http.server.raw", 253 | "other": false, 254 | "loadingEditor": false, 255 | "type": "terms", 256 | "missing": false, 257 | "queries": { 258 | "mode": "all", 259 | "ids": [ 260 | 0 261 | ] 262 | }, 263 | "editable": true, 264 | "chart": "pie", 265 | "counter_pos": "above", 266 | "tstat": "total", 267 | "donut": false, 268 | "error": false, 269 | "order": "count" 270 | }, 271 | { 272 | "exclude": [], 273 | "map": "europe", 274 | "span": 4, 275 | "title": "HTTP Europe Map", 276 | "error": false, 277 | "editable": true, 278 | "field": "geoip.country_code2", 279 | "colors": [ 280 | "#A0E2E2", 281 | "#265656" 282 | ], 283 | "queries": { 284 | "mode": "all", 285 | "ids": [ 286 | 0 287 | ] 288 | }, 289 | "spyable": true, 290 | "loadingEditor": false, 291 | "type": "map", 292 | "size": 167 293 | }, 294 | { 295 | "exclude": [], 296 | "map": "usa", 297 | "span": 4, 298 | "title": "HTTP USA Map", 299 | "error": false, 300 | "editable": true, 301 | "field": "geoip.region_name.raw", 302 | "colors": [ 303 | "#A0E2E2", 304 | "#265656" 305 | ], 306 | "queries": { 307 | "mode": "all", 308 | "ids": [ 309 | 0 310 | ] 311 | }, 312 | "spyable": true, 313 | "loadingEditor": false, 314 | "type": "map", 315 | "size": 167 316 | } 317 | ], 318 | "collapse": false, 319 | "title": "HTTP servers", 320 | "editable": true, 321 | "height": "250px", 322 | "collapsable": true 323 | }, 324 | { 325 | "notice": false, 326 | 
"panels": [ 327 | { 328 | "labels": true, 329 | "tmode": "terms", 330 | "valuefield": "", 331 | "exclude": [], 332 | "spyable": true, 333 | "size": 10, 334 | "style": { 335 | "font-size": "10pt" 336 | }, 337 | "span": 3, 338 | "title": "HTTP User Agent", 339 | "tilt": false, 340 | "arrangement": "horizontal", 341 | "field": "http.http_user_agent.raw", 342 | "other": false, 343 | "loadingEditor": false, 344 | "type": "terms", 345 | "missing": false, 346 | "queries": { 347 | "mode": "all", 348 | "ids": [ 349 | 0 350 | ] 351 | }, 352 | "editable": true, 353 | "chart": "table", 354 | "counter_pos": "above", 355 | "tstat": "total", 356 | "donut": false, 357 | "error": false, 358 | "order": "count" 359 | }, 360 | { 361 | "labels": true, 362 | "tmode": "terms", 363 | "valuefield": "", 364 | "exclude": [], 365 | "spyable": true, 366 | "size": 10, 367 | "style": { 368 | "font-size": "10pt" 369 | }, 370 | "span": 3, 371 | "title": "HTTP Accept Encoding", 372 | "tilt": false, 373 | "arrangement": "horizontal", 374 | "field": "http.accept_encoding.raw", 375 | "other": false, 376 | "loadingEditor": false, 377 | "type": "terms", 378 | "missing": false, 379 | "queries": { 380 | "mode": "all", 381 | "ids": [ 382 | 0 383 | ] 384 | }, 385 | "editable": true, 386 | "chart": "table", 387 | "counter_pos": "above", 388 | "tstat": "total", 389 | "donut": false, 390 | "error": false, 391 | "order": "count" 392 | }, 393 | { 394 | "labels": true, 395 | "tmode": "terms", 396 | "valuefield": "", 397 | "exclude": [], 398 | "spyable": true, 399 | "size": 10, 400 | "style": { 401 | "font-size": "10pt" 402 | }, 403 | "span": 3, 404 | "title": "HTTP Via", 405 | "tilt": false, 406 | "arrangement": "horizontal", 407 | "field": "http.via.raw", 408 | "other": false, 409 | "loadingEditor": false, 410 | "type": "terms", 411 | "missing": false, 412 | "queries": { 413 | "mode": "all", 414 | "ids": [ 415 | 0 416 | ] 417 | }, 418 | "editable": true, 419 | "chart": "pie", 420 | "counter_pos": "above", 421 | 
"tstat": "total", 422 | "donut": false, 423 | "error": false, 424 | "order": "count" 425 | }, 426 | { 427 | "labels": true, 428 | "tmode": "terms", 429 | "valuefield": "", 430 | "exclude": [], 431 | "spyable": true, 432 | "size": 10, 433 | "style": { 434 | "font-size": "10pt" 435 | }, 436 | "span": 3, 437 | "title": "HTTP XFF", 438 | "tilt": false, 439 | "arrangement": "horizontal", 440 | "field": "http.xff.raw", 441 | "other": false, 442 | "loadingEditor": false, 443 | "type": "terms", 444 | "missing": false, 445 | "queries": { 446 | "mode": "all", 447 | "ids": [ 448 | 0 449 | ] 450 | }, 451 | "editable": true, 452 | "chart": "pie", 453 | "counter_pos": "above", 454 | "tstat": "total", 455 | "donut": false, 456 | "error": false, 457 | "order": "count" 458 | } 459 | ], 460 | "collapse": false, 461 | "title": "HTTP headers", 462 | "editable": true, 463 | "height": "250px", 464 | "collapsable": true 465 | }, 466 | { 467 | "notice": false, 468 | "panels": [ 469 | { 470 | "labels": true, 471 | "tmode": "terms", 472 | "valuefield": "", 473 | "exclude": [], 474 | "spyable": true, 475 | "size": 10, 476 | "style": { 477 | "font-size": "10pt" 478 | }, 479 | "span": 4, 480 | "title": "HTTP Vary", 481 | "tilt": false, 482 | "arrangement": "horizontal", 483 | "field": "http.vary.raw", 484 | "other": false, 485 | "loadingEditor": false, 486 | "type": "terms", 487 | "missing": false, 488 | "queries": { 489 | "mode": "all", 490 | "ids": [ 491 | 0 492 | ] 493 | }, 494 | "editable": true, 495 | "chart": "pie", 496 | "counter_pos": "above", 497 | "tstat": "total", 498 | "donut": false, 499 | "error": false, 500 | "order": "count" 501 | }, 502 | { 503 | "labels": true, 504 | "tmode": "terms", 505 | "valuefield": "", 506 | "exclude": [], 507 | "spyable": true, 508 | "size": 10, 509 | "style": { 510 | "font-size": "10pt" 511 | }, 512 | "span": 4, 513 | "title": "HTTP Set Cookie", 514 | "tilt": false, 515 | "arrangement": "horizontal", 516 | "field": "http.set_cookie.raw", 517 | 
"other": false, 518 | "loadingEditor": false, 519 | "type": "terms", 520 | "missing": false, 521 | "queries": { 522 | "mode": "all", 523 | "ids": [ 524 | 0 525 | ] 526 | }, 527 | "editable": true, 528 | "chart": "table", 529 | "counter_pos": "above", 530 | "tstat": "total", 531 | "donut": false, 532 | "error": false, 533 | "order": "count" 534 | }, 535 | { 536 | "labels": true, 537 | "tmode": "terms", 538 | "valuefield": "", 539 | "exclude": [], 540 | "spyable": true, 541 | "size": 10, 542 | "style": { 543 | "font-size": "10pt" 544 | }, 545 | "span": 3, 546 | "title": "HTTP Transfer Encoding", 547 | "tilt": false, 548 | "arrangement": "horizontal", 549 | "field": "http.transfer_encoding.raw", 550 | "other": false, 551 | "loadingEditor": false, 552 | "type": "terms", 553 | "missing": false, 554 | "queries": { 555 | "mode": "all", 556 | "ids": [ 557 | 0 558 | ] 559 | }, 560 | "editable": true, 561 | "chart": "pie", 562 | "counter_pos": "above", 563 | "tstat": "total", 564 | "donut": false, 565 | "error": false, 566 | "order": "count" 567 | } 568 | ], 569 | "collapse": false, 570 | "title": "HTTP params", 571 | "editable": true, 572 | "height": "250px", 573 | "collapsable": true 574 | }, 575 | { 576 | "notice": false, 577 | "panels": [ 578 | { 579 | "labels": true, 580 | "tmode": "terms", 581 | "valuefield": "", 582 | "exclude": [], 583 | "spyable": true, 584 | "size": 10, 585 | "style": { 586 | "font-size": "10pt" 587 | }, 588 | "span": 4, 589 | "title": "HTTP Method", 590 | "tilt": false, 591 | "arrangement": "horizontal", 592 | "field": "http.http_method.raw", 593 | "other": false, 594 | "loadingEditor": false, 595 | "type": "terms", 596 | "missing": false, 597 | "queries": { 598 | "mode": "all", 599 | "ids": [ 600 | 0 601 | ] 602 | }, 603 | "editable": true, 604 | "chart": "pie", 605 | "counter_pos": "above", 606 | "tstat": "total", 607 | "donut": false, 608 | "error": false, 609 | "order": "count" 610 | }, 611 | { 612 | "labels": true, 613 | "tmode": "terms", 614 
| "valuefield": "", 615 | "exclude": [], 616 | "spyable": true, 617 | "size": 10, 618 | "style": { 619 | "font-size": "10pt" 620 | }, 621 | "span": 4, 622 | "title": "HTTP Status Code", 623 | "tilt": false, 624 | "arrangement": "horizontal", 625 | "field": "http.status", 626 | "other": false, 627 | "loadingEditor": false, 628 | "type": "terms", 629 | "missing": false, 630 | "queries": { 631 | "mode": "all", 632 | "ids": [ 633 | 0 634 | ] 635 | }, 636 | "editable": true, 637 | "chart": "table", 638 | "counter_pos": "above", 639 | "tstat": "total", 640 | "donut": false, 641 | "error": false, 642 | "order": "count" 643 | }, 644 | { 645 | "labels": true, 646 | "tmode": "terms", 647 | "valuefield": "", 648 | "exclude": [], 649 | "spyable": true, 650 | "size": 10, 651 | "style": { 652 | "font-size": "10pt" 653 | }, 654 | "span": 4, 655 | "title": "HTTP Length", 656 | "tilt": false, 657 | "arrangement": "horizontal", 658 | "field": "http.length", 659 | "other": false, 660 | "loadingEditor": false, 661 | "type": "terms", 662 | "missing": false, 663 | "queries": { 664 | "mode": "all", 665 | "ids": [ 666 | 0 667 | ] 668 | }, 669 | "editable": true, 670 | "chart": "pie", 671 | "counter_pos": "above", 672 | "tstat": "total", 673 | "donut": false, 674 | "error": false, 675 | "order": "count" 676 | } 677 | ], 678 | "collapse": false, 679 | "title": "HTTP values", 680 | "editable": true, 681 | "height": "250px", 682 | "collapsable": true 683 | }, 684 | { 685 | "notice": false, 686 | "collapsable": true, 687 | "collapse": false, 688 | "title": "Locations", 689 | "editable": true, 690 | "height": "500px", 691 | "panels": [ 692 | { 693 | "span": 12, 694 | "title": "HTTP World Geoip Src Map", 695 | "error": false, 696 | "editable": true, 697 | "tooltip": "_id", 698 | "field": "geoip.coordinates", 699 | "queries": { 700 | "mode": "all", 701 | "ids": [ 702 | 0 703 | ] 704 | }, 705 | "spyable": true, 706 | "loadingEditor": false, 707 | "type": "bettermap", 708 | "size": 100000 709 | } 
710 | ] 711 | }, 712 | { 713 | "notice": false, 714 | "collapsable": true, 715 | "collapse": false, 716 | "title": "Events", 717 | "editable": true, 718 | "height": "650px", 719 | "panels": [ 720 | { 721 | "sort": [ 722 | "_score", 723 | "desc" 724 | ], 725 | "header": true, 726 | "trimFactor": 300, 727 | "spyable": true, 728 | "field_list": true, 729 | "size": 100, 730 | "all_fields": false, 731 | "style": { 732 | "font-size": "9pt" 733 | }, 734 | "span": 12, 735 | "title": "Documents", 736 | "pages": 5, 737 | "type": "table", 738 | "status": "Stable", 739 | "error": false, 740 | "editable": true, 741 | "offset": 0, 742 | "group": [ 743 | "default" 744 | ], 745 | "overflow": "min-height", 746 | "normTimes": true, 747 | "localTime": false, 748 | "sortable": true, 749 | "fields": [ 750 | "@timestamp", 751 | "src_ip", 752 | "dest_ip", 753 | "dest_port", 754 | "http.hostname", 755 | "http.content_type", 756 | "http.url", 757 | "http.status", 758 | "http.http_user_agent" 759 | ], 760 | "paging": true, 761 | "queries": { 762 | "mode": "all", 763 | "ids": [ 764 | 0 765 | ] 766 | }, 767 | "timeField": "@timestamp", 768 | "highlight": [] 769 | } 770 | ] 771 | } 772 | ], 773 | "title": "HTTP-Extended-Custom", 774 | "failover": false, 775 | "editable": true, 776 | "refresh": false, 777 | "loader": { 778 | "load_gist": true, 779 | "hide": false, 780 | "save_temp": true, 781 | "load_elasticsearch_size": 20, 782 | "load_local": true, 783 | "save_temp_ttl": "30d", 784 | "load_elasticsearch": true, 785 | "save_local": true, 786 | "save_temp_ttl_enable": true, 787 | "save_elasticsearch": true, 788 | "save_gist": false, 789 | "save_default": true 790 | }, 791 | "pulldowns": [ 792 | { 793 | "notice": false, 794 | "enable": true, 795 | "collapse": true, 796 | "pinned": true, 797 | "query": "*", 798 | "history": [ 799 | "event_type:\"http\"" 800 | ], 801 | "type": "query", 802 | "remember": 10 803 | }, 804 | { 805 | "notice": true, 806 | "enable": true, 807 | "type": "filtering", 808 
| "collapse": true 809 | } 810 | ], 811 | "nav": [ 812 | { 813 | "status": "Stable", 814 | "notice": false, 815 | "enable": true, 816 | "collapse": false, 817 | "time_options": [ 818 | "5m", 819 | "15m", 820 | "1h", 821 | "6h", 822 | "12h", 823 | "24h", 824 | "2d", 825 | "7d", 826 | "30d" 827 | ], 828 | "refresh_intervals": [ 829 | "5s", 830 | "10s", 831 | "30s", 832 | "1m", 833 | "5m", 834 | "15m", 835 | "30m", 836 | "1h", 837 | "2h", 838 | "1d" 839 | ], 840 | "filter_id": 0, 841 | "timefield": "@timestamp", 842 | "now": true, 843 | "type": "timepicker" 844 | } 845 | ], 846 | "services": { 847 | "filter": { 848 | "list": { 849 | "0": { 850 | "from": "now-24h", 851 | "to": "now", 852 | "field": "@timestamp", 853 | "alias": "", 854 | "mandate": "must", 855 | "active": true, 856 | "type": "time", 857 | "id": 0 858 | } 859 | }, 860 | "ids": [ 861 | 0 862 | ] 863 | }, 864 | "query": { 865 | "list": { 866 | "0": { 867 | "enable": true, 868 | "pin": true, 869 | "color": "#7EB26D", 870 | "alias": "HTTP", 871 | "query": "event_type:\"http\"", 872 | "type": "lucene", 873 | "id": 0 874 | } 875 | }, 876 | "ids": [ 877 | 0 878 | ] 879 | } 880 | }, 881 | "panel_hints": true 882 | } -------------------------------------------------------------------------------- /Templates/SMTP: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Graph", 15 | "editable": true, 16 | "height": "200px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 
33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 12, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": false, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 0, 70 | 1, 71 | 2, 72 | 3, 73 | 4, 74 | 8 75 | ] 76 | }, 77 | "editable": true, 78 | "zerofill": true, 79 | "grid": { 80 | "max": null, 81 | "min": 0 82 | }, 83 | "group": [ 84 | "default" 85 | ], 86 | "stack": true, 87 | "legend_counts": true, 88 | "time_field": "@timestamp", 89 | "interval": "10m", 90 | "lines": false, 91 | "y_format": "none", 92 | "points": false, 93 | "mode": "count", 94 | "pointradius": 5, 95 | "resolution": 100, 96 | "options": true, 97 | "interactive": true 98 | } 99 | ] 100 | }, 101 | { 102 | "notice": false, 103 | "panels": [ 104 | { 105 | "ago": "1d", 106 | "style": { 107 | "font-size": "14pt" 108 | }, 109 | "span": 4, 110 | "reverse": false, 111 | "title": "1 Day Trend", 112 | "editable": true, 113 | "arrangement": "vertical", 114 | "queries": { 115 | "mode": "all", 116 | "ids": [ 117 | 0, 118 | 1, 119 | 2, 120 | 3, 121 | 4, 122 | 8 123 | ] 124 | }, 125 | "spyable": true, 126 | "type": "trends" 127 | }, 128 | { 129 | "ago": "4hr", 130 | "style": { 131 | "font-size": "14pt" 132 | }, 133 | "span": 4, 134 | "reverse": false, 135 | "title": "4 Hour Trend", 136 | "editable": true, 137 | "arrangement": "vertical", 138 | "queries": { 139 | "mode": "all", 140 | "ids": [ 141 | 0, 142 | 1, 143 | 2, 144 | 3, 145 | 4, 146 | 8 147 | ] 148 | }, 149 | "spyable": true, 150 | "type": "trends" 151 | }, 152 | { 153 | "ago": 
"2h", 154 | "style": { 155 | "font-size": "14pt" 156 | }, 157 | "span": 4, 158 | "reverse": false, 159 | "title": "2 Hour Trend", 160 | "editable": true, 161 | "arrangement": "vertical", 162 | "queries": { 163 | "mode": "all", 164 | "ids": [ 165 | 0, 166 | 1, 167 | 2, 168 | 3, 169 | 4, 170 | 8 171 | ] 172 | }, 173 | "spyable": true, 174 | "type": "trends" 175 | } 176 | ], 177 | "collapse": false, 178 | "title": "Trends", 179 | "editable": true, 180 | "height": "100px", 181 | "collapsable": true 182 | }, 183 | { 184 | "notice": false, 185 | "panels": [ 186 | { 187 | "exclude": [], 188 | "map": "world", 189 | "span": 6, 190 | "title": "World", 191 | "queries": { 192 | "mode": "all", 193 | "ids": [ 194 | 0, 195 | 1, 196 | 2, 197 | 3, 198 | 4, 199 | 8 200 | ] 201 | }, 202 | "editable": true, 203 | "field": "geoip.country_code2", 204 | "colors": [ 205 | "#A0E2E2", 206 | "#265656" 207 | ], 208 | "index_limit": 0, 209 | "error": false, 210 | "spyable": true, 211 | "loadingEditor": false, 212 | "type": "map", 213 | "size": 100 214 | }, 215 | { 216 | "exclude": [], 217 | "map": "europe", 218 | "span": 3, 219 | "title": "Europe", 220 | "queries": { 221 | "mode": "all", 222 | "ids": [ 223 | 0, 224 | 1, 225 | 2, 226 | 3, 227 | 4, 228 | 8 229 | ] 230 | }, 231 | "editable": true, 232 | "field": "geoip.country_code2", 233 | "colors": [ 234 | "#A0E2E2", 235 | "#265656" 236 | ], 237 | "index_limit": 0, 238 | "error": false, 239 | "spyable": true, 240 | "type": "map", 241 | "size": 100 242 | }, 243 | { 244 | "exclude": [], 245 | "map": "usa", 246 | "span": 3, 247 | "title": "USA", 248 | "queries": { 249 | "mode": "all", 250 | "ids": [ 251 | 0, 252 | 1, 253 | 2, 254 | 3, 255 | 4, 256 | 8 257 | ] 258 | }, 259 | "editable": true, 260 | "field": "geoip.region_name.raw", 261 | "colors": [ 262 | "#A0E2E2", 263 | "#265656" 264 | ], 265 | "index_limit": 0, 266 | "error": false, 267 | "spyable": true, 268 | "loadingEditor": false, 269 | "type": "map", 270 | "size": 100 271 | } 272 | ], 273 | 
"collapse": false, 274 | "title": "Maps", 275 | "editable": true, 276 | "height": "250px", 277 | "collapsable": true 278 | }, 279 | { 280 | "title": "File Transaction Info", 281 | "height": "250px", 282 | "editable": true, 283 | "collapse": false, 284 | "collapsable": true, 285 | "panels": [ 286 | { 287 | "error": false, 288 | "span": 3, 289 | "editable": true, 290 | "type": "terms", 291 | "loadingEditor": false, 292 | "field": "dest_ip.raw", 293 | "exclude": [], 294 | "missing": false, 295 | "other": false, 296 | "size": 10, 297 | "order": "count", 298 | "style": { 299 | "font-size": "10pt" 300 | }, 301 | "donut": false, 302 | "tilt": false, 303 | "labels": true, 304 | "arrangement": "horizontal", 305 | "chart": "table", 306 | "counter_pos": "above", 307 | "spyable": true, 308 | "queries": { 309 | "mode": "all", 310 | "ids": [ 311 | 0, 312 | 1, 313 | 2, 314 | 3, 315 | 4, 316 | 8 317 | ] 318 | }, 319 | "tmode": "terms", 320 | "tstat": "total", 321 | "valuefield": "fileinfo.size", 322 | "title": "Top Dest IP" 323 | }, 324 | { 325 | "error": false, 326 | "span": 3, 327 | "editable": true, 328 | "type": "terms", 329 | "loadingEditor": false, 330 | "field": "dest_port", 331 | "exclude": [], 332 | "missing": false, 333 | "other": false, 334 | "size": 10, 335 | "order": "count", 336 | "style": { 337 | "font-size": "10pt" 338 | }, 339 | "donut": false, 340 | "tilt": false, 341 | "labels": true, 342 | "arrangement": "horizontal", 343 | "chart": "table", 344 | "counter_pos": "above", 345 | "spyable": true, 346 | "queries": { 347 | "mode": "all", 348 | "ids": [ 349 | 0, 350 | 1, 351 | 2, 352 | 3, 353 | 4, 354 | 8 355 | ] 356 | }, 357 | "tmode": "terms", 358 | "tstat": "total", 359 | "valuefield": "", 360 | "title": "Top Dest Ports" 361 | }, 362 | { 363 | "error": false, 364 | "span": 3, 365 | "editable": true, 366 | "type": "terms", 367 | "loadingEditor": false, 368 | "field": "src_ip.raw", 369 | "exclude": [], 370 | "missing": false, 371 | "other": false, 372 | "size": 10, 
373 | "order": "count", 374 | "style": { 375 | "font-size": "10pt" 376 | }, 377 | "donut": false, 378 | "tilt": false, 379 | "labels": true, 380 | "arrangement": "horizontal", 381 | "chart": "table", 382 | "counter_pos": "above", 383 | "spyable": true, 384 | "queries": { 385 | "mode": "all", 386 | "ids": [ 387 | 0, 388 | 1, 389 | 2, 390 | 3, 391 | 4, 392 | 8 393 | ] 394 | }, 395 | "tmode": "terms", 396 | "tstat": "total", 397 | "valuefield": "", 398 | "title": "Top SRC IP" 399 | }, 400 | { 401 | "error": false, 402 | "span": 3, 403 | "editable": true, 404 | "type": "terms", 405 | "loadingEditor": false, 406 | "field": "src_port", 407 | "exclude": [], 408 | "missing": false, 409 | "other": false, 410 | "size": 10, 411 | "order": "count", 412 | "style": { 413 | "font-size": "10pt" 414 | }, 415 | "donut": false, 416 | "tilt": false, 417 | "labels": true, 418 | "arrangement": "horizontal", 419 | "chart": "table", 420 | "counter_pos": "above", 421 | "spyable": true, 422 | "queries": { 423 | "mode": "all", 424 | "ids": [ 425 | 0, 426 | 1, 427 | 2, 428 | 3, 429 | 4, 430 | 8 431 | ] 432 | }, 433 | "tmode": "terms", 434 | "tstat": "total", 435 | "valuefield": "", 436 | "title": "Top SRC Ports" 437 | } 438 | ], 439 | "notice": false 440 | }, 441 | { 442 | "notice": false, 443 | "collapsable": true, 444 | "collapse": false, 445 | "title": "Events", 446 | "editable": true, 447 | "height": "350px", 448 | "panels": [ 449 | { 450 | "header": true, 451 | "trimFactor": 300, 452 | "spyable": true, 453 | "field_list": true, 454 | "size": 100, 455 | "all_fields": false, 456 | "style": { 457 | "font-size": "9pt" 458 | }, 459 | "span": 12, 460 | "title": "Network File Transaction", 461 | "pages": 5, 462 | "loadingEditor": false, 463 | "type": "table", 464 | "sort": [ 465 | "_score", 466 | "desc" 467 | ], 468 | "queries": { 469 | "mode": "all", 470 | "ids": [ 471 | 0, 472 | 1, 473 | 2, 474 | 3, 475 | 4, 476 | 8 477 | ] 478 | }, 479 | "editable": true, 480 | "offset": 0, 481 | "overflow": 
"min-height", 482 | "normTimes": true, 483 | "localTime": false, 484 | "sortable": true, 485 | "fields": [ 486 | "@timestamp", 487 | "src_ip", 488 | "src_port", 489 | "dest_ip", 490 | "dest_port", 491 | "smtp.to", 492 | "smtp.from", 493 | "smtp.attachment" 494 | ], 495 | "paging": true, 496 | "error": false, 497 | "timeField": "@timestamp", 498 | "highlight": [] 499 | } 500 | ] 501 | } 502 | ], 503 | "title": "SMTP", 504 | "failover": false, 505 | "editable": true, 506 | "refresh": false, 507 | "loader": { 508 | "load_gist": true, 509 | "hide": false, 510 | "save_temp": true, 511 | "load_elasticsearch_size": 20, 512 | "load_local": true, 513 | "save_temp_ttl": "30d", 514 | "load_elasticsearch": true, 515 | "save_local": true, 516 | "save_temp_ttl_enable": true, 517 | "save_elasticsearch": true, 518 | "save_gist": false, 519 | "save_default": true 520 | }, 521 | "pulldowns": [ 522 | { 523 | "notice": false, 524 | "enable": true, 525 | "collapse": true, 526 | "pinned": true, 527 | "query": "*", 528 | "history": [ 529 | "event_type:\"smtp\"", 530 | "smtp.attachment:\"*.pdf\"", 531 | "event_type:smtp", 532 | "fileinfo.magic:\"video\"", 533 | "fileinfo.magic:\"Macromedia Flash\"", 534 | "fileinfo.magic:\"image data\"", 535 | "fileinfo.magic:\"Windows Installer\"", 536 | "fileinfo.magic:\"executable\"", 537 | "fileinfo.magic:\"Microsoft PowerPoint\" OR fileinfo.magic:\"Microsoft Excel\" OR fileinfo.magic:\"Microsoft Word\"", 538 | "fileinfo.magic:\"binary\"" 539 | ], 540 | "type": "query", 541 | "remember": 10 542 | }, 543 | { 544 | "notice": true, 545 | "enable": true, 546 | "type": "filtering", 547 | "collapse": true 548 | } 549 | ], 550 | "nav": [ 551 | { 552 | "status": "Stable", 553 | "notice": false, 554 | "enable": true, 555 | "collapse": false, 556 | "time_options": [ 557 | "5m", 558 | "15m", 559 | "1h", 560 | "6h", 561 | "12h", 562 | "24h", 563 | "2d", 564 | "7d", 565 | "30d" 566 | ], 567 | "refresh_intervals": [ 568 | "5s", 569 | "10s", 570 | "30s", 571 | "1m", 
572 | "5m", 573 | "15m", 574 | "30m", 575 | "1h", 576 | "2h", 577 | "1d" 578 | ], 579 | "filter_id": 0, 580 | "timefield": "@timestamp", 581 | "now": true, 582 | "type": "timepicker" 583 | } 584 | ], 585 | "services": { 586 | "filter": { 587 | "list": { 588 | "0": { 589 | "type": "time", 590 | "field": "@timestamp", 591 | "from": "now-24h", 592 | "to": "now", 593 | "mandate": "must", 594 | "active": true, 595 | "alias": "", 596 | "id": 0 597 | } 598 | }, 599 | "ids": [ 600 | 0 601 | ], 602 | "idQueue": [ 603 | 1 604 | ] 605 | }, 606 | "query": { 607 | "list": { 608 | "0": { 609 | "id": 0, 610 | "type": "lucene", 611 | "query": "smtp.attachment:\"*.pdf\"", 612 | "alias": "PDF-Attachments", 613 | "color": "#AEA2E0", 614 | "pin": true, 615 | "enable": true 616 | }, 617 | "1": { 618 | "id": 1, 619 | "color": "#EAB839", 620 | "alias": "Word-Attachments", 621 | "pin": true, 622 | "type": "lucene", 623 | "enable": true, 624 | "query": "smtp.attachment:\"*.doc\" OR smtp.attachment:\"*.docx\"" 625 | }, 626 | "2": { 627 | "id": 2, 628 | "color": "#99440A", 629 | "alias": "Excel-Attachments", 630 | "pin": true, 631 | "type": "lucene", 632 | "enable": true, 633 | "query": "smtp.attachment:\"*.xls\" OR smtp.attachment:\"*.xlsx\"" 634 | }, 635 | "3": { 636 | "id": 3, 637 | "color": "#7EB26D", 638 | "alias": "PowerPoint-Attachments", 639 | "pin": true, 640 | "type": "lucene", 641 | "enable": true, 642 | "query": "smtp.attachment:\"*.ppt\" OR smtp.attachment:\"*.pptx\"" 643 | }, 644 | "4": { 645 | "id": 4, 646 | "color": "#BF1B00", 647 | "alias": "Executables-Attachments", 648 | "pin": true, 649 | "type": "lucene", 650 | "enable": true, 651 | "query": "smtp.attachment:\"*.exe\" OR smtp.attachment:\"*.com\" OR smtp.attachment:\"*.dll\" OR smtp.attachment:\"*.sh\"" 652 | }, 653 | "8": { 654 | "id": 8, 655 | "type": "lucene", 656 | "query": "event_type:\"smtp\"", 657 | "alias": "SMTP-Total", 658 | "color": "#70DBED", 659 | "pin": true, 660 | "enable": true 661 | } 662 | }, 663 | 
"ids": [ 664 | 0, 665 | 1, 666 | 2, 667 | 3, 668 | 4, 669 | 8 670 | ], 671 | "idQueue": [] 672 | } 673 | }, 674 | "panel_hints": true 675 | } -------------------------------------------------------------------------------- /Templates/SSH: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Graph", 15 | "editable": true, 16 | "height": "220px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 10, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": true, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 3 70 | ] 71 | }, 72 | "editable": true, 73 | "zerofill": true, 74 | "grid": { 75 | "max": null, 76 | "min": 0 77 | }, 78 | "group": [ 79 | "default" 80 | ], 81 | "stack": false, 82 | "legend_counts": true, 83 | "time_field": "@timestamp", 84 | "interval": "10m", 85 | "lines": false, 86 | "y_format": "none", 87 | "points": false, 88 | "mode": "count", 89 | "pointradius": 5, 90 | "resolution": 100, 91 | 
"options": true, 92 | "interactive": true 93 | }, 94 | { 95 | "span": 2, 96 | "title": "Trends", 97 | "editable": true, 98 | "error": false, 99 | "loadingEditor": false, 100 | "panels": [ 101 | { 102 | "ago": "1d", 103 | "style": { 104 | "font-size": "12pt" 105 | }, 106 | "reverse": false, 107 | "title": "1 day trend", 108 | "arrangement": "vertical", 109 | "queries": { 110 | "mode": "all", 111 | "ids": [ 112 | 3 113 | ] 114 | }, 115 | "spyable": true, 116 | "type": "trends" 117 | }, 118 | { 119 | "ago": "4h", 120 | "style": { 121 | "font-size": "12pt" 122 | }, 123 | "loading": false, 124 | "span": 10, 125 | "reverse": false, 126 | "title": "4 hours trend", 127 | "editable": true, 128 | "height": "", 129 | "draggable": false, 130 | "sizeable": false, 131 | "removable": false, 132 | "queries": { 133 | "mode": "all", 134 | "ids": [ 135 | 3 136 | ] 137 | }, 138 | "spyable": true, 139 | "arrangement": "vertical", 140 | "type": "trends" 141 | }, 142 | { 143 | "ago": "1h", 144 | "style": { 145 | "font-size": "12pt" 146 | }, 147 | "loading": false, 148 | "span": 10, 149 | "reverse": false, 150 | "title": "1 hour trend", 151 | "editable": true, 152 | "height": "", 153 | "draggable": false, 154 | "sizeable": false, 155 | "removable": false, 156 | "queries": { 157 | "mode": "all", 158 | "ids": [ 159 | 3 160 | ] 161 | }, 162 | "spyable": true, 163 | "arrangement": "vertical", 164 | "type": "trends" 165 | } 166 | ], 167 | "type": "column" 168 | } 169 | ] 170 | }, 171 | { 172 | "notice": false, 173 | "panels": [ 174 | { 175 | "exclude": [], 176 | "map": "world", 177 | "span": 6, 178 | "title": "World", 179 | "queries": { 180 | "mode": "all", 181 | "ids": [ 182 | 3 183 | ] 184 | }, 185 | "editable": true, 186 | "field": "geoip.country_code2", 187 | "colors": [ 188 | "#A0E2E2", 189 | "#265656" 190 | ], 191 | "index_limit": 0, 192 | "error": false, 193 | "spyable": true, 194 | "loadingEditor": false, 195 | "type": "map", 196 | "size": 100 197 | }, 198 | { 199 | "exclude": [], 200 
| "map": "europe", 201 | "span": 3, 202 | "title": "Europe", 203 | "queries": { 204 | "mode": "all", 205 | "ids": [ 206 | 3 207 | ] 208 | }, 209 | "editable": true, 210 | "field": "geoip.country_code2", 211 | "colors": [ 212 | "#A0E2E2", 213 | "#265656" 214 | ], 215 | "index_limit": 0, 216 | "error": false, 217 | "spyable": true, 218 | "type": "map", 219 | "size": 100 220 | }, 221 | { 222 | "exclude": [], 223 | "map": "usa", 224 | "span": 3, 225 | "title": "USA", 226 | "queries": { 227 | "mode": "all", 228 | "ids": [ 229 | 3 230 | ] 231 | }, 232 | "editable": true, 233 | "field": "geoip.region_name.raw", 234 | "colors": [ 235 | "#A0E2E2", 236 | "#265656" 237 | ], 238 | "index_limit": 0, 239 | "error": false, 240 | "spyable": true, 241 | "loadingEditor": false, 242 | "type": "map", 243 | "size": 100 244 | } 245 | ], 246 | "collapse": false, 247 | "title": "Maps", 248 | "editable": true, 249 | "height": "250px", 250 | "collapsable": true 251 | }, 252 | { 253 | "notice": false, 254 | "panels": [ 255 | { 256 | "labels": true, 257 | "tmode": "terms", 258 | "valuefield": "", 259 | "exclude": [], 260 | "spyable": true, 261 | "size": 10, 262 | "style": { 263 | "font-size": "10pt" 264 | }, 265 | "span": 6, 266 | "title": "SSH Client Version", 267 | "tilt": false, 268 | "arrangement": "horizontal", 269 | "field": "ssh.client.software_version.raw", 270 | "other": false, 271 | "loadingEditor": false, 272 | "type": "terms", 273 | "missing": false, 274 | "queries": { 275 | "mode": "all", 276 | "ids": [ 277 | 3 278 | ] 279 | }, 280 | "editable": true, 281 | "chart": "table", 282 | "counter_pos": "above", 283 | "tstat": "total", 284 | "donut": false, 285 | "error": false, 286 | "order": "count" 287 | }, 288 | { 289 | "labels": true, 290 | "tmode": "terms", 291 | "valuefield": "", 292 | "exclude": [], 293 | "spyable": true, 294 | "size": 10, 295 | "style": { 296 | "font-size": "10pt" 297 | }, 298 | "span": 6, 299 | "title": "SSH Server Version", 300 | "tilt": false, 301 | 
"arrangement": "horizontal", 302 | "field": "ssh.server.software_version", 303 | "other": false, 304 | "type": "terms", 305 | "missing": false, 306 | "queries": { 307 | "mode": "all", 308 | "ids": [ 309 | 3 310 | ] 311 | }, 312 | "editable": true, 313 | "chart": "table", 314 | "counter_pos": "below", 315 | "tstat": "total", 316 | "donut": false, 317 | "error": false, 318 | "order": "count" 319 | } 320 | ], 321 | "collapse": false, 322 | "title": "Software Versions", 323 | "editable": true, 324 | "height": "200px", 325 | "collapsable": true 326 | }, 327 | { 328 | "notice": false, 329 | "collapsable": true, 330 | "collapse": false, 331 | "title": "Graph2", 332 | "editable": true, 333 | "height": "250px", 334 | "panels": [ 335 | { 336 | "labels": true, 337 | "tmode": "terms", 338 | "valuefield": "", 339 | "exclude": [], 340 | "spyable": true, 341 | "size": 10, 342 | "style": { 343 | "font-size": "10pt" 344 | }, 345 | "span": 4, 346 | "title": "SSH Server Protocol", 347 | "tilt": false, 348 | "arrangement": "horizontal", 349 | "field": "ssh.server.proto_version.raw", 350 | "other": false, 351 | "loadingEditor": false, 352 | "type": "terms", 353 | "missing": false, 354 | "queries": { 355 | "mode": "all", 356 | "ids": [ 357 | 3 358 | ] 359 | }, 360 | "editable": true, 361 | "chart": "pie", 362 | "counter_pos": "above", 363 | "tstat": "total", 364 | "donut": false, 365 | "error": false, 366 | "order": "count" 367 | }, 368 | { 369 | "labels": true, 370 | "tmode": "terms", 371 | "valuefield": "", 372 | "exclude": [], 373 | "spyable": true, 374 | "size": 10, 375 | "style": { 376 | "font-size": "10pt" 377 | }, 378 | "span": 4, 379 | "title": "SSH Client Protocol", 380 | "tilt": false, 381 | "arrangement": "horizontal", 382 | "field": "ssh.client.proto_version.raw", 383 | "other": false, 384 | "loadingEditor": false, 385 | "type": "terms", 386 | "missing": false, 387 | "queries": { 388 | "mode": "all", 389 | "ids": [ 390 | 3 391 | ] 392 | }, 393 | "editable": true, 394 | 
"chart": "pie", 395 | "counter_pos": "above", 396 | "tstat": "total", 397 | "donut": false, 398 | "error": false, 399 | "order": "count" 400 | }, 401 | { 402 | "labels": true, 403 | "tmode": "terms", 404 | "valuefield": "", 405 | "exclude": [], 406 | "spyable": true, 407 | "size": 10, 408 | "style": { 409 | "font-size": "10pt" 410 | }, 411 | "span": 4, 412 | "title": "SSH Destination Ports", 413 | "tilt": false, 414 | "arrangement": "horizontal", 415 | "field": "dest_port", 416 | "other": false, 417 | "loadingEditor": false, 418 | "type": "terms", 419 | "missing": false, 420 | "queries": { 421 | "mode": "all", 422 | "ids": [ 423 | 3 424 | ] 425 | }, 426 | "editable": true, 427 | "chart": "table", 428 | "counter_pos": "above", 429 | "tstat": "total", 430 | "donut": false, 431 | "error": false, 432 | "order": "count" 433 | } 434 | ] 435 | }, 436 | { 437 | "notice": false, 438 | "collapsable": true, 439 | "collapse": false, 440 | "title": "Events", 441 | "editable": true, 442 | "height": "350px", 443 | "panels": [ 444 | { 445 | "header": true, 446 | "trimFactor": 300, 447 | "spyable": true, 448 | "field_list": true, 449 | "size": 100, 450 | "all_fields": false, 451 | "style": { 452 | "font-size": "9pt" 453 | }, 454 | "span": 12, 455 | "title": "SSH Transaction Details", 456 | "pages": 5, 457 | "loadingEditor": false, 458 | "type": "table", 459 | "sort": [ 460 | "_score", 461 | "desc" 462 | ], 463 | "queries": { 464 | "mode": "all", 465 | "ids": [ 466 | 3 467 | ] 468 | }, 469 | "editable": true, 470 | "offset": 0, 471 | "overflow": "min-height", 472 | "normTimes": true, 473 | "localTime": false, 474 | "sortable": true, 475 | "fields": [ 476 | "@timestamp", 477 | "src_ip", 478 | "src_port", 479 | "dest_ip", 480 | "dest_port", 481 | "ssh.client.software_version", 482 | "ssh.server.software_version", 483 | "geoip.country_name" 484 | ], 485 | "paging": true, 486 | "error": false, 487 | "timeField": "@timestamp", 488 | "highlight": [] 489 | } 490 | ] 491 | } 492 | ], 493 | 
"title": "SSH", 494 | "failover": false, 495 | "editable": true, 496 | "refresh": false, 497 | "loader": { 498 | "load_gist": true, 499 | "hide": false, 500 | "save_temp": true, 501 | "load_elasticsearch_size": 20, 502 | "load_local": true, 503 | "save_temp_ttl": "30d", 504 | "load_elasticsearch": true, 505 | "save_local": true, 506 | "save_temp_ttl_enable": true, 507 | "save_elasticsearch": true, 508 | "save_gist": false, 509 | "save_default": true 510 | }, 511 | "pulldowns": [ 512 | { 513 | "notice": false, 514 | "enable": true, 515 | "collapse": true, 516 | "pinned": true, 517 | "query": "*", 518 | "history": [ 519 | "event_type:\"ssh\"", 520 | "event_type:\"tls\"", 521 | "tls*", 522 | "tls.*", 523 | "http*", 524 | "http", 525 | "" 526 | ], 527 | "type": "query", 528 | "remember": 10 529 | }, 530 | { 531 | "notice": true, 532 | "enable": true, 533 | "type": "filtering", 534 | "collapse": true 535 | } 536 | ], 537 | "nav": [ 538 | { 539 | "status": "Stable", 540 | "notice": false, 541 | "enable": true, 542 | "collapse": false, 543 | "time_options": [ 544 | "5m", 545 | "15m", 546 | "1h", 547 | "6h", 548 | "12h", 549 | "24h", 550 | "2d", 551 | "7d", 552 | "30d" 553 | ], 554 | "refresh_intervals": [ 555 | "5s", 556 | "10s", 557 | "30s", 558 | "1m", 559 | "5m", 560 | "15m", 561 | "30m", 562 | "1h", 563 | "2h", 564 | "1d" 565 | ], 566 | "filter_id": 0, 567 | "timefield": "@timestamp", 568 | "now": true, 569 | "type": "timepicker" 570 | } 571 | ], 572 | "services": { 573 | "filter": { 574 | "list": { 575 | "0": { 576 | "from": "now-24h", 577 | "to": "now", 578 | "field": "@timestamp", 579 | "alias": "", 580 | "mandate": "must", 581 | "active": true, 582 | "type": "time", 583 | "id": 0 584 | } 585 | }, 586 | "ids": [ 587 | 0 588 | ], 589 | "idQueue": [ 590 | 1 591 | ] 592 | }, 593 | "query": { 594 | "list": { 595 | "3": { 596 | "enable": true, 597 | "pin": true, 598 | "color": "#BF1B00", 599 | "alias": "SSH Connections", 600 | "query": "event_type:\"ssh\"", 601 | 
"type": "lucene", 602 | "id": 3 603 | } 604 | }, 605 | "ids": [ 606 | 3 607 | ], 608 | "idQueue": [] 609 | } 610 | }, 611 | "panel_hints": true 612 | } -------------------------------------------------------------------------------- /Templates/TLS: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "collapsable": true, 13 | "collapse": false, 14 | "title": "Graph", 15 | "editable": true, 16 | "height": "220px", 17 | "panels": [ 18 | { 19 | "show_query": true, 20 | "bars": true, 21 | "y-axis": true, 22 | "zoomlinks": true, 23 | "annotate": { 24 | "sort": [ 25 | "_score", 26 | "desc" 27 | ], 28 | "query": "*", 29 | "enable": false, 30 | "size": 20, 31 | "field": "_type" 32 | }, 33 | "intervals": [ 34 | "auto", 35 | "1s", 36 | "1m", 37 | "5m", 38 | "10m", 39 | "30m", 40 | "1h", 41 | "3h", 42 | "12h", 43 | "1d", 44 | "1w", 45 | "1M", 46 | "1y" 47 | ], 48 | "spyable": true, 49 | "timezone": "browser", 50 | "linewidth": 3, 51 | "fill": 3, 52 | "scale": 1, 53 | "span": 10, 54 | "title": "Events over time", 55 | "tooltip": { 56 | "value_type": "individual", 57 | "query_as_alias": true 58 | }, 59 | "legend": true, 60 | "derivative": false, 61 | "percentage": true, 62 | "auto_int": true, 63 | "type": "histogram", 64 | "value_field": null, 65 | "x-axis": true, 66 | "queries": { 67 | "mode": "all", 68 | "ids": [ 69 | 3 70 | ] 71 | }, 72 | "editable": true, 73 | "zerofill": true, 74 | "grid": { 75 | "max": null, 76 | "min": 0 77 | }, 78 | "group": [ 79 | "default" 80 | ], 81 | "stack": false, 82 | "legend_counts": true, 83 | "time_field": "@timestamp", 84 | "interval": "10m", 85 | "lines": false, 86 | "y_format": "none", 87 | "points": false, 88 | "mode": "count", 89 | "pointradius": 5, 90 | "resolution": 
100, 91 | "options": true, 92 | "interactive": true 93 | }, 94 | { 95 | "span": 2, 96 | "title": "Trends", 97 | "editable": true, 98 | "error": false, 99 | "loadingEditor": false, 100 | "panels": [ 101 | { 102 | "ago": "1d", 103 | "style": { 104 | "font-size": "12pt" 105 | }, 106 | "loading": false, 107 | "span": 10, 108 | "reverse": false, 109 | "title": "1 day trend", 110 | "editable": true, 111 | "height": "", 112 | "draggable": false, 113 | "sizeable": false, 114 | "removable": false, 115 | "queries": { 116 | "mode": "all", 117 | "ids": [ 118 | 3 119 | ] 120 | }, 121 | "spyable": true, 122 | "arrangement": "vertical", 123 | "type": "trends" 124 | }, 125 | { 126 | "ago": "4h", 127 | "style": { 128 | "font-size": "12pt" 129 | }, 130 | "loading": false, 131 | "span": 10, 132 | "reverse": false, 133 | "title": "4 hours trend", 134 | "editable": true, 135 | "height": "", 136 | "draggable": false, 137 | "sizeable": false, 138 | "removable": false, 139 | "queries": { 140 | "mode": "all", 141 | "ids": [ 142 | 3 143 | ] 144 | }, 145 | "spyable": true, 146 | "arrangement": "vertical", 147 | "type": "trends" 148 | }, 149 | { 150 | "ago": "1h", 151 | "style": { 152 | "font-size": "12pt" 153 | }, 154 | "loading": false, 155 | "span": 10, 156 | "reverse": false, 157 | "title": "1 hour trend", 158 | "editable": true, 159 | "height": "", 160 | "draggable": false, 161 | "sizeable": false, 162 | "removable": false, 163 | "queries": { 164 | "mode": "all", 165 | "ids": [ 166 | 3 167 | ] 168 | }, 169 | "spyable": true, 170 | "arrangement": "vertical", 171 | "type": "trends" 172 | } 173 | ], 174 | "type": "column" 175 | } 176 | ] 177 | }, 178 | { 179 | "notice": false, 180 | "panels": [ 181 | { 182 | "exclude": [], 183 | "map": "world", 184 | "span": 6, 185 | "title": "World", 186 | "queries": { 187 | "mode": "all", 188 | "ids": [ 189 | 3 190 | ] 191 | }, 192 | "editable": true, 193 | "field": "geoip.country_code2", 194 | "colors": [ 195 | "#A0E2E2", 196 | "#265656" 197 | ], 198 | 
"index_limit": 0, 199 | "error": false, 200 | "spyable": true, 201 | "loadingEditor": false, 202 | "type": "map", 203 | "size": 100 204 | }, 205 | { 206 | "exclude": [], 207 | "map": "europe", 208 | "span": 3, 209 | "title": "Europe", 210 | "queries": { 211 | "mode": "all", 212 | "ids": [ 213 | 3 214 | ] 215 | }, 216 | "editable": true, 217 | "field": "geoip.country_code2", 218 | "colors": [ 219 | "#A0E2E2", 220 | "#265656" 221 | ], 222 | "index_limit": 0, 223 | "error": false, 224 | "spyable": true, 225 | "type": "map", 226 | "size": 100 227 | }, 228 | { 229 | "exclude": [], 230 | "map": "usa", 231 | "span": 3, 232 | "title": "USA", 233 | "queries": { 234 | "mode": "all", 235 | "ids": [ 236 | 3 237 | ] 238 | }, 239 | "editable": true, 240 | "field": "geoip.region_name.raw", 241 | "colors": [ 242 | "#A0E2E2", 243 | "#265656" 244 | ], 245 | "index_limit": 0, 246 | "error": false, 247 | "spyable": true, 248 | "loadingEditor": false, 249 | "type": "map", 250 | "size": 100 251 | } 252 | ], 253 | "collapse": false, 254 | "title": "Maps", 255 | "editable": true, 256 | "height": "250px", 257 | "collapsable": true 258 | }, 259 | { 260 | "notice": false, 261 | "collapsable": true, 262 | "collapse": false, 263 | "title": "Graph2", 264 | "editable": true, 265 | "height": "250px", 266 | "panels": [ 267 | { 268 | "labels": true, 269 | "tmode": "terms", 270 | "valuefield": "", 271 | "exclude": [], 272 | "spyable": true, 273 | "size": 10, 274 | "style": { 275 | "font-size": "10pt" 276 | }, 277 | "span": 4, 278 | "title": "TLS Subject", 279 | "tilt": false, 280 | "arrangement": "horizontal", 281 | "field": "tls.subject.raw", 282 | "other": false, 283 | "loadingEditor": false, 284 | "type": "terms", 285 | "missing": false, 286 | "queries": { 287 | "mode": "all", 288 | "ids": [ 289 | 3 290 | ] 291 | }, 292 | "editable": true, 293 | "chart": "table", 294 | "counter_pos": "above", 295 | "tstat": "total", 296 | "donut": false, 297 | "error": false, 298 | "order": "count" 299 | }, 300 | 
{ 301 | "labels": true, 302 | "tmode": "terms", 303 | "valuefield": "", 304 | "exclude": [], 305 | "spyable": true, 306 | "size": 10, 307 | "style": { 308 | "font-size": "10pt" 309 | }, 310 | "span": 4, 311 | "title": "TLS Issuerdn", 312 | "tilt": false, 313 | "arrangement": "horizontal", 314 | "field": "tls.issuerdn.raw", 315 | "other": false, 316 | "type": "terms", 317 | "missing": false, 318 | "queries": { 319 | "mode": "all", 320 | "ids": [ 321 | 3 322 | ] 323 | }, 324 | "editable": true, 325 | "chart": "table", 326 | "counter_pos": "below", 327 | "tstat": "total", 328 | "donut": false, 329 | "error": false, 330 | "order": "count" 331 | }, 332 | { 333 | "labels": true, 334 | "tmode": "terms", 335 | "valuefield": "", 336 | "exclude": [], 337 | "spyable": true, 338 | "size": 10, 339 | "style": { 340 | "font-size": "10pt" 341 | }, 342 | "span": 4, 343 | "title": "TLS Version", 344 | "tilt": false, 345 | "arrangement": "horizontal", 346 | "field": "tls.version.raw", 347 | "other": false, 348 | "loadingEditor": false, 349 | "type": "terms", 350 | "missing": false, 351 | "queries": { 352 | "mode": "all", 353 | "ids": [ 354 | 3 355 | ] 356 | }, 357 | "editable": true, 358 | "chart": "pie", 359 | "counter_pos": "above", 360 | "tstat": "total", 361 | "donut": false, 362 | "error": false, 363 | "order": "count" 364 | } 365 | ] 366 | }, 367 | { 368 | "notice": false, 369 | "panels": [ 370 | { 371 | "labels": true, 372 | "tmode": "terms", 373 | "valuefield": "", 374 | "exclude": [], 375 | "spyable": true, 376 | "size": 10, 377 | "style": { 378 | "font-size": "10pt" 379 | }, 380 | "span": 8, 381 | "title": "TLS Fingerprint", 382 | "tilt": false, 383 | "arrangement": "horizontal", 384 | "field": "tls.fingerprint.raw", 385 | "other": false, 386 | "loadingEditor": false, 387 | "type": "terms", 388 | "missing": false, 389 | "queries": { 390 | "mode": "all", 391 | "ids": [ 392 | 3 393 | ] 394 | }, 395 | "editable": true, 396 | "chart": "bar", 397 | "counter_pos": "above", 398 | 
"tstat": "total", 399 | "donut": false, 400 | "error": false, 401 | "order": "count" 402 | }, 403 | { 404 | "labels": true, 405 | "tmode": "terms", 406 | "valuefield": "", 407 | "exclude": [], 408 | "spyable": true, 409 | "size": 10, 410 | "style": { 411 | "font-size": "10pt" 412 | }, 413 | "span": 4, 414 | "title": "TLS TCP ports", 415 | "tilt": false, 416 | "arrangement": "horizontal", 417 | "field": "dest_port", 418 | "other": false, 419 | "loadingEditor": false, 420 | "type": "terms", 421 | "missing": false, 422 | "error": false, 423 | "editable": true, 424 | "chart": "pie", 425 | "counter_pos": "above", 426 | "tstat": "total", 427 | "donut": false, 428 | "queries": { 429 | "mode": "all", 430 | "ids": [ 431 | 3 432 | ] 433 | }, 434 | "order": "count" 435 | } 436 | ], 437 | "collapse": false, 438 | "title": "Details", 439 | "editable": true, 440 | "height": "250px", 441 | "collapsable": true 442 | }, 443 | { 444 | "notice": false, 445 | "collapsable": true, 446 | "collapse": false, 447 | "title": "GeoIP Coordinates", 448 | "editable": true, 449 | "height": "550px", 450 | "panels": [ 451 | { 452 | "span": 12, 453 | "title": "GeoIP Localization", 454 | "error": false, 455 | "editable": true, 456 | "tooltip": "_id", 457 | "field": "geoip.coordinates", 458 | "queries": { 459 | "mode": "all", 460 | "ids": [ 461 | 3 462 | ] 463 | }, 464 | "spyable": true, 465 | "loadingEditor": false, 466 | "type": "bettermap", 467 | "size": 100000 468 | } 469 | ] 470 | }, 471 | { 472 | "notice": false, 473 | "collapsable": true, 474 | "collapse": false, 475 | "title": "Events", 476 | "editable": true, 477 | "height": "350px", 478 | "panels": [ 479 | { 480 | "header": true, 481 | "trimFactor": 300, 482 | "spyable": true, 483 | "field_list": true, 484 | "size": 100, 485 | "all_fields": false, 486 | "style": { 487 | "font-size": "9pt" 488 | }, 489 | "span": 12, 490 | "title": "TLS Transaction Details", 491 | "pages": 5, 492 | "loadingEditor": false, 493 | "type": "table", 494 | "sort": 
[ 495 | "_score", 496 | "desc" 497 | ], 498 | "queries": { 499 | "mode": "all", 500 | "ids": [ 501 | 3 502 | ] 503 | }, 504 | "editable": true, 505 | "offset": 0, 506 | "overflow": "min-height", 507 | "normTimes": true, 508 | "localTime": false, 509 | "sortable": true, 510 | "fields": [ 511 | "@timestamp", 512 | "src_ip", 513 | "src_port", 514 | "dest_ip", 515 | "dest_port", 516 | "tls.version", 517 | "tls.subject" 518 | ], 519 | "paging": true, 520 | "error": false, 521 | "timeField": "@timestamp", 522 | "highlight": [] 523 | } 524 | ] 525 | } 526 | ], 527 | "title": "TLS", 528 | "failover": false, 529 | "editable": true, 530 | "refresh": false, 531 | "loader": { 532 | "load_gist": true, 533 | "hide": false, 534 | "save_temp": true, 535 | "load_elasticsearch_size": 20, 536 | "load_local": true, 537 | "save_temp_ttl": "30d", 538 | "load_elasticsearch": true, 539 | "save_local": true, 540 | "save_temp_ttl_enable": true, 541 | "save_elasticsearch": true, 542 | "save_gist": false, 543 | "save_default": true 544 | }, 545 | "pulldowns": [ 546 | { 547 | "notice": false, 548 | "enable": true, 549 | "collapse": true, 550 | "pinned": true, 551 | "query": "*", 552 | "history": [ 553 | "event_type:\"tls\"", 554 | "tls*", 555 | "tls.*", 556 | "http*", 557 | "http", 558 | "" 559 | ], 560 | "type": "query", 561 | "remember": 10 562 | }, 563 | { 564 | "notice": true, 565 | "enable": true, 566 | "type": "filtering", 567 | "collapse": true 568 | } 569 | ], 570 | "nav": [ 571 | { 572 | "status": "Stable", 573 | "notice": false, 574 | "enable": true, 575 | "collapse": false, 576 | "time_options": [ 577 | "5m", 578 | "15m", 579 | "1h", 580 | "6h", 581 | "12h", 582 | "24h", 583 | "2d", 584 | "7d", 585 | "30d" 586 | ], 587 | "refresh_intervals": [ 588 | "5s", 589 | "10s", 590 | "30s", 591 | "1m", 592 | "5m", 593 | "15m", 594 | "30m", 595 | "1h", 596 | "2h", 597 | "1d" 598 | ], 599 | "filter_id": 0, 600 | "timefield": "@timestamp", 601 | "now": true, 602 | "type": "timepicker" 603 | } 
604 | ], 605 | "services": { 606 | "filter": { 607 | "list": { 608 | "0": { 609 | "from": "now-24h", 610 | "to": "now", 611 | "field": "@timestamp", 612 | "alias": "", 613 | "mandate": "must", 614 | "active": true, 615 | "type": "time", 616 | "id": 0 617 | } 618 | }, 619 | "ids": [ 620 | 0 621 | ], 622 | "idQueue": [ 623 | 1 624 | ] 625 | }, 626 | "query": { 627 | "list": { 628 | "3": { 629 | "enable": true, 630 | "pin": true, 631 | "color": "#7EB26D", 632 | "alias": "TLS/SSL transactions", 633 | "query": "event_type:\"tls\"", 634 | "type": "lucene", 635 | "id": 3 636 | } 637 | }, 638 | "ids": [ 639 | 3 640 | ], 641 | "idQueue": [] 642 | } 643 | }, 644 | "panel_hints": true 645 | } -------------------------------------------------------------------------------- /Templates/VLAN: -------------------------------------------------------------------------------- 1 | { 2 | "index": { 3 | "default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED", 4 | "pattern": "[logstash-]YYYY.MM.DD", 5 | "warm_fields": true, 6 | "interval": "day" 7 | }, 8 | "style": "light", 9 | "rows": [ 10 | { 11 | "notice": false, 12 | "panels": [ 13 | { 14 | "span": 12, 15 | "editable": true, 16 | "type": "histogram", 17 | "loadingEditor": false, 18 | "mode": "count", 19 | "time_field": "@timestamp", 20 | "value_field": null, 21 | "x-axis": true, 22 | "y-axis": true, 23 | "scale": 1, 24 | "y_format": "none", 25 | "grid": { 26 | "max": null, 27 | "min": 0 28 | }, 29 | "queries": { 30 | "mode": "selected", 31 | "ids": [ 32 | 0 33 | ] 34 | }, 35 | "annotate": { 36 | "enable": false, 37 | "query": "*", 38 | "size": 20, 39 | "field": "_type", 40 | "sort": [ 41 | "_score", 42 | "desc" 43 | ] 44 | }, 45 | "auto_int": true, 46 | "resolution": 100, 47 | "interval": "30m", 48 | "intervals": [ 49 | "auto", 50 | "1s", 51 | "1m", 52 | "5m", 53 | "10m", 54 | "30m", 55 | "1h", 56 | "3h", 57 | "12h", 58 | "1d", 59 | "1w", 60 | "1y" 61 | ], 62 | "lines": true, 63 | "fill": 0, 64 | "linewidth": 1, 65 | "points": true, 
66 | "pointradius": 3, 67 | "bars": false, 68 | "stack": false, 69 | "spyable": true, 70 | "zoomlinks": true, 71 | "options": true, 72 | "legend": true, 73 | "show_query": true, 74 | "interactive": true, 75 | "legend_counts": true, 76 | "timezone": "browser", 77 | "percentage": false, 78 | "zerofill": true, 79 | "derivative": false, 80 | "tooltip": { 81 | "value_type": "cumulative", 82 | "query_as_alias": true 83 | }, 84 | "title": "PER VLAN-ALERTS" 85 | }, 86 | { 87 | "show_query": true, 88 | "bars": true, 89 | "interval": "30m", 90 | "zoomlinks": true, 91 | "annotate": { 92 | "sort": [ 93 | "_score", 94 | "desc" 95 | ], 96 | "query": "*", 97 | "enable": false, 98 | "field": "_type", 99 | "size": 20 100 | }, 101 | "intervals": [ 102 | "auto", 103 | "1s", 104 | "1m", 105 | "5m", 106 | "10m", 107 | "30m", 108 | "1h", 109 | "3h", 110 | "12h", 111 | "1d", 112 | "1w", 113 | "1M", 114 | "1y" 115 | ], 116 | "spyable": true, 117 | "timezone": "browser", 118 | "linewidth": 3, 119 | "fill": 3, 120 | "scale": 1, 121 | "span": 12, 122 | "title": "PER VLAN-HTTP", 123 | "tooltip": { 124 | "query_as_alias": true, 125 | "value_type": "individual" 126 | }, 127 | "stack": false, 128 | "derivative": false, 129 | "percentage": true, 130 | "auto_int": true, 131 | "type": "histogram", 132 | "value_field": null, 133 | "x-axis": true, 134 | "pointradius": 5, 135 | "editable": true, 136 | "zerofill": true, 137 | "grid": { 138 | "max": null, 139 | "min": 0 140 | }, 141 | "group": [ 142 | "default" 143 | ], 144 | "legend": true, 145 | "legend_counts": true, 146 | "time_field": "@timestamp", 147 | "y-axis": true, 148 | "lines": false, 149 | "y_format": "none", 150 | "points": false, 151 | "mode": "count", 152 | "queries": { 153 | "mode": "selected", 154 | "ids": [ 155 | 3 156 | ] 157 | }, 158 | "resolution": 100, 159 | "options": true, 160 | "interactive": true 161 | }, 162 | { 163 | "span": 12, 164 | "editable": true, 165 | "type": "histogram", 166 | "loadingEditor": false, 167 | "mode": 
"count", 168 | "time_field": "@timestamp", 169 | "value_field": null, 170 | "x-axis": true, 171 | "y-axis": true, 172 | "scale": 1, 173 | "y_format": "none", 174 | "grid": { 175 | "max": null, 176 | "min": 0 177 | }, 178 | "queries": { 179 | "mode": "selected", 180 | "ids": [ 181 | 4 182 | ] 183 | }, 184 | "annotate": { 185 | "enable": false, 186 | "query": "*", 187 | "size": 20, 188 | "field": "_type", 189 | "sort": [ 190 | "_score", 191 | "desc" 192 | ] 193 | }, 194 | "auto_int": true, 195 | "resolution": 100, 196 | "interval": "30m", 197 | "intervals": [ 198 | "auto", 199 | "1s", 200 | "1m", 201 | "5m", 202 | "10m", 203 | "30m", 204 | "1h", 205 | "3h", 206 | "12h", 207 | "1d", 208 | "1w", 209 | "1y" 210 | ], 211 | "lines": true, 212 | "fill": 0, 213 | "linewidth": 1, 214 | "points": false, 215 | "pointradius": 5, 216 | "bars": false, 217 | "stack": false, 218 | "spyable": true, 219 | "zoomlinks": true, 220 | "options": true, 221 | "legend": true, 222 | "show_query": true, 223 | "interactive": true, 224 | "legend_counts": true, 225 | "timezone": "browser", 226 | "percentage": false, 227 | "zerofill": true, 228 | "derivative": false, 229 | "tooltip": { 230 | "value_type": "cumulative", 231 | "query_as_alias": true 232 | }, 233 | "title": "PER VLAN-DNS" 234 | }, 235 | { 236 | "span": 12, 237 | "editable": true, 238 | "type": "histogram", 239 | "loadingEditor": false, 240 | "mode": "count", 241 | "time_field": "@timestamp", 242 | "value_field": null, 243 | "x-axis": true, 244 | "y-axis": true, 245 | "scale": 1, 246 | "y_format": "none", 247 | "grid": { 248 | "max": null, 249 | "min": 0 250 | }, 251 | "queries": { 252 | "mode": "selected", 253 | "ids": [ 254 | 2 255 | ] 256 | }, 257 | "annotate": { 258 | "enable": false, 259 | "query": "*", 260 | "size": 20, 261 | "field": "_type", 262 | "sort": [ 263 | "_score", 264 | "desc" 265 | ] 266 | }, 267 | "auto_int": true, 268 | "resolution": 100, 269 | "interval": "30m", 270 | "intervals": [ 271 | "auto", 272 | "1s", 273 | 
"1m", 274 | "5m", 275 | "10m", 276 | "30m", 277 | "1h", 278 | "3h", 279 | "12h", 280 | "1d", 281 | "1w", 282 | "1y" 283 | ], 284 | "lines": true, 285 | "fill": 0, 286 | "linewidth": 1, 287 | "points": true, 288 | "pointradius": 3, 289 | "bars": false, 290 | "stack": true, 291 | "spyable": true, 292 | "zoomlinks": true, 293 | "options": true, 294 | "legend": true, 295 | "show_query": true, 296 | "interactive": true, 297 | "legend_counts": true, 298 | "timezone": "browser", 299 | "percentage": false, 300 | "zerofill": true, 301 | "derivative": false, 302 | "tooltip": { 303 | "value_type": "cumulative", 304 | "query_as_alias": true 305 | }, 306 | "title": "PER VLAN-TLS" 307 | }, 308 | { 309 | "span": 12, 310 | "editable": true, 311 | "type": "histogram", 312 | "loadingEditor": false, 313 | "mode": "count", 314 | "time_field": "@timestamp", 315 | "value_field": null, 316 | "x-axis": true, 317 | "y-axis": true, 318 | "scale": 1, 319 | "y_format": "none", 320 | "grid": { 321 | "max": null, 322 | "min": 0 323 | }, 324 | "queries": { 325 | "mode": "selected", 326 | "ids": [ 327 | 1 328 | ] 329 | }, 330 | "annotate": { 331 | "enable": false, 332 | "query": "*", 333 | "size": 20, 334 | "field": "_type", 335 | "sort": [ 336 | "_score", 337 | "desc" 338 | ] 339 | }, 340 | "auto_int": true, 341 | "resolution": 100, 342 | "interval": "30m", 343 | "intervals": [ 344 | "auto", 345 | "1s", 346 | "1m", 347 | "5m", 348 | "10m", 349 | "30m", 350 | "1h", 351 | "3h", 352 | "12h", 353 | "1d", 354 | "1w", 355 | "1y" 356 | ], 357 | "lines": false, 358 | "fill": 0, 359 | "linewidth": 3, 360 | "points": false, 361 | "pointradius": 5, 362 | "bars": true, 363 | "stack": false, 364 | "spyable": true, 365 | "zoomlinks": true, 366 | "options": true, 367 | "legend": true, 368 | "show_query": true, 369 | "interactive": true, 370 | "legend_counts": true, 371 | "timezone": "browser", 372 | "percentage": false, 373 | "zerofill": true, 374 | "derivative": false, 375 | "tooltip": { 376 | "value_type": 
"cumulative", 377 | "query_as_alias": true 378 | }, 379 | "title": "PER VLAN -FileTrans" 380 | }, 381 | { 382 | "span": 12, 383 | "editable": true, 384 | "type": "histogram", 385 | "loadingEditor": false, 386 | "mode": "count", 387 | "time_field": "@timestamp", 388 | "value_field": null, 389 | "x-axis": true, 390 | "y-axis": true, 391 | "scale": 1, 392 | "y_format": "none", 393 | "grid": { 394 | "max": null, 395 | "min": 0 396 | }, 397 | "queries": { 398 | "mode": "selected", 399 | "ids": [ 400 | 5 401 | ] 402 | }, 403 | "annotate": { 404 | "enable": false, 405 | "query": "*", 406 | "size": 20, 407 | "field": "_type", 408 | "sort": [ 409 | "_score", 410 | "desc" 411 | ] 412 | }, 413 | "auto_int": true, 414 | "resolution": 100, 415 | "interval": "30m", 416 | "intervals": [ 417 | "auto", 418 | "1s", 419 | "1m", 420 | "5m", 421 | "10m", 422 | "30m", 423 | "1h", 424 | "3h", 425 | "12h", 426 | "1d", 427 | "1w", 428 | "1y" 429 | ], 430 | "lines": true, 431 | "fill": 0, 432 | "linewidth": 1, 433 | "points": false, 434 | "pointradius": 5, 435 | "bars": true, 436 | "stack": false, 437 | "spyable": true, 438 | "zoomlinks": true, 439 | "options": true, 440 | "legend": true, 441 | "show_query": true, 442 | "interactive": true, 443 | "legend_counts": true, 444 | "timezone": "browser", 445 | "percentage": false, 446 | "zerofill": true, 447 | "derivative": false, 448 | "tooltip": { 449 | "value_type": "cumulative", 450 | "query_as_alias": true 451 | }, 452 | "title": "PER VLAN-SSH" 453 | }, 454 | { 455 | "span": 12, 456 | "editable": true, 457 | "type": "histogram", 458 | "loadingEditor": false, 459 | "mode": "count", 460 | "time_field": "@timestamp", 461 | "value_field": null, 462 | "x-axis": true, 463 | "y-axis": true, 464 | "scale": 1, 465 | "y_format": "none", 466 | "grid": { 467 | "max": null, 468 | "min": 0 469 | }, 470 | "queries": { 471 | "mode": "selected", 472 | "ids": [ 473 | 6 474 | ] 475 | }, 476 | "annotate": { 477 | "enable": false, 478 | "query": "*", 479 | 
"size": 20, 480 | "field": "_type", 481 | "sort": [ 482 | "_score", 483 | "desc" 484 | ] 485 | }, 486 | "auto_int": true, 487 | "resolution": 100, 488 | "interval": "30m", 489 | "intervals": [ 490 | "auto", 491 | "1s", 492 | "1m", 493 | "5m", 494 | "10m", 495 | "30m", 496 | "1h", 497 | "3h", 498 | "12h", 499 | "1d", 500 | "1w", 501 | "1y" 502 | ], 503 | "lines": true, 504 | "fill": 0, 505 | "linewidth": 1, 506 | "points": false, 507 | "pointradius": 5, 508 | "bars": false, 509 | "stack": false, 510 | "spyable": true, 511 | "zoomlinks": true, 512 | "options": true, 513 | "legend": true, 514 | "show_query": true, 515 | "interactive": true, 516 | "legend_counts": true, 517 | "timezone": "browser", 518 | "percentage": false, 519 | "zerofill": true, 520 | "derivative": false, 521 | "tooltip": { 522 | "value_type": "cumulative", 523 | "query_as_alias": true 524 | }, 525 | "title": "PER VLAN-SMTP" 526 | } 527 | ], 528 | "collapse": false, 529 | "title": "Graph", 530 | "editable": true, 531 | "height": "220px", 532 | "collapsable": true 533 | }, 534 | { 535 | "notice": false, 536 | "panels": [ 537 | { 538 | "header": true, 539 | "trimFactor": 300, 540 | "spyable": true, 541 | "field_list": true, 542 | "size": 100, 543 | "all_fields": false, 544 | "style": { 545 | "font-size": "9pt" 546 | }, 547 | "span": 12, 548 | "title": "HTTP Transaction Details", 549 | "pages": 5, 550 | "loadingEditor": false, 551 | "type": "table", 552 | "sort": [ 553 | "@timestamp", 554 | "desc" 555 | ], 556 | "error": false, 557 | "editable": true, 558 | "offset": 0, 559 | "overflow": "min-height", 560 | "normTimes": true, 561 | "localTime": false, 562 | "sortable": true, 563 | "fields": [ 564 | "@timestamp", 565 | "src_ip", 566 | "src_port", 567 | "dest_ip", 568 | "dest_port", 569 | "vlan", 570 | "event_type" 571 | ], 572 | "paging": true, 573 | "queries": { 574 | "mode": "all", 575 | "ids": [ 576 | 0, 577 | 1, 578 | 2, 579 | 3, 580 | 4, 581 | 5, 582 | 6 583 | ] 584 | }, 585 | "timeField": 
"@timestamp", 586 | "highlight": [] 587 | } 588 | ], 589 | "collapse": false, 590 | "title": "Events", 591 | "editable": true, 592 | "height": "350px", 593 | "collapsable": true 594 | } 595 | ], 596 | "title": "VLAN", 597 | "failover": false, 598 | "editable": true, 599 | "refresh": false, 600 | "loader": { 601 | "load_gist": true, 602 | "hide": false, 603 | "save_temp": true, 604 | "load_elasticsearch_size": 20, 605 | "load_local": true, 606 | "save_temp_ttl": "30d", 607 | "load_elasticsearch": true, 608 | "save_local": true, 609 | "save_elasticsearch": true, 610 | "save_temp_ttl_enable": true, 611 | "save_gist": false, 612 | "save_default": true 613 | }, 614 | "pulldowns": [ 615 | { 616 | "notice": false, 617 | "enable": true, 618 | "collapse": true, 619 | "remember": 10, 620 | "pinned": true, 621 | "query": "*", 622 | "type": "query", 623 | "history": [ 624 | "+event_type:\"smtp\" +_exists_:vlan", 625 | "+event_type:\"ssh\" +_exists_:vlan", 626 | "+event_type:\"dns\" +_exists_:vlan", 627 | "+event_type:\"http\" +_exists_:vlan", 628 | "+event_type:\"tls\" +_exists_:vlan", 629 | "+event_type:\"fileinfo\" +_exists_:vlan", 630 | "+event_type:\"alert\" +_exists_:vlan", 631 | "+_exists_:vlan +event_type:*", 632 | "+_exists_:vlan", 633 | "event_type:\"smtp\" and vlan:*" 634 | ] 635 | }, 636 | { 637 | "notice": true, 638 | "enable": true, 639 | "type": "filtering", 640 | "collapse": true 641 | } 642 | ], 643 | "nav": [ 644 | { 645 | "status": "Stable", 646 | "notice": false, 647 | "enable": true, 648 | "collapse": false, 649 | "time_options": [ 650 | "5m", 651 | "15m", 652 | "1h", 653 | "6h", 654 | "12h", 655 | "24h", 656 | "2d", 657 | "7d", 658 | "30d" 659 | ], 660 | "refresh_intervals": [ 661 | "5s", 662 | "10s", 663 | "30s", 664 | "1m", 665 | "5m", 666 | "15m", 667 | "30m", 668 | "1h", 669 | "2h", 670 | "1d" 671 | ], 672 | "filter_id": 0, 673 | "timefield": "@timestamp", 674 | "now": true, 675 | "type": "timepicker" 676 | } 677 | ], 678 | "services": { 679 | 
"filter": { 680 | "list": { 681 | "0": { 682 | "type": "time", 683 | "field": "@timestamp", 684 | "from": "now-2d", 685 | "to": "now", 686 | "mandate": "must", 687 | "active": true, 688 | "alias": "", 689 | "id": 0 690 | } 691 | }, 692 | "ids": [ 693 | 0 694 | ], 695 | "idQueue": [ 696 | 1 697 | ] 698 | }, 699 | "query": { 700 | "list": { 701 | "0": { 702 | "id": 0, 703 | "type": "topN", 704 | "query": "+event_type:\"alert\" +_exists_:vlan", 705 | "alias": "VLAN-ALERTS", 706 | "color": "#E24D42", 707 | "pin": true, 708 | "enable": true, 709 | "field": "vlan", 710 | "size": 10, 711 | "union": "AND" 712 | }, 713 | "1": { 714 | "id": 1, 715 | "type": "topN", 716 | "query": "+event_type:\"fileinfo\" +_exists_:vlan", 717 | "alias": "VLAN-FileTrans", 718 | "color": "#6ED0E0", 719 | "pin": true, 720 | "enable": true, 721 | "field": "vlan", 722 | "size": 10, 723 | "union": "AND" 724 | }, 725 | "2": { 726 | "id": 2, 727 | "type": "topN", 728 | "query": "+event_type:\"tls\" +_exists_:vlan", 729 | "alias": "VLAN-TLS", 730 | "color": "#F29191", 731 | "pin": true, 732 | "enable": true, 733 | "field": "vlan", 734 | "size": 10, 735 | "union": "AND" 736 | }, 737 | "3": { 738 | "id": 3, 739 | "type": "topN", 740 | "query": "+event_type:\"http\" +_exists_:vlan", 741 | "alias": "VLAN-HTTP", 742 | "color": "#7EB26D", 743 | "pin": true, 744 | "enable": true, 745 | "field": "vlan", 746 | "size": 10, 747 | "union": "AND" 748 | }, 749 | "4": { 750 | "id": 4, 751 | "type": "topN", 752 | "query": "+event_type:\"dns\" +_exists_:vlan", 753 | "alias": "VLAN-DNS", 754 | "color": "#2F575E", 755 | "pin": true, 756 | "enable": true, 757 | "field": "vlan", 758 | "size": 10, 759 | "union": "AND" 760 | }, 761 | "5": { 762 | "id": 5, 763 | "type": "topN", 764 | "query": "+event_type:\"ssh\" +_exists_:vlan", 765 | "alias": "VLAN-SSH", 766 | "color": "#F9934E", 767 | "pin": true, 768 | "enable": true, 769 | "field": "vlan", 770 | "size": 10, 771 | "union": "AND" 772 | }, 773 | "6": { 774 | "id": 6, 775 
| "type": "topN", 776 | "query": "+event_type:\"smtp\" +_exists_:vlan", 777 | "alias": "VLAN-SMTP", 778 | "color": "#BA43A9", 779 | "pin": true, 780 | "enable": true, 781 | "field": "vlan", 782 | "size": 10, 783 | "union": "AND" 784 | } 785 | }, 786 | "ids": [ 787 | 0, 788 | 1, 789 | 2, 790 | 3, 791 | 4, 792 | 5, 793 | 6 794 | ], 795 | "idQueue": [] 796 | } 797 | }, 798 | "panel_hints": true 799 | } --------------------------------------------------------------------------------