diff --git a/.dockerignore b/.dockerignore index e18e0b551..2790c07f4 100644 --- a/.dockerignore +++ b/.dockerignore @@ -13,7 +13,9 @@ docker-compose*yml Dockerfiles elasticsearch +elasticsearch-backup malcolm-iso +sensor-iso moloch-logs moloch-raw nginx/nginx_ldap.conf diff --git a/Dockerfiles/curator.Dockerfile b/Dockerfiles/curator.Dockerfile index 8cc6969a9..6a8bfa096 100644 --- a/Dockerfiles/curator.Dockerfile +++ b/Dockerfiles/curator.Dockerfile @@ -1,6 +1,6 @@ FROM debian:buster-slim -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' diff --git a/Dockerfiles/elastalert.Dockerfile b/Dockerfiles/elastalert.Dockerfile index 1cbe1d181..99754c5bd 100644 --- a/Dockerfiles/elastalert.Dockerfile +++ b/Dockerfiles/elastalert.Dockerfile @@ -1,6 +1,6 @@ FROM mmguero/elastalert:2.0.2 -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 0901ea7ba..66ecf6473 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -1,6 +1,6 @@ FROM debian:buster-slim -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index 2c17f8dbf..95b825d29 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -1,6 +1,6 @@ FROM debian:buster-slim AS build -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' @@ -52,14 +52,15 @@ RUN apt-get update && \ apt-get clean -y -q && \ rm -rf /var/lib/apt/lists/* -ADD file-upload/supervisord.conf /supervisord.conf -ADD file-upload/jquery-file-upload/index.html /var/www/upload/index.html ADD docs/images/logo/Malcolm_banner.png /var/www/upload/Malcolm_banner.png +ADD file-upload/docker-entrypoint.sh /docker-entrypoint.sh +ADD file-upload/jquery-file-upload/bootstrap.min.css /var/www/upload/bower_components/bootstrap/dist/css/bootstrap.min.css +ADD file-upload/jquery-file-upload/index.html /var/www/upload/index.html ADD file-upload/jquery-file-upload/index.php /var/www/upload/server/php/index.php -ADD file-upload/php/php.ini /etc/php/7.3/fpm/php.ini ADD file-upload/nginx/sites-available/default /etc/nginx/sites-available/default +ADD file-upload/php/php.ini /etc/php/7.3/fpm/php.ini ADD file-upload/sshd_config /tmp/sshd_config -ADD file-upload/docker-entrypoint.sh /docker-entrypoint.sh +ADD file-upload/supervisord.conf /supervisord.conf RUN mkdir -p /var/run/sshd /var/www/upload/server/php/chroot /run/php && \ mv /var/www/upload/server/php/files /var/www/upload/server/php/chroot && \ diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index 7a36ee8f1..46634cd36 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,6 +1,6 @@ -FROM docker.elastic.co/beats/filebeat-oss:7.5.1 +FROM docker.elastic.co/beats/filebeat-oss:7.6.2 -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' @@ -10,7 +10,6 @@ LABEL org.opencontainers.image.vendor='Idaho National Laboratory' LABEL org.opencontainers.image.title='malcolmnetsec/filebeat-oss' LABEL org.opencontainers.image.description='Malcolm container providing Filebeat (the Apache-licensed variant)' - ARG FILEBEAT_LOG_CLEANUP_MINUTES=0 ARG FILEBEAT_ZIP_CLEANUP_MINUTES=0 ARG FILEBEAT_SCAN_FREQUENCY=10s @@ -22,6 +21,8 @@ ARG FILEBEAT_CLOSE_REMOVED=true ARG FILEBEAT_CLOSE_EOF=true ARG FILEBEAT_CLEAN_REMOVED=true ARG FILEBEAT_LOG_PATH="/data/zeek/current" +ARG FILEBEAT_NGINX_LOG_PATH="/data/nginx" +ARG NGINX_LOG_ACCESS_AND_ERRORS=false ARG AUTO_TAG=true USER root @@ -36,10 +37,16 @@ RUN yum install -y epel-release && \ ADD shared/bin/cron_env_centos.sh /data/ ADD filebeat/filebeat.yml /usr/share/filebeat/filebeat.yml +ADD filebeat/filebeat-nginx.yml /usr/share/filebeat-nginx/filebeat-nginx.yml ADD filebeat/scripts /data/ +ADD shared/bin/elastic_search_status.sh /data/ ADD filebeat/supervisord.conf /etc/supervisord.conf -RUN chmod 755 /data/*.sh /data/*.py && \ - mkdir -p /var/log/supervisor && \ +RUN mkdir -p /var/log/supervisor /usr/share/filebeat-nginx/data && \ + chown -R root:filebeat /usr/share/filebeat-nginx && \ + cp -a /usr/share/filebeat/module /usr/share/filebeat-nginx/module && \ + chmod 750 /usr/share/filebeat-nginx && \ + chmod 770 /usr/share/filebeat-nginx/data && \ + chmod 755 /data/*.sh /data/*.py && \ (echo -e "* * * * * su -c /data/filebeat-process-zeek-folder.sh filebeat >/dev/null 2>&1\n*/5 * * * * su -c /data/filebeat-clean-zeeklogs-processed-folder.py filebeat >/dev/null 2>&1" | crontab -) ENV FILEBEAT_LOG_CLEANUP_MINUTES $FILEBEAT_LOG_CLEANUP_MINUTES @@ -53,13 +60,15 @@ ENV FILEBEAT_CLOSE_REMOVED $FILEBEAT_CLOSE_REMOVED ENV FILEBEAT_CLOSE_EOF $FILEBEAT_CLOSE_EOF ENV FILEBEAT_CLEAN_REMOVED $FILEBEAT_CLEAN_REMOVED ENV FILEBEAT_LOG_PATH $FILEBEAT_LOG_PATH +ENV FILEBEAT_NGINX_LOG_PATH $FILEBEAT_NGINX_LOG_PATH +ENV NGINX_LOG_ACCESS_AND_ERRORS $NGINX_LOG_ACCESS_AND_ERRORS ENV AUTO_TAG $AUTO_TAG ENV FILEBEAT_REGISTRY_FILE "/usr/share/filebeat/data/registry/filebeat/data.json" ENV FILEBEAT_ZEEK_DIR "/data/zeek/" ENV PATH="/data:${PATH}" -VOLUME ["/usr/share/filebeat/data"] +VOLUME ["/usr/share/filebeat/data", "/usr/share/filebeat-nginx/data"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile new file mode 100644 index 000000000..5f87f8be7 --- /dev/null +++ b/Dockerfiles/freq.Dockerfile @@ -0,0 +1,59 @@ +FROM debian:buster-slim + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. +LABEL maintainer="malcolm.netsec@gmail.com" +LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' +LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' +LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/master/README.md' +LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm' +LABEL org.opencontainers.image.vendor='Idaho National Laboratory' +LABEL org.opencontainers.image.title='malcolmnetsec/freq' +LABEL org.opencontainers.image.description='Malcolm container providing an interface to Mark Baggett''s freq_server.py' + +ARG FREQ_USER=freq +ARG FREQ_PORT=10004 +ARG FREQ_LOOKUP=true + +ENV FREQ_USER $FREQ_USER +ENV FREQ_PORT $FREQ_PORT +ENV FREQ_LOOKUP $FREQ_LOOKUP + +RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ + apt-get update && \ + apt-get -y -q install \ + curl \ + git \ + procps \ + psmisc \ + python3 \ + python3-dev \ + python3-pip && \ + pip3 install supervisor && \ + mkdir -p /var/log/supervisor && \ + git clone --depth=1 --single-branch -b master https://github.com/markbaggett/freq /opt/freq_server && \ + rm -rf /opt/freq_server/systemd /opt/freq_server/upstart /opt/freq_server/*.md /opt/freq_server/*.exe && \ + mv -v "$(ls /opt/freq_server/*.freq | tail -n 1)" /opt/freq_server/freq_table.freq && \ + groupadd --gid 1000 $FREQ_USER && \ + useradd -M --uid 1000 --gid 1000 --home /nonexistant $FREQ_USER && \ + chown -R $FREQ_USER:$FREQ_USER /opt/freq_server && \ + apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove git python3-dev && \ + apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages autoremove && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +ADD freq-server/supervisord.conf /etc/supervisord.conf + +WORKDIR /opt/freq_server + +EXPOSE $FREQ_PORT + +CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] + +# to be populated at build-time: +ARG BUILD_DATE +ARG MALCOLM_VERSION +ARG VCS_REVISION + +LABEL org.opencontainers.image.created=$BUILD_DATE +LABEL org.opencontainers.image.version=$MALCOLM_VERSION +LABEL org.opencontainers.image.revision=$VCS_REVISION diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index f8276613b..89b771bae 100644 --- a/Dockerfiles/htadmin.Dockerfile +++ b/Dockerfiles/htadmin.Dockerfile @@ -1,6 +1,6 @@ FROM debian:buster-slim -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' diff --git a/Dockerfiles/kibana.Dockerfile b/Dockerfiles/kibana.Dockerfile index f5fb8b2a8..20aefd3f9 100644 --- a/Dockerfiles/kibana.Dockerfile +++ b/Dockerfiles/kibana.Dockerfile @@ -1,6 +1,6 @@ -FROM docker.elastic.co/kibana/kibana-oss:7.5.1 +FROM docker.elastic.co/kibana/kibana-oss:7.6.2 -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' @@ -47,15 +47,15 @@ ADD kibana/kibana-offline-maps.yml /opt/kibana/config/kibana-offline-maps.yml ADD kibana/supervisord.conf /etc/supervisord.conf ADD kibana/dashboards /opt/kibana/dashboards ADD kibana/maps /opt/maps +ADD https://github.com/gwintzer/kibana-comments-app-plugin/releases/download/7.4.0/kibana-comments-app-plugin-7.4.0-latest.zip /tmp/kibana-comments.zip +ADD https://github.com/prelert/kibana-swimlane-vis/releases/download/v7.6.2/prelert_swimlane_vis-7.6.2.zip /tmp/kibana-swimlane.zip ADD https://github.com/bitsensor/elastalert-kibana-plugin/releases/download/1.1.0/elastalert-kibana-plugin-1.1.0-7.5.0.zip /tmp/elastalert-kibana-plugin.zip +ADD kibana/elastalert-kibana-plugin/server/routes/elastalert.js /tmp/elastalert-server-routes.js # todo: these extra plugins are kind of gutted right now with 7.5.x, need to fix -# ADD https://github.com/prelert/kibana-swimlane-vis/releases/download/v7.4.2/prelert_swimlane_vis-7.4.2.zip /tmp/kibana-swimlane.zip -# ADD https://github.com/gwintzer/kibana-comments-app-plugin/releases/download/7.4.0/kibana-comments-app-plugin-7.4.0-latest.zip /tmp/kibana-comments.zip - # see https://github.com/walterra/kibana-milestones-vis/issues/9 -#ADD https://github.com/walterra/kibana-milestones-vis/releases/download/v7.1.1/kibana-milestones-vis-7.1.1.zip /tmp/kibana-milestones.zip +# ADD https://github.com/walterra/kibana-milestones-vis/releases/download/v7.1.1/kibana-milestones-vis-7.1.1.zip /tmp/kibana-milestones.zip # TODO: commented out because it's not optimizing in 6.6+ correctly # put these back in here and below in the build section: @@ -72,39 +72,46 @@ RUN chmod 755 /data/*.sh /data/*.py && \ chown -R kibana:kibana /opt/kibana/dashboards /opt/maps /opt/kibana/config/kibana*.yml && \ chmod 400 /opt/maps/* && \ mkdir -p /var/log/supervisor && \ - (echo -e "*/5 * * * * su -c /data/kibana-create-moloch-sessions-index.sh kibana >/dev/null 2>&1\n0 * * * * su -c /data/kibana_index_refresh.py kibana >/dev/null 2>&1\n" | crontab -) && \ + (echo -e "*/2 * * * * su -c /data/kibana-create-moloch-sessions-index.sh kibana >/dev/null 2>&1\n0 * * * * su -c /data/kibana_index_refresh.py kibana >/dev/null 2>&1\n" | crontab -) && \ cd /tmp && \ echo "Installing ElastAlert plugin..." && \ - unzip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json && \ - sed -i "s/7\.5\.0/7\.5\.1/g" kibana/elastalert-kibana-plugin/package.json && \ - zip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json && \ + unzip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json kibana/elastalert-kibana-plugin/public/components/main/main.js && \ + sed -i "s/7\.5\.0/7\.6\.2/g" kibana/elastalert-kibana-plugin/package.json && \ + sed -i "s/^import.*eui_theme_light.css.*$//" kibana/elastalert-kibana-plugin/public/components/main/main.js && \ + mkdir -p kibana/elastalert-kibana-plugin/server/routes/ && \ + cp /tmp/elastalert-server-routes.js kibana/elastalert-kibana-plugin/server/routes/elastalert.js && \ + zip elastalert-kibana-plugin.zip \ + kibana/elastalert-kibana-plugin/package.json \ + kibana/elastalert-kibana-plugin/public/components/main/main.js \ + kibana/elastalert-kibana-plugin/server/routes/elastalert.js && \ + cd /usr/share/kibana/plugins && \ /usr/share/kibana/bin/kibana-plugin install file:///tmp/elastalert-kibana-plugin.zip --allow-root && \ - rm -f /tmp/elastalert-kibana-plugin.zip - - ## && \ - ## echo "Installing Swimlanes visualization..." && \ - ## unzip kibana-swimlane.zip kibana/prelert_swimlane_vis-7.4.2/package.json && \ - ## sed -i "s/7\.4\.2/7\.5\.1/g" kibana/prelert_swimlane_vis-7.4.2/package.json && \ - ## zip kibana-swimlane.zip kibana/prelert_swimlane_vis-7.4.2/package.json && \ - ## /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-swimlane.zip --allow-root && \ - ## bash -c "find /usr/share/kibana/plugins/prelert_swimlane_vis/ -type f -exec chmod 644 '{}' \;" && \ - ## rm -f /tmp/kibana-swimlane.zip && \ - ## echo "Installing Comments visualization..." && \ - ## unzip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \ - ## sed -i "s/7\.4\.0/7\.5\.1/g" kibana/kibana-comments-app-plugin/package.json && \ - ## zip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \ - ## /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-comments.zip --allow-root && \ - ## rm -rf /tmp/kibana-comments.zip /tmp/kibana && \ - ## https://github.com/walterra/kibana-milestones-vis/issues/9 - ## && \ - ## echo "Installing Milestones visualization..." && \ - ## unzip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \ - ## sed -i "s/7\.1\.1/7\.5\.1/g" kibana/kibana-milestones-vis/package.json && \ - ## zip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \ - ## /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-milestones.zip --allow-root && \ - ## rm -rf /tmp/kibana-milestones.zip /tmp/kibana - -ADD docs/images/kibana/ebdca7741674eca4e1fadeca157f3ae6.svg /usr/share/kibana/optimize/bundles/ebdca7741674eca4e1fadeca157f3ae6.svg + rm -rf /tmp/elastalert-kibana-plugin.zip /tmp/elastalert.js /tmp/kibana && \ + cd /tmp && \ + echo "Installing Comments visualization..." && \ + unzip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \ + sed -i "s/7\.4\.0/7\.6\.2/g" kibana/kibana-comments-app-plugin/package.json && \ + zip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \ + cd /usr/share/kibana/plugins && \ + /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-comments.zip --allow-root && \ + rm -rf /tmp/kibana-comments.zip /tmp/kibana && \ + cd /tmp && \ + echo "Installing Swimlanes visualization..." && \ + unzip kibana-swimlane.zip kibana/prelert_swimlane_vis/package.json && \ + sed -i "s/7\.6\.2/7\.6\.2/g" kibana/prelert_swimlane_vis/package.json && \ + zip kibana-swimlane.zip kibana/prelert_swimlane_vis/package.json && \ + cd /usr/share/kibana/plugins && \ + /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-swimlane.zip --allow-root && \ + bash -c "find /usr/share/kibana/plugins/prelert_swimlane_vis/ -type f -exec chmod 644 '{}' \;" && \ + rm -rf /tmp/kibana-swimlane.zip /tmp/kibana + # cd /tmp && \ + # echo "Installing Milestones visualization..." && \ + # unzip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \ + # sed -i "s/7\.1\.1/7\.6\.2/g" kibana/kibana-milestones-vis/package.json && \ + # zip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \ + # cd /usr/share/kibana/plugins && \ + # /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-milestones.zip --allow-root && \ + # rm -rf /tmp/kibana-milestones.zip /tmp/kibana CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 9d92c15da..61d866e79 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -1,6 +1,6 @@ FROM centos:7 AS build -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' @@ -10,21 +10,6 @@ LABEL org.opencontainers.image.vendor='Idaho National Laboratory' LABEL org.opencontainers.image.title='malcolmnetsec/logstash-oss' LABEL org.opencontainers.image.description='Malcolm container providing Logstash (the Apache-licensed variant)' - -ARG LOGSTASH_JAVA_EXECUTION_ENGINE=true -ARG LOGSTASH_ENRICHMENT_PIPELINE=enrichment -ARG LOGSTASH_PARSE_PIPELINE_ADDRESSES=zeek-parse -ARG LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL=internal-es -ARG LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL=external-es -ARG LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES=internal-es,external-es - -ENV LOGSTASH_JAVA_EXECUTION_ENGINE $LOGSTASH_JAVA_EXECUTION_ENGINE -ENV LOGSTASH_ENRICHMENT_PIPELINE $LOGSTASH_ENRICHMENT_PIPELINE -ENV LOGSTASH_PARSE_PIPELINE_ADDRESSES $LOGSTASH_PARSE_PIPELINE_ADDRESSES -ENV LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL $LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL -ENV LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL $LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL -ENV LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES $LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES - RUN yum install -y epel-release && \ yum update -y && \ yum install -y java-1.8.0-openjdk-devel git curl wget tar which \ @@ -42,7 +27,20 @@ RUN /bin/bash -lc "command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import - git clone --depth 1 https://github.com/mmguero/logstash-filter-ieee_oui.git /opt/logstash-filter-ieee_oui && \ /bin/bash -lc "cd /opt/logstash-filter-ieee_oui && bundle install && gem build logstash-filter-ieee_oui.gemspec && bundle info logstash-filter-ieee_oui" -FROM docker.elastic.co/logstash/logstash-oss:7.5.1 +FROM docker.elastic.co/logstash/logstash-oss:7.6.2 + +ARG LOGSTASH_ENRICHMENT_PIPELINE=enrichment +ARG LOGSTASH_PARSE_PIPELINE_ADDRESSES=zeek-parse +ARG LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL=internal-es +ARG LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL=external-es +ARG LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES=internal-es,external-es + +ENV LOGSTASH_ENRICHMENT_PIPELINE $LOGSTASH_ENRICHMENT_PIPELINE +ENV LOGSTASH_PARSE_PIPELINE_ADDRESSES $LOGSTASH_PARSE_PIPELINE_ADDRESSES +ENV LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL $LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL +ENV LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL $LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL +ENV LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES $LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES + USER root COPY --from=build /opt/logstash-filter-ieee_oui /opt/logstash-filter-ieee_oui @@ -51,9 +49,9 @@ RUN yum install -y epel-release && \ yum update -y && \ yum install -y gettext python-setuptools python-pip python-requests python-yaml && \ yum clean all && \ - pip install py2-ipaddress && \ + pip install py2-ipaddress supervisor && \ logstash-plugin install logstash-filter-translate logstash-filter-cidr logstash-filter-dns \ - logstash-filter-json logstash-filter-prune \ + logstash-filter-json logstash-filter-prune logstash-filter-http \ logstash-filter-grok logstash-filter-geoip logstash-filter-uuid \ logstash-filter-kv logstash-filter-mutate logstash-filter-dissect \ logstash-input-beats logstash-output-elasticsearch && \ @@ -65,9 +63,11 @@ ADD logstash/config/log4j2.properties /usr/share/logstash/config/ ADD logstash/config/logstash.yml /usr/share/logstash/config/ ADD logstash/pipelines/ /usr/share/logstash/malcolm-pipelines/ ADD logstash/scripts /usr/local/bin/ +ADD logstash/supervisord.conf /etc/supervisord.conf ADD https://raw.githubusercontent.com/wireshark/wireshark/master/manuf /usr/share/logstash/config/oui.txt RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" && \ + mkdir -p /var/log/supervisor && \ rm -f /usr/share/logstash/pipeline/logstash.conf && \ rmdir /usr/share/logstash/pipeline && \ mkdir /logstash-persistent-queue && \ @@ -83,10 +83,11 @@ ENV LOGSTASH_KEYSTORE_PASS "a410a267b1404c949284dee25518a917" VOLUME ["/logstash-persistent-queue"] -USER logstash - -ENTRYPOINT ["/usr/local/bin/logstash-start.sh"] +EXPOSE 5044 +EXPOSE 9001 +EXPOSE 9600 +CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] # to be populated at build-time: ARG BUILD_DATE diff --git a/Dockerfiles/moloch.Dockerfile b/Dockerfiles/moloch.Dockerfile index eb9078887..6c69c9b62 100644 --- a/Dockerfiles/moloch.Dockerfile +++ b/Dockerfiles/moloch.Dockerfile @@ -1,10 +1,10 @@ FROM debian:buster-slim AS build -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ENV DEBIAN_FRONTEND noninteractive -ENV MOLOCH_VERSION "2.1.2" +ENV MOLOCH_VERSION "2.2.3" ENV MOLOCHDIR "/data/moloch" ADD moloch/scripts/bs4_remove_div.py /data/ @@ -12,7 +12,10 @@ ADD moloch/patch/* /data/patches/ ADD README.md $MOLOCHDIR/doc/ ADD doc.css $MOLOCHDIR/doc/ ADD docs/images $MOLOCHDIR/doc/images/ -ADD https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz /data/moloch.tar.gz + +# TODO: temporarily using my github fork branch until issue https://github.com/aol/moloch/issues/1162 and +# https://github.com/idaholab/Malcolm/issues/2 are merged in +# ADD https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz /data/moloch.tar.gz RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ @@ -62,14 +65,16 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list sed -i "s@docs/images@images@g" README.md && \ pandoc -s --self-contained --metadata title="Malcolm README" --css $MOLOCHDIR/doc/doc.css -o $MOLOCHDIR/doc/README.html $MOLOCHDIR/doc/README.md && \ cd /data && \ - tar -xvf "moloch.tar.gz" && \ + # TODO: see comment above about aol/moloch vs. mmguero-dev/moloch + # tar -xvf "moloch.tar.gz" && \ + git clone --recursive --depth=1 --single-branch -b "topic/netdiff_2.2.3" "https://github.com/mmguero-dev/moloch.git" "./moloch-"$MOLOCH_VERSION && \ cd "./moloch-"$MOLOCH_VERSION && \ + rm -rf ./.git && \ bash -c 'for i in /data/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \ cp -v $MOLOCHDIR/doc/images/moloch/moloch_155.png ./viewer/public/moloch_155.png && \ cp -v $MOLOCHDIR/doc/images/moloch/moloch_77.png ./viewer/public/moloch_77.png && \ cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./parliament/vueapp/src/assets/header_logo.png && \ cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./viewer/public/header_logo.png && \ - cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./viewer/vueapp/src/assets/logo.png && \ find $MOLOCHDIR/doc/images/screenshots -name "*.png" -delete && \ export PATH="$MOLOCHDIR/bin:${PATH}" && \ ln -sfr $MOLOCHDIR/bin/npm /usr/local/bin/npm && \ @@ -77,6 +82,7 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list ln -sfr $MOLOCHDIR/bin/npx /usr/local/bin/npx && \ python3 /data/bs4_remove_div.py -i ./viewer/vueapp/src/components/users/Users.vue -o ./viewer/vueapp/src/components/users/Users.new -c "new-user-form" && \ mv -vf ./viewer/vueapp/src/components/users/Users.new ./viewer/vueapp/src/components/users/Users.vue && \ + rm -rf ./viewer/vueapp/src/components/upload && \ ./easybutton-build.sh --install && \ npm cache clean --force && \ bash -c "file ${MOLOCHDIR}/bin/* ${MOLOCHDIR}/node-v*/bin/* | grep 'ELF 64-bit' | sed 's/:.*//' | xargs -l -r strip -v --strip-unneeded" diff --git a/Dockerfiles/name-map-ui.Dockerfile b/Dockerfiles/name-map-ui.Dockerfile new file mode 100644 index 000000000..383269c7d --- /dev/null +++ b/Dockerfiles/name-map-ui.Dockerfile @@ -0,0 +1,67 @@ +FROM alpine:3.11 + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. +LABEL maintainer="malcolm.netsec@gmail.com" +LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' +LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' +LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/master/README.md' +LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm' +LABEL org.opencontainers.image.vendor='Idaho National Laboratory' +LABEL org.opencontainers.image.title='malcolmnetsec/name-map-ui' +LABEL org.opencontainers.image.description='Malcolm container providing a user interface for mapping names to network hosts and subnets' + +ENV JQUERY_VERSION 1.6.4 +ENV LISTJS_VERSION v1.5.0 + +RUN apk --no-cache add bash php7 php7-fpm php7-mysqli php7-json php7-openssl php7-curl php7-fileinfo \ + php7-zlib php7-xml php7-phar php7-intl php7-dom php7-xmlreader php7-ctype php7-session \ + php7-mbstring php7-gd nginx supervisor curl inotify-tools file psmisc + +COPY name-map-ui/config/nginx.conf /etc/nginx/nginx.conf +COPY name-map-ui/config/fpm-pool.conf /etc/php7/php-fpm.d/www.conf +COPY name-map-ui/config/php.ini /etc/php7/conf.d/custom.ini +COPY name-map-ui/config/supervisord.conf /etc/supervisord.conf +COPY name-map-ui/config/supervisor_logstash_ctl.conf /etc/supervisor/logstash/supervisord.conf +COPY name-map-ui/scripts/*.sh /usr/local/bin/ + +ADD https://code.jquery.com/jquery-${JQUERY_VERSION}.min.js /tmp/jquery.min.js +ADD https://raw.githubusercontent.com/javve/list.js/${LISTJS_VERSION}/dist/list.min.js /tmp/list.min.js + +RUN rm -rf /etc/nginx/conf.d/default.conf /var/www/html/* && \ + mkdir -p /var/www/html/upload /var/www/html/maps && \ + cd /var/www/html && \ + mv /tmp/jquery.min.js /tmp/list.min.js ./ && \ + chmod 644 ./jquery.min.js ./list.min.js && \ + ln -s . name-map-ui && \ + addgroup -g 1000 nginxsrv ; \ + adduser -D -H -u 1000 -h /var/www/html -s /sbin/nologin -G nginxsrv -g nginxsrv nginxsrv ; \ + addgroup nginxsrv nginx ; \ + addgroup nginxsrv shadow ; \ + chown -R nginxsrv.nginxsrv /var/www/html && \ + chown -R nginxsrv.nginxsrv /run && \ + chown -R nginxsrv.nginxsrv /var/lib/nginx && \ + chown -R nginxsrv.nginxsrv /var/log/nginx && \ + chmod 755 /usr/local/bin/*.sh + +VOLUME /var/www/html + +USER nginxsrv + +WORKDIR /var/www/html + +COPY --chown=1000 name-map-ui/site/ /var/www/html/ +COPY --chown=1000 docs/images/logo/Malcolm_banner.png /var/www/html/ +COPY --chown=1000 docs/images/favicon/favicon.ico /var/www/html/ + +EXPOSE 8080 + +CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] + +# to be populated at build-time: +ARG BUILD_DATE +ARG MALCOLM_VERSION +ARG VCS_REVISION + +LABEL org.opencontainers.image.created=$BUILD_DATE +LABEL org.opencontainers.image.version=$MALCOLM_VERSION +LABEL org.opencontainers.image.revision=$VCS_REVISION diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile index 84a1c8ac3..3b1cb044a 100644 --- a/Dockerfiles/nginx.Dockerfile +++ b/Dockerfiles/nginx.Dockerfile @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. #################################################################################### # thanks to: nginx - https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile @@ -10,7 +10,7 @@ # build a patched APK of stunnel supporting ldap StartTLS (patched protocols.c) # (based on https://www.stunnel.org/pipermail/stunnel-users/2013-November/004437.html) -FROM alpine:3.10 as stunnel_build +FROM alpine:3.11 as stunnel_build ADD https://codeload.github.com/alpinelinux/aports/tar.gz/master /aports-master.tar.gz ADD nginx/src/*.patch /usr/src/patches/ @@ -18,7 +18,7 @@ ADD nginx/src/*.patch /usr/src/patches/ USER root RUN set -x ; \ - apk add --no-cache alpine-sdk patchutils sudo ; \ + apk add --no-cache alpine-sdk patchutils sudo openssl-dev linux-headers; \ sed -i 's/^#\s*\(%wheel\s\+ALL=(ALL)\s\+NOPASSWD:\s\+ALL\)/\1/' /etc/sudoers ; \ adduser -D -u 1000 -h /apkbuild -G abuild builder ; \ addgroup builder wheel ; \ @@ -39,7 +39,7 @@ RUN set -x ; \ #################################################################################### -FROM alpine:3.10 +FROM alpine:3.11 LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' @@ -67,12 +67,10 @@ ENV NGINX_LDAP_TLS_STUNNEL_PROTOCOL $NGINX_LDAP_TLS_STUNNEL_PROTOCOL # build latest nginx with nginx-auth-ldap -ENV NGINX_VERSION=1.17.6 -ENV DOCKER_GEN_VERSION=0.7.4 +ENV NGINX_VERSION=1.17.9 ENV NGINX_AUTH_LDAP_BRANCH=master ENV NGINX_AUTH_PAM_BRANCH=master -ADD https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz ADD https://codeload.github.com/kvspb/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz ADD https://codeload.github.com/sto/ngx_http_auth_pam_module/tar.gz/$NGINX_AUTH_PAM_BRANCH /ngx_http_auth_pam_module.tar.gz ADD http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz /nginx.tar.gz @@ -201,14 +199,11 @@ RUN set -x ; \ apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap linux-pam nss-pam-ldapd supervisor tzdata; \ update-ca-certificates; \ apk add --no-cache --allow-untrusted /tmp/stunnel-*.apk; \ - tar -C /usr/local/bin -xzf /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz; \ apk del .nginx-build-deps ; \ apk del .gettext ; \ mv /tmp/envsubst /usr/local/bin/ ; \ mkdir -p /var/log/supervisor ; \ - rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /tmp/stunnel-*.apk /nginx.tar.gz /nginx-auth-ldap.tar.gz /ngx_http_auth_pam_module.tar.gz /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz; \ - ln -sf /dev/stdout /var/log/nginx/access.log; \ - ln -sf /dev/stderr /var/log/nginx/error.log; \ + rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /tmp/stunnel-*.apk /nginx.tar.gz /nginx-auth-ldap.tar.gz /ngx_http_auth_pam_module.tar.gz; \ touch /etc/nginx/nginx_ldap.conf /etc/nginx/nginx_blank.conf; COPY --from=jwilder/nginx-proxy:alpine /app/nginx.tmpl /etc/nginx/ @@ -222,8 +217,6 @@ ADD docs/images/icon/favicon.ico /etc/nginx/favicon.ico EXPOSE 80 -ENV DOCKER_HOST unix:///tmp/docker.sock - VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"] ENTRYPOINT ["/usr/local/bin/docker_entrypoint.sh"] diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile index 572d0a266..71bbfa016 100644 --- a/Dockerfiles/pcap-capture.Dockerfile +++ b/Dockerfiles/pcap-capture.Dockerfile @@ -1,6 +1,6 @@ FROM debian:buster-slim -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index 1e7649438..c02a981bf 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -1,6 +1,6 @@ FROM debian:buster-slim -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com' LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index 115341bf9..d41854e11 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -1,11 +1,11 @@ FROM debian:buster-slim AS build -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ENV DEBIAN_FRONTEND noninteractive ENV SRC_BASE_DIR "/usr/local/src" -ENV ZEEK_VERSION "3.0.1" +ENV ZEEK_VERSION "3.0.3" ENV ZEEK_DIR "/opt/zeek" ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}" ENV ZEEK_PATCH_DIR "${SRC_BASE_DIR}/zeek-patches" diff --git a/License.txt b/License.txt index 4d044c4b5..ec86f9075 100644 --- a/License.txt +++ b/License.txt @@ -2,7 +2,7 @@ Software License Agreement For more information, please see DHS_TOU.pdf. -Malcolm is Copyright (c) 2019 Battelle Energy Alliance, LLC, and is developed +Malcolm is Copyright (c) 2020 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. All rights reserved. @@ -22,7 +22,7 @@ means, and for any purpose whatsoever. https://github.com/idaholab/Malcolm -Copyright 2019 Battelle Energy Alliance, LLC +Copyright 2020 Battelle Energy Alliance, LLC ALL RIGHTS RESERVED diff --git a/Notice.txt b/Notice.txt index 19d797946..30c7a7221 100644 --- a/Notice.txt +++ b/Notice.txt @@ -4,7 +4,7 @@ https://github.com/idaholab/Malcolm See License.txt for license terms. -Malcolm is Copyright (c) 2019 Battelle Energy Alliance, LLC, and is developed +Malcolm is Copyright (c) 2020 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. All rights reserved. diff --git a/README.md b/README.md index 3a2beedda..debc950d3 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,6 @@ In short, Malcolm provides an easily deployable network analysis tool suite for * [Capturing traffic on local network interfaces](#LocalPCAP) * [Using a network sensor appliance](#Hedgehog) * [Manually forwarding Zeek logs from an external source](#ZeekForward) - * [Monitoring a local Zeek instance](#LiveZeek) * [Moloch](#Moloch) * [Zeek log integration](#MolochZeek) - [Correlating Zeek logs and Moloch sessions](#ZeekMolochFlowCorrelation) @@ -73,6 +72,7 @@ In short, Malcolm provides an easily deployable network analysis tool suite for - [Automatic host and subnet name assignment](#HostAndSubnetNaming) + [IP/MAC address to hostname mapping via `host-map.txt`](#HostNaming) + [CIDR subnet to network segment name mapping via `cidr-map.txt`](#SegmentNaming) + + [Defining hostname and CIDR subnet names interface](#NameMapUI) + [Applying mapping changes](#ApplyMapping) - [Elasticsearch index curation](#Curator) * [Malcolm installer ISO](#ISO) @@ -111,10 +111,12 @@ Pulling elastalert ... done Pulling elasticsearch ... done Pulling file-monitor ... done Pulling filebeat ... done +Pulling freq ... done Pulling htadmin ... done Pulling kibana ... done Pulling logstash ... done Pulling moloch ... done +Pulling name-map-ui ... done Pulling nginx-proxy ... done Pulling pcap-capture ... done Pulling pcap-monitor ... done @@ -126,23 +128,25 @@ You can then observe that the images have been retrieved by running `docker imag ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/moloch 1.8.1 xxxxxxxxxxxx 10 minutes ago 491MB -malcolmnetsec/logstash-oss 1.8.1 xxxxxxxxxxxx 17 minutes ago 1.4GB -malcolmnetsec/zeek 1.8.1 xxxxxxxxxxxx 17 minutes ago 232MB -malcolmnetsec/file-upload 1.8.1 xxxxxxxxxxxx 23 minutes ago 199MB -malcolmnetsec/pcap-capture 1.8.1 xxxxxxxxxxxx 23 minutes ago 112MB -malcolmnetsec/file-monitor 1.8.1 xxxxxxxxxxxx 25 minutes ago 369MB -malcolmnetsec/filebeat-oss 1.8.1 xxxxxxxxxxxx 28 minutes ago 501MB -malcolmnetsec/kibana-oss 1.8.1 xxxxxxxxxxxx 28 minutes ago 964MB -malcolmnetsec/pcap-monitor 1.8.1 xxxxxxxxxxxx 28 minutes ago 156MB -malcolmnetsec/curator 1.8.1 xxxxxxxxxxxx 29 minutes ago 240MB -malcolmnetsec/nginx-proxy 1.8.1 xxxxxxxxxxxx 29 minutes ago 54.5MB -malcolmnetsec/elastalert 1.8.1 xxxxxxxxxxxx 30 minutes ago 276MB -malcolmnetsec/htadmin 1.8.1 xxxxxxxxxxxx 31 minutes ago 256MB -docker.elastic.co/elasticsearch/elasticsearch-oss 7.5.1 xxxxxxxxxxxx 5 weeks ago 825MB -``` - -You must run [`auth_setup.sh`](#AuthSetup) prior to running `docker-compose pull`. You should also ensure your system configuration and `docker-compose.yml` settings are tuned by running `./scripts/install.py` or `./scripts/install.py --configure` (see [System configuration and tuning](#ConfigAndTuning)). +malcolmnetsec/moloch 2.0.0 xxxxxxxxxxxx 10 minutes ago 491MB +malcolmnetsec/logstash-oss 2.0.0 xxxxxxxxxxxx 17 minutes ago 1.4GB +malcolmnetsec/zeek 2.0.0 xxxxxxxxxxxx 17 minutes ago 232MB +malcolmnetsec/file-upload 2.0.0 xxxxxxxxxxxx 23 minutes ago 199MB +malcolmnetsec/pcap-capture 2.0.0 xxxxxxxxxxxx 23 minutes ago 112MB +malcolmnetsec/file-monitor 2.0.0 xxxxxxxxxxxx 25 minutes ago 369MB +malcolmnetsec/filebeat-oss 2.0.0 xxxxxxxxxxxx 28 minutes ago 501MB +malcolmnetsec/kibana-oss 2.0.0 xxxxxxxxxxxx 28 minutes ago 964MB +malcolmnetsec/pcap-monitor 2.0.0 xxxxxxxxxxxx 28 minutes ago 156MB +malcolmnetsec/curator 2.0.0 xxxxxxxxxxxx 29 minutes ago 240MB +malcolmnetsec/nginx-proxy 2.0.0 xxxxxxxxxxxx 29 minutes ago 54.5MB +malcolmnetsec/elastalert 2.0.0 xxxxxxxxxxxx 30 minutes ago 276MB +malcolmnetsec/htadmin 2.0.0 xxxxxxxxxxxx 31 minutes ago 256MB +malcolmnetsec/freq 2.0.0 xxxxxxxxxxxx 32 minutes ago 188MB +malcolmnetsec/name-map-ui 2.0.0 xxxxxxxxxxxx 35 minutes ago 20MB +docker.elastic.co/elasticsearch/elasticsearch-oss 7.6.2 xxxxxxxxxxxx 5 weeks ago 825MB +``` + +You must run [`auth_setup`](#AuthSetup) prior to running `docker-compose pull`. You should also ensure your system configuration and `docker-compose.yml` settings are tuned by running `./scripts/install.py` or `./scripts/install.py --configure` (see [System configuration and tuning](#ConfigAndTuning)). #### Import from pre-packaged tarballs @@ -161,6 +165,7 @@ A few minutes after starting Malcolm (probably 5 to 10 minutes for Logstash to b * Kibana: [https://localhost/kibana/](https://localhost/kibana/) or [https://localhost:5601](https://localhost:5601) * Capture File and Log Archive Upload (Web): [https://localhost/upload/](https://localhost/upload/) or [https://localhost:8443](https://localhost:8443) * Capture File and Log Archive Upload (SFTP): `sftp://@127.0.0.1:8022/files` +* [Host and Subnet Name Mapping](#HostAndSubnetNaming) Editor: [https://localhost/name-map-ui/](https://localhost/name-map-ui/) * Account Management: [https://localhost:488](https://localhost:488) ## Overview @@ -189,21 +194,24 @@ Malcolm leverages the following excellent open source tools, among others. * [ClamAV](https://www.clamav.net/) - an antivirus engine for scanning files extracted by Zeek * [CyberChef](https://github.com/gchq/CyberChef) - a "swiss-army knife" data conversion tool * [jQuery File Upload](https://github.com/blueimp/jQuery-File-Upload) - for uploading PCAP files and Zeek logs for processing +* [List.js](https://github.com/javve/list.js) - for the [host and subnet name mapping](#HostAndSubnetNaming) interface * [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/) - for simple, reproducible deployment of the Malcolm appliance across environments and to coordinate communication between its various components * [Nginx](https://nginx.org/) - for HTTPS and reverse proxying Malcolm components * [nginx-auth-ldap](https://github.com/kvspb/nginx-auth-ldap) - an LDAP authentication module for nginx * [ElastAlert](https://github.com/Yelp/elastalert) - an alerting framework for Elasticsearch. Specifically, the [BitSensor fork of ElastAlert](https://github.com/bitsensor/elastalert), its Docker configuration and its corresponding [Kibana plugin](https://github.com/bitsensor/elastalert-kibana-plugin) are used. +* [freq](https://github.com/MarkBaggett/freq) - a tool for calculating entropy of strings * These third party Zeek plugins: * Amazon.com, Inc.'s [ICS protocol](https://github.com/amzn?q=zeek) analyzers * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin * Corelight's [community ID](https://github.com/corelight/bro-community-id) flow hashing plugin - * J-Gras' [Bro::AF_Packet](https://github.com/J-Gras/bro-af_packet-plugin) plugin + * J-Gras' [Zeek::AF_Packet](https://github.com/J-Gras/zeek-af_packet-plugin) plugin * Lexi Brent's [EternalSafety](https://github.com/lexibrent/zeek-EternalSafety) plugin * MITRE Cyber Analytics Repository's [Bro/Zeek ATT&CK-Based Analytics (BZAR)](https://github.com/mitre-attack/car/tree/master/implementations) script * Salesforce's [gQUIC](https://github.com/salesforce/GQUIC_Protocol_Analyzer) analyzer * Salesforce's [HASSH](https://github.com/salesforce/hassh) SSH fingerprinting plugin * Salesforce's [JA3](https://github.com/salesforce/ja3) TLS fingerprinting plugin * SoftwareConsultingEmporium's [Bro::LDAP](https://github.com/SoftwareConsultingEmporium/ldap-analyzer) analyzer + * Johanna Amann's [CVE-2020-0601](https://github.com/0xxon/cve-2020-0601) ECC certificate validation plugin * [GeoLite2](https://dev.maxmind.com/geoip/geoip2/geolite2/) - Malcolm includes GeoLite2 data created by [MaxMind](https://www.maxmind.com) ## Supported Protocols @@ -273,6 +281,7 @@ Checking out the [Malcolm source code](https://github.com/idaholab/Malcolm/tree/ * `filebeat` - code and configuration for the `filebeat` container which ingests Zeek logs and forwards them to the `logstash` container * `file-monitor` - code and configuration for the `file-monitor` container which can scan files extracted by Zeek * `file-upload` - code and configuration for the `upload` container which serves a web browser-based upload form for uploading PCAP files and Zeek logs, and which serves an SFTP share as an alternate method for upload +* `freq-server` - code and configuration for the `freq` container used for calculating entropy of strings * `htadmin` - configuration for the `htadmin` user account management container * `kibana` - code and configuration for the `kibana` container for creating additional ad-hoc visualizations and dashboards beyond that which is provided by Moloch Viewer * `logstash` - code and configuration for the `logstash` container which parses Zeek logs and forwards them to the `elasticsearch` container @@ -280,23 +289,25 @@ Checking out the [Malcolm source code](https://github.com/idaholab/Malcolm/tree/ * `moloch` - code and configuration for the `moloch` container which processes PCAP files using `moloch-capture` and which serves the Viewer application * `moloch-logs` - an initially empty directory to which the `moloch` container will write some debug log files * `moloch-raw` - an initially empty directory to which the `moloch` container will write captured PCAP files; as Moloch as employed by Malcolm is currently used for processing previously-captured PCAP files, this directory is currently unused +* `name-map-ui` - code and configuration for the `name-map-ui` container which provides the [host and subnet name mapping](#HostAndSubnetNaming) interface * `nginx` - configuration for the `nginx` reverse proxy container * `pcap` - an initially empty directory for PCAP files to be uploaded, processed, and stored * `pcap-capture` - code and configuration for the `pcap-capture` container which can capture network traffic * `pcap-monitor` - code and configuration for the `pcap-monitor` container which watches for new or uploaded PCAP files notifies the other services to process them * `scripts` - control scripts for starting, stopping, restarting, etc. Malcolm +* `sensor-iso` - code and configuration for building a [Hedgehog Linux](#Hedgehog) ISO * `shared` - miscellaneous code used by various Malcolm components * `zeek` - code and configuration for the `zeek` container which handles PCAP processing using Zeek * `zeek-logs` - an initially empty directory for Zeek logs to be uploaded, processed, and stored and the following files of special note: -* `auth.env` - the script `./scripts/auth_setup.sh` prompts the user for the administrator credentials used by the Malcolm appliance, and `auth.env` is the environment file where those values are stored +* `auth.env` - the script `./scripts/auth_setup` prompts the user for the administrator credentials used by the Malcolm appliance, and `auth.env` is the environment file where those values are stored * `cidr-map.txt` - specify custom IP address to network segment mapping * `host-map.txt` - specify custom IP and/or MAC address to host mapping +* `net-map.json` - an alternative to `cidr-map.txt` and `host-map.txt`, mapping hosts and network segments to their names in a JSON-formatted file * `docker-compose.yml` - the configuration file used by `docker-compose` to build, start, and stop an instance of the Malcolm appliance * `docker-compose-standalone.yml` - similar to `docker-compose.yml`, only used for the ["packaged"](#Packager) installation of Malcolm -* `docker-compose-standalone-zeek-live.yml` - identical to `docker-compose-standalone.yml`, only Filebeat is configured to monitor local live Zeek logs (ie., being actively written to on the same host running Malcolm) ### Building from source @@ -313,11 +324,13 @@ Then, go take a walk or something since it will be a while. When you're done, yo * `malcolmnetsec/filebeat-oss` (based on `docker.elastic.co/beats/filebeat-oss`) * `malcolmnetsec/file-monitor` (based on `debian:buster-slim`) * `malcolmnetsec/file-upload` (based on `debian:buster-slim`) +* `malcolmnetsec/freq` (based on `debian:buster-slim`) * `malcolmnetsec/htadmin` (based on `debian:buster-slim`) * `malcolmnetsec/kibana-oss` (based on `docker.elastic.co/kibana/kibana-oss`) * `malcolmnetsec/logstash-oss` (based on `docker.elastic.co/logstash/logstash-oss`) +* `malcolmnetsec/name-map-ui` (based on `alpine:3.11`) * `malcolmnetsec/moloch` (based on `debian:buster-slim`) -* `malcolmnetsec/nginx-proxy` (based on `alpine:3.10`) +* `malcolmnetsec/nginx-proxy` (based on `alpine:3.11`) * `malcolmnetsec/pcap-capture` (based on `debian:buster-slim`) * `malcolmnetsec/pcap-monitor` (based on `debian:buster-slim`) * `malcolmnetsec/pcap-zeek` (based on `debian:buster-slim`) @@ -359,18 +372,19 @@ To install Malcolm: To start, stop, restart, etc. Malcolm: Use the control scripts in the "scripts/" directory: - - start.sh (start Malcolm) - - stop.sh (stop Malcolm) - - restart.sh (restart Malcolm) - - logs.sh (monitor Malcolm logs) - - wipe.sh (stop Malcolm and clear its database) - - auth_setup.sh (change authentication-related settings) + - start (start Malcolm) + - stop (stop Malcolm) + - restart (restart Malcolm) + - logs (monitor Malcolm logs) + - wipe (stop Malcolm and clear its database) + - auth_setup (change authentication-related settings) A minute or so after starting Malcolm, the following services will be accessible: - Moloch: https://localhost/ - Kibana: https://localhost/kibana/ - - PCAP Upload (web): https://localhost/upload/ - - PCAP Upload (sftp): sftp://USERNAME@127.0.0.1:8022/files/ + - PCAP upload (web): https://localhost/upload/ + - PCAP upload (sftp): sftp://USERNAME@127.0.0.1:8022/files/ + - Host and subnet name mapping editor: https://localhost/name-map-ui/ - Account management: https://localhost:488/ ``` @@ -390,7 +404,7 @@ total 2.0G If you have obtained pre-packaged installation files to install Malcolm on a non-networked machine via an internal network share or on a USB key, you likely have the following files: * `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.README.txt` - This readme file contains a minimal set up instructions for extracting the contents of the other tarballs and running the Malcolm appliance. -* `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` - This tarball contains the configuration files and directory configuration used by an instance of Malcolm. It can be extracted via `tar -xf malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` upon which a directory will be created (named similarly to the tarball) containing the directories and configuration files. Alternately, `install.py` can accept this filename as an argument and handle its extraction and initial configuration for you. +* `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` - This tarball contains the configuration files and directory configuration used by an instance of Malcolm. It can be extracted via `tar -xf malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` upon which a directory will be created (named similarly to the tarball) containing the directories and configuration files. Alternatively, `install.py` can accept this filename as an argument and handle its extraction and initial configuration for you. * `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.gz` - This tarball contains the Docker images used by Malcolm. It can be imported manually via `docker load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.gz` * `install.py` - This install script can load the Docker images and extract Malcolm configuration files from the aforementioned tarballs and do some initial configuration for you. @@ -423,6 +437,8 @@ Various other environment variables inside of `docker-compose.yml` can be tweake * `NGINX_BASIC_AUTH` - if set to `true`, use [TLS-encrypted HTTP basic](#AuthBasicAccountManagement) authentication (default); if set to `false`, use [Lightweight Directory Access Protocol (LDAP)](#AuthLDAP) authentication +* `NGINX_LOG_ACCESS_AND_ERRORS` - if set to `true`, all access to Malcolm via its [web interfaces](#UserInterfaceURLs) will be logged to Elasticsearch (default `false`) + * `MANAGE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Moloch if available storage space becomes too low (default `false`) * `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`) @@ -433,8 +449,6 @@ Various other environment variables inside of `docker-compose.yml` can be tweake * `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`) -* `LOGSTASH_JAVA_EXECUTION_ENGINE` – if set to `true`, Logstash will use the new [Logstash Java Execution Engine](https://www.elastic.co/blog/meet-the-new-logstash-java-execution-engine) which may significantly speed up Logstash startup and processing - * `LOGSTASH_OUI_LOOKUP` – if set to `true`, Logstash will map MAC addresses to vendors for all source and destination MAC addresses when analyzing Zeek logs (default `true`) * `LOGSTASH_REVERSE_DNS` – if set to `true`, Logstash will perform a reverse DNS lookup for all external source and destination IP address values when analyzing Zeek logs (default `false`) @@ -619,7 +633,7 @@ After making these changes, right click on the Docker 🐋 icon in the system tr Installing and configuring Docker to run under Windows must be done manually, rather than through the `install.py` script as is done for Linux and macOS. 1. In order to be able to configure Docker volume mounts correctly, you should be running [Windows 10, version 1803](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1803) or higher. -1. The control scripts in the `scripts/` directory are written in the Bash command language. The easiest way to run Bash in Windows is using the [Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/install-win10) (WSL). To install WSL, run the following command in PowerShell as Administrator: +1. The control scripts in the `scripts/` directory are written in the Python. They also rely on a few other utilities such as OpenSSL and htpasswd. The easiest way to run these tools in Windows is using the [Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/install-win10) (WSL) (however, they may also be installed and configured manually: [Python](https://www.python.org/downloads/windows); [OpenSSL](https://wiki.openssl.org/index.php/Binaries); [htpasswd](https://httpd.apache.org/docs/current/platform/windows.html#down), download the `httpd….zip` file and extract `htpasswd.exe` from the `Apache…\bin\` directory). To install WSL, run the following command in PowerShell as Administrator: + `Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux` 1. Install the [Linux distribution of your choice](https://docs.microsoft.com/en-us/windows/wsl/install-win10#install-your-linux-distribution-of-choice) in WSL. These instructions have been tested using Debian, but will probably work with other distributions as well. 1. Run the following commands in PowerShell as Administrator to enable required Windows features: @@ -648,6 +662,8 @@ Installing and configuring Docker to run under Windows must be done manually, ra Once Docker is installed, configured and running as described in the previous section, run [`./scripts/install.py --configure`](#ConfigAndTuning) (in WSL it will probably be something like `sudo python3 ./scripts/install.py --configure`) to finish configuration of the local Malcolm installation. +The control scripts outlined in the [Running Malcolm](#Running) section may not be symlinked correctly under Windows. Rather than running `./scripts/start`, `./scripts/stop`, etc., you can run `python3 ./scripts/control.py --start`, `python3 ./scripts/control.py --stop`, etc. to the same effect. + ## Running Malcolm ### Configure authentication @@ -660,7 +676,7 @@ LDAP authentication are managed on a remote directory service, such as a [Micros Malcolm's authentication method is defined in the `x-auth-variables` section near the top of the [`docker-compose.yml`](#DockerComposeYml) file with the `NGINX_BASIC_AUTH` environment variable: `true` for local TLS-encrypted HTTP basic authentication, `false` for LDAP authentication. -In either case, you **must** run `./scripts/auth_setup.sh` before starting Malcolm for the first time in order to: +In either case, you **must** run `./scripts/auth_setup` before starting Malcolm for the first time in order to: * define the local Malcolm administrator account username and password (although these credentials will only be used for basic authentication, not LDAP authentication) * specify whether or not to (re)generate the self-signed certificates used for HTTPS access @@ -673,7 +689,7 @@ In either case, you **must** run `./scripts/auth_setup.sh` before starting Malco ##### Local account management -[`auth_setup.sh`](#AuthSetup) is used to define the username and password for the administrator account. Once Malcolm is running, the administrator account can be used to manage other user accounts via a **Malcolm User Management** page served over HTTPS on port 488 (e.g., [https://localhost:488](https://localhost:488) if you are connecting locally). +[`auth_setup`](#AuthSetup) is used to define the username and password for the administrator account. Once Malcolm is running, the administrator account can be used to manage other user accounts via a **Malcolm User Management** page served over HTTPS on port 488 (e.g., [https://localhost:488](https://localhost:488) if you are connecting locally). Malcolm user accounts can be used to access the [interfaces](#UserInterfaceURLs) of all of its [components](#Components), including Moloch. Moloch uses its own internal database of user accounts, so when a Malcolm user account logs in to Moloch for the first time Malcolm creates a corresponding Moloch user account automatically. This being the case, it is *not* recommended to use the Moloch **Users** settings page or change the password via the **Password** form under the Moloch **Settings** page, as those settings would not be consistently used across Malcolm. @@ -681,7 +697,7 @@ Users may change their passwords via the **Malcolm User Management** page by cli #### Lightweight Directory Access Protocol (LDAP) authentication -The [nginx-auth-ldap](https://github.com/kvspb/nginx-auth-ldap) module serves as the interface between Malcolm's [Nginx](https://nginx.org/) web server and a remote LDAP server. When you run [`auth_setup.sh`](#AuthSetup) for the first time, a sample LDAP configuration file is created at `nginx/nginx_ldap.conf`. +The [nginx-auth-ldap](https://github.com/kvspb/nginx-auth-ldap) module serves as the interface between Malcolm's [Nginx](https://nginx.org/) web server and a remote LDAP server. When you run [`auth_setup`](#AuthSetup) for the first time, a sample LDAP configuration file is created at `nginx/nginx_ldap.conf`. ``` # This is a sample configuration for the ldap_server section of nginx.conf. @@ -716,7 +732,7 @@ The contents of `nginx_ldap.conf` will vary depending on how the LDAP server is * **`group_attribute_is_dn`** - whether or not to search for the full distinguished name in the member object * **`require`** and **`satisfy`** - `require user`, `require group` and `require valid_user` can be used in conjunction with `satisfy any` or `satisfy all` to limit the users that are allowed to access the Malcolm instance -Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics of your LDAP server and directory tree structure. Using a LDAP search tool such as [`ldapsearch`](https://www.openldap.org/software/man.cgi?query=ldapsearch) in Linux or [`dsquery`](https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx) in Windows may be of help as you formulate the configuration. Your changes should be made within the curly braces of the `ldap_server ad_server { … }` section. You can troubleshoot configuration file syntax errors and LDAP connection or credentials issues by running `./scripts/logs.sh` (or `docker-compose logs nginx`) and examining the output of the `nginx` container. +Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics of your LDAP server and directory tree structure. Using a LDAP search tool such as [`ldapsearch`](https://www.openldap.org/software/man.cgi?query=ldapsearch) in Linux or [`dsquery`](https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx) in Windows may be of help as you formulate the configuration. Your changes should be made within the curly braces of the `ldap_server ad_server { … }` section. You can troubleshoot configuration file syntax errors and LDAP connection or credentials issues by running `./scripts/logs` (or `docker-compose logs nginx`) and examining the output of the `nginx` container. The **Malcolm User Management** page described above is not available when using LDAP authentication. @@ -745,23 +761,23 @@ In addition to the `NGINX_BASIC_AUTH` environment variable being set to `false` [Docker compose](https://docs.docker.com/compose/) is used to coordinate running the Docker containers. To start Malcolm, navigate to the directory containing `docker-compose.yml` and run: ``` -$ ./scripts/start.sh +$ ./scripts/start ``` This will create the containers' virtual network and instantiate them, then leave them running in the background. The Malcolm containers may take a several minutes to start up completely. To follow the debug output for an already-running Malcolm instance, run: ``` -$ ./scripts/logs.sh +$ ./scripts/logs ``` You can also use `docker stats` to monitor the resource utilization of running containers. ### Stopping and restarting Malcolm -You can run `./scripts/stop.sh` to stop the docker containers and remove their virtual network. Alternately, `./scripts/restart.sh` will restart an instance of Malcolm. Because the data on disk is stored on the host in docker volumes, doing these operations will not result in loss of data. +You can run `./scripts/stop` to stop the docker containers and remove their virtual network. Alternatively, `./scripts/restart` will restart an instance of Malcolm. Because the data on disk is stored on the host in docker volumes, doing these operations will not result in loss of data. Malcolm can be configured to be automatically restarted when the Docker system daemon restart (for example, on system reboot). This behavior depends on the [value](https://docs.docker.com/config/containers/start-containers-automatically/) of the [`restart:`](https://docs.docker.com/compose/compose-file/#restart) setting for each service in the `docker-compose.yml` file. This value can be set by running [`./scripts/install.py --configure`](#ConfigAndTuning) and answering "yes" to "`Restart Malcolm upon system or Docker daemon restart?`." ### Clearing Malcolm’s data -Run `./scripts/wipe.sh` to stop the Malcolm instance and wipe its Elasticsearch database (including [index snapshots](#Curator)). +Run `./scripts/wipe` to stop the Malcolm instance and wipe its Elasticsearch database (including [index snapshots](#Curator)). ## Capture file and log archive upload @@ -846,23 +862,6 @@ output.logstash: ssl.verification_mode: "none" ``` -### Monitoring a local Zeek instance - -Another option for analyzing live network data is to run an external local copy of Zeek (ie., not within Malcolm) so that the log files it creates are seen by Malcolm and automatically processed as they are written to a local directory on the same host. - -To do this, you'll need to configure Malcolm's local Filebeat log forwarder so that it will continue to look for changes to Zeek logs that are actively being written to even once it reaches the end of the file. You can do this by replacing `docker-compose.yml` with `docker-compose-standalone-zeek-live.yml` before starting Malcolm: - -``` -$ mv -f ./docker-compose-standalone-zeek-live.yml ./docker-compose.yml -``` - -Alternately, you can run the `start.sh` script (and the other control scripts) like this, without modifying your original `docker-compose.yml` file: -``` -$ ./scripts/start.sh ./docker-compose-standalone-zeek-live.yml -``` - -Once Malcolm has been [started](#Starting), `cd` into `./zeek-logs/current/` and run `bro` from inside that directory. - ## Moloch The Moloch interface will be accessible over HTTPS on port 443 at the docker hosts IP address (e.g., [https://localhost](https://localhost) if you are connecting locally). @@ -1301,8 +1300,29 @@ If both `zeek.orig_segment` and `zeek.resp_segment` are added to a log, and if t ![Cross-segment traffic in Connections](./docs/images/screenshots/moloch_connections_segments.png) +#### Defining hostname and CIDR subnet names interface + +As an alternative to manually editing `cidr-map.txt` and `host-map.txt`, a **Host and Subnet Name Mapping** editor is available at [https://localhost/name-map-ui/](https://localhost/name-map-ui/) if you are connecting locally. Upon loading, the editor is populated from `cidr-map.txt`, `host-map.txt` and `net-map.json`. + +This editor provides the following controls: + +* 🔎 **Search mappings** - narrow the list of visible items using a search filter +* **Type**, **Address**, **Name** and **Tag** *(column headings)* - sort the list of items by clicking a column header +* 📝 *(per item)* - modify the selected item +* 🚫 *(per item)* - remove the selected item +* 🖳 **host** / 🖧 **segment**, **Address**, **Name**, **Tag (optional)** and 💾 - save the item with these values (either adding a new item or updating the item being modified) +* 📥 **Import** - clear the list and replace it with the contents of an uploaded `net-map.json` file +* 📤 **Export** - format and download the list as a `net-map.json` file +* 💾 **Save Mappings** - format and store `net-map.json` in the Malcolm directory (replacing the existing `net-map.json` file) +* 🔁 **Restart Logstash** - restart log ingestion, parsing and enrichment + +![Host and Subnet Name Mapping Editor](./docs/images/screenshots/malcolm_name_map_ui.png) + #### Applying mapping changes -When changes are made to either `cidr-map.txt` or `host-map.txt`, Malcolm's Logstash container must be restarted. The easiest way to do this is to restart malcolm via `restart.sh` (see [Stopping and restarting Malcolm](#StopAndRestart)). + +When changes are made to either `cidr-map.txt`, `host-map.txt` or `net-map.json`, Malcolm's Logstash container must be restarted. The easiest way to do this is to restart malcolm via `restart` (see [Stopping and restarting Malcolm](#StopAndRestart)) or by clicking the 🔁 **Restart Logstash** button in the [name mapping interface](#NameMapUI) interface. + +Restarting Logstash may take several minutes, after which log ingestion will be resumed. ## Elasticsearch index curation @@ -1353,7 +1373,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu ``` … -Finished, created "/malcolm-build/malcolm-iso/malcolm-1.8.1.iso" +Finished, created "/malcolm-build/malcolm-iso/malcolm-2.0.0.iso" … ``` @@ -1392,7 +1412,7 @@ Following these prompts, the installer will reboot and the Malcolm base operatin When the system boots for the first time, the Malcolm Docker images will load if the installer was built with pre-packaged installation files as described above. Wait for this operation to continue (the progress dialog will disappear when they have finished loading) before continuing the setup. -Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup.sh`](#AuthSetup) to configure authentication. If the ISO didn't have pre-packaged Malcolm images, or if you'd like to retrieve the latest updates, run `docker-compose pull`. Finalize your configuration by running `sudo python3 scripts/install.py -c` and follow the prompts as illustrated in the [installation example](#InstallationExample). +Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](#AuthSetup) to configure authentication. If the ISO didn't have pre-packaged Malcolm images, or if you'd like to retrieve the latest updates, run `docker-compose pull`. Finalize your configuration by running `sudo python3 scripts/install.py -c` and follow the prompts as illustrated in the [installation example](#InstallationExample). Once Malcolm is configured, you can [start Malcolm](#Starting) via the command line or by clicking the circular yellow Malcolm icon in the menu bar. @@ -1639,7 +1659,7 @@ Enter installation path for Malcolm [/home/user/Downloads/malcolm]: /home/user/M Malcolm runtime files extracted to /home/user/Malcolm ``` -Alternately, **if you are configuring Malcolm from within a git working copy**, `install.py` will now exit. Run `install.py` again like you did at the beginning of the example, only remove the `sudo` and add `--configure` to run `install.py` in "configuration only" mode. +Alternatively, **if you are configuring Malcolm from within a git working copy**, `install.py` will now exit. Run `install.py` again like you did at the beginning of the example, only remove the `sudo` and add `--configure` to run `install.py` in "configuration only" mode. ``` user@host:~/Malcolm$ python3 scripts/install.py --configure ``` @@ -1715,7 +1735,7 @@ At this point you should **reboot your computer** so that the new system setting Now we need to [set up authentication](#AuthSetup) and generate some unique self-signed SSL certificates. You can replace `analyst` in this example with whatever username you wish to use to log in to the Malcolm web interface. ``` -user@host:~/Malcolm$ ./scripts/auth_setup.sh +user@host:~/Malcolm$ ./scripts/auth_setup Username: analyst analyst password: analyst password (again): @@ -1735,6 +1755,8 @@ Pulling elastalert ... done Pulling elasticsearch ... done Pulling file-monitor ... done Pulling filebeat ... done +Pulling freq ... done +Pulling name-map-ui ... done Pulling htadmin ... done Pulling kibana ... done Pulling logstash ... done @@ -1747,34 +1769,38 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/moloch 1.8.1 xxxxxxxxxxxx 27 minutes ago 517MB -malcolmnetsec/zeek 1.8.1 xxxxxxxxxxxx 27 minutes ago 489MB -malcolmnetsec/htadmin 1.8.1 xxxxxxxxxxxx 2 hours ago 180MB -malcolmnetsec/nginx-proxy 1.8.1 xxxxxxxxxxxx 4 hours ago 53MB -malcolmnetsec/file-upload 1.8.1 xxxxxxxxxxxx 24 hours ago 198MB -malcolmnetsec/pcap-capture 1.8.1 xxxxxxxxxxxx 24 hours ago 111MB -malcolmnetsec/pcap-monitor 1.8.1 xxxxxxxxxxxx 24 hours ago 156MB -malcolmnetsec/file-monitor 1.8.1 xxxxxxxxxxxx 24 hours ago 355MB -malcolmnetsec/logstash-oss 1.8.1 xxxxxxxxxxxx 25 hours ago 1.24GB -malcolmnetsec/curator 1.8.1 xxxxxxxxxxxx 25 hours ago 303MB -malcolmnetsec/kibana-oss 1.8.1 xxxxxxxxxxxx 33 hours ago 944MB -malcolmnetsec/filebeat-oss 1.8.1 xxxxxxxxxxxx 11 days ago 459MB -malcolmnetsec/elastalert 1.8.1 xxxxxxxxxxxx 11 days ago 276MB -docker.elastic.co/elasticsearch/elasticsearch-oss 7.5.1 xxxxxxxxxxxx 5 weeks ago 769MB +malcolmnetsec/moloch 2.0.0 xxxxxxxxxxxx 27 minutes ago 517MB +malcolmnetsec/zeek 2.0.0 xxxxxxxxxxxx 27 minutes ago 489MB +malcolmnetsec/htadmin 2.0.0 xxxxxxxxxxxx 2 hours ago 180MB +malcolmnetsec/nginx-proxy 2.0.0 xxxxxxxxxxxx 4 hours ago 53MB +malcolmnetsec/file-upload 2.0.0 xxxxxxxxxxxx 24 hours ago 198MB +malcolmnetsec/pcap-capture 2.0.0 xxxxxxxxxxxx 24 hours ago 111MB +malcolmnetsec/pcap-monitor 2.0.0 xxxxxxxxxxxx 24 hours ago 156MB +malcolmnetsec/file-monitor 2.0.0 xxxxxxxxxxxx 24 hours ago 355MB +malcolmnetsec/logstash-oss 2.0.0 xxxxxxxxxxxx 25 hours ago 1.24GB +malcolmnetsec/curator 2.0.0 xxxxxxxxxxxx 25 hours ago 303MB +malcolmnetsec/kibana-oss 2.0.0 xxxxxxxxxxxx 33 hours ago 944MB +malcolmnetsec/filebeat-oss 2.0.0 xxxxxxxxxxxx 11 days ago 459MB +malcolmnetsec/elastalert 2.0.0 xxxxxxxxxxxx 11 days ago 276MB +malcolmnetsec/freq 2.0.0 xxxxxxxxxxxx 11 days ago 188MB +malcolmnetsec/name-map-ui 2.0.0 xxxxxxxxxxxx 35 minutes ago 20MB +docker.elastic.co/elasticsearch/elasticsearch-oss 7.6.2 xxxxxxxxxxxx 5 weeks ago 769MB ``` Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background. ``` -user@host:~/Malcolm$ ./scripts/start.sh +user@host:~/Malcolm$ ./scripts/start Creating network "malcolm_default" with the default driver Creating malcolm_curator_1 ... done Creating malcolm_elastalert_1 ... done Creating malcolm_elasticsearch_1 ... done Creating malcolm_file-monitor_1 ... done Creating malcolm_filebeat_1 ... done +Creating malcolm_freq_1 ... done Creating malcolm_htadmin_1 ... done Creating malcolm_kibana_1 ... done Creating malcolm_logstash_1 ... done +Creating malcolm_name-map-ui_1 ... done Creating malcolm_moloch_1 ... done Creating malcolm_nginx-proxy_1 ... done Creating malcolm_pcap-capture_1 ... done @@ -1788,11 +1814,12 @@ In a few minutes, Malcolm services will be accessible via the following URLs: - Kibana: https://localhost/kibana/ - PCAP Upload (web): https://localhost/upload/ - PCAP Upload (sftp): sftp://username@127.0.0.1:8022/files/ + - Host and subnet name mapping editor: https://localhost/name-map-ui/ - Account management: https://localhost:488/ … ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- … -Attaching to malcolm_curator_1, malcolm_elastalert_1, malcolm_elasticsearch_1, malcolm_file-monitor_1, malcolm_filebeat_1, malcolm_htadmin_1, malcolm_kibana_1, malcolm_logstash_1, malcolm_moloch_1, malcolm_nginx-proxy_1, malcolm_pcap-capture_1, malcolm_pcap-monitor_1, malcolm_upload_1, malcolm_zeek_1 +Attaching to malcolm_curator_1, malcolm_elastalert_1, malcolm_elasticsearch_1, malcolm_file-monitor_1, malcolm_filebeat_1, malcolm_freq_1, malcolm_htadmin_1, malcolm_kibana_1, malcolm_logstash_1, malcolm_name-map-ui_1, malcolm_moloch_1, malcolm_nginx-proxy_1, malcolm_pcap-capture_1, malcolm_pcap-monitor_1, malcolm_upload_1, malcolm_zeek_1 … ``` @@ -1808,7 +1835,7 @@ You can now open a web browser and navigate to one of the [Malcolm user interfac ## Copyright -[Malcolm](https://github.com/idaholab/Malcolm) is Copyright 2019 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. +[Malcolm](https://github.com/idaholab/Malcolm) is Copyright 2020 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. See [`License.txt`](./License.txt) for the terms of its release. diff --git a/cidr-map.txt b/cidr-map.txt index 5ca134e3f..e4417cff2 100644 --- a/cidr-map.txt +++ b/cidr-map.txt @@ -10,3 +10,5 @@ # required tag (optional): only check match and apply segment name if the event # contains this tag # +# Alternatively, as of Malcolm v2.0 there is a web UI editor for defining subnet +# to segment name maps, located at https:///name-map-ui. \ No newline at end of file diff --git a/curator/scripts/register-elasticsearch-snapshot-repo.sh b/curator/scripts/register-elasticsearch-snapshot-repo.sh index 883baf522..4564d4e54 100755 --- a/curator/scripts/register-elasticsearch-snapshot-repo.sh +++ b/curator/scripts/register-elasticsearch-snapshot-repo.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. if [ $# -gt 0 ]; then ES_URL="$1" diff --git a/docker-compose-standalone-zeek-live.yml b/docker-compose-standalone-zeek-live.yml deleted file mode 100644 index 4c2e1cefa..000000000 --- a/docker-compose-standalone-zeek-live.yml +++ /dev/null @@ -1,380 +0,0 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -version: '3.7' - -################################################################################ -# Commonly tweaked configuration options -#------------------------------------------------------------------------------- -x-auth-variables: &auth-variables - # authentication method: encrypted HTTP basic authentication ('true') vs LDAP ('false') - NGINX_BASIC_AUTH : 'true' - # NGINX LDAP (NGINX_BASIC_AUTH=false) can support LDAP, LDAPS, or LDAP+StartTLS. - # For StartTLS, set NGINX_LDAP_TLS_STUNNEL=true to issue the StartTLS command - # and use stunnel to tunnel the connection. - NGINX_LDAP_TLS_STUNNEL : 'false' - # When NGINX_LDAP_TLS_STUNNEL=true, which protocol to use when initiating the - # "extendedReq(1) LDAP_START_TLS_OID" command: winldap or openldap - NGINX_LDAP_TLS_STUNNEL_PROTOCOL : 'winldap' - -x-moloch-variables: &moloch-variables - MANAGE_PCAP_FILES : 'false' - MOLOCH_ANALYZE_PCAP_THREADS : 1 - MAXMIND_GEOIP_DB_LICENSE_KEY : '0' - -x-zeek-variables: &zeek-variables - ZEEK_AUTO_ANALYZE_PCAP_FILES : 'true' - ZEEK_AUTO_ANALYZE_PCAP_THREADS : 1 - ZEEK_EXTRACTOR_MODE : 'none' - EXTRACTED_FILE_IGNORE_EXISTING : 'false' - EXTRACTED_FILE_PRESERVATION : 'quarantined' - EXTRACTED_FILE_MIN_BYTES : 64 - EXTRACTED_FILE_MAX_BYTES : 134217728 - VTOT_API2_KEY : '0' - VTOT_REQUESTS_PER_MINUTE : 4 - EXTRACTED_FILE_ENABLE_CLAMAV : 'false' - EXTRACTED_FILE_ENABLE_FRESHCLAM : 'false' - EXTRACTED_FILE_PIPELINE_DEBUG : 'false' - EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA : 'false' - -x-logstash-variables: &logstash-variables - # experimental java execution engine (https://www.elastic.co/blog/meet-the-new-logstash-java-execution-engine) - LOGSTASH_JAVA_EXECUTION_ENGINE : 'true' - LOGSTASH_OUI_LOOKUP : 'true' - LOGSTASH_REVERSE_DNS : 'false' - # ES_EXTERNAL_HOSTS : '10.0.0.123:9200' - # ES_EXTERNAL_SSL : 'true' - # ES_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false' - # For security, ES_EXTERNAL_USER and ES_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup.sh - # See also volume mount for logstash.keystore below. - # ES_EXTERNAL_USER : 'janedoe' - # ES_EXTERNAL_PASSWORD : 'secret' - -x-kibana-variables: &kibana-variables - KIBANA_OFFLINE_REGION_MAPS : 'true' - -x-curator-variables: &curator-variables - # get index dates from actual date index was created (creation_date) vs. extracted from index name (name) - CURATOR_TIME_SOURCE : 'name' - # for managing automatic closing of older Elasticsearch indices (to conserve memory) - CURATOR_CLOSE_UNITS : years - CURATOR_CLOSE_COUNT : 10 - # for managing automatic deleting of older Elasticsearch indices (to reduce disk consumption) - CURATOR_DELETE_UNITS : years - CURATOR_DELETE_COUNT : 99 - # for managing automatic deleting of Elasticsearch indices based on cumulative size (to reduce disk consumption) - CURATOR_DELETE_GIGS : 1000000 - # for managing automatic snapshots of Elasticsearch indices - CURATOR_SNAPSHOT_DISABLED : 'True' - # name of Elasticsearch snapshot repository under path.repo - CURATOR_SNAPSHOT_REPO : 'logs' - # controls compression of Elasticsearch snapshots managed by the curator - CURATOR_SNAPSHOT_COMPRESSED : 'false' - -x-common-upload-variables: &common-upload-variables - AUTO_TAG : 'true' - PCAP_PIPELINE_DEBUG : 'false' - PCAP_PIPELINE_DEBUG_EXTRA : 'false' - PCAP_PIPELINE_IGNORE_PREEXISTING : 'false' - PCAP_MONITOR_HOST : 'pcap-monitor' - -x-common-beats-variables: &common-beats-variables - BEATS_SSL : 'false' - -x-pcap-capture-variables: &pcap-capture-variables - PCAP_ENABLE_NETSNIFF : 'false' - PCAP_ENABLE_TCPDUMP : 'false' - PCAP_IFACE : 'eth0' - PCAP_ROTATE_MEGABYTES : 1024 - PCAP_ROTATE_MINUTES : 10 - PCAP_FILTER : '' -################################################################################ - -services: - elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.5.1 - restart: "no" - hostname: elasticsearch - environment: - logger.level : 'WARN' - bootstrap.memory_lock : 'true' - ES_JAVA_OPTS : '-Xms4g -Xmx4g -Xss256k -Djava.security.egd=file:/dev/./urandom' - VIRTUAL_HOST : 'es.malcolm.local' - discovery.type : 'single-node' - # cluster.initial_master_nodes : 'elasticsearch' - cluster.routing.allocation.disk.threshold_enabled : 'false' - cluster.routing.allocation.node_initial_primaries_recoveries : 8 - path.repo : '/opt/elasticsearch/backup' - expose: - - 9200 - ulimits: - memlock: - soft: -1 - hard: -1 - cap_add: - - IPC_LOCK - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 180s - volumes: - - ./elasticsearch:/usr/share/elasticsearch/data:delegated - - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated - kibana: - image: malcolmnetsec/kibana-oss:1.8.1 - restart: "no" - hostname: kibana - environment: - << : *kibana-variables - ELASTICSEARCH_URL : 'http://elasticsearch:9200' - VIRTUAL_HOST : 'kibana.malcolm.local' - CREATE_ES_MOLOCH_SESSION_INDEX : 'true' - MOLOCH_INDEX_PATTERN : 'sessions2-*' - MOLOCH_INDEX_PATTERN_ID : 'sessions2-*' - MOLOCH_INDEX_TIME_FIELD : 'firstPacket' - depends_on: - - elasticsearch - expose: - - 5601 - - 28991 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:5601/kibana/api/status"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 200s - elastalert: - image: malcolmnetsec/elastalert:1.8.1 - restart: "no" - hostname: elastalert - environment: - ELASTICSEARCH_URL : 'http://elasticsearch:9200' - ES_HOST : 'elasticsearch' - ES_PORT : 9200 - VIRTUAL_HOST : 'elastalert.malcolm.local' - depends_on: - - elasticsearch - expose: - - 3030 - - 3333 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:3030"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 200s - volumes: - - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml - - ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro - - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - - ./elastalert/rules/:/opt/elastalert/rules/ - curator: - image: malcolmnetsec/curator:1.8.1 - restart: "no" - hostname: curator - environment: - << : *curator-variables - ES_HOST : 'elasticsearch' - ES_PORT : 9200 - depends_on: - - elasticsearch - logstash: - image: malcolmnetsec/logstash-oss:1.8.1 - restart: "no" - hostname: logstash - environment: - << : *logstash-variables - << : *common-beats-variables - ES_HOSTS : 'elasticsearch:9200' - LS_JAVA_OPTS : '-Xms2g -Xmx2g -Djava.security.egd=file:/dev/./urandom' - depends_on: - - elasticsearch - expose: - - 5000 - - 5044 - - 9600 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9600"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 600s - volumes: - # - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:ro - - ./logstash/certs/ca.crt:/certs/ca.crt:ro - - ./logstash/certs/server.crt:/certs/server.crt:ro - - ./logstash/certs/server.key:/certs/server.key:ro - - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro - filebeat: - image: malcolmnetsec/filebeat-oss:1.8.1 - restart: "no" - hostname: filebeat - environment: - << : *common-upload-variables - << : *common-beats-variables - FILEBEAT_LOG_PATH : '/data/zeek/current' - FILEBEAT_LOG_CLEANUP_MINUTES : 180 - FILEBEAT_ZIP_CLEANUP_MINUTES : 360 - FILEBEAT_SCAN_FREQUENCY : '10s' - FILEBEAT_CLEAN_INACTIVE : '180m' - FILEBEAT_IGNORE_OLDER : '120m' - FILEBEAT_CLOSE_INACTIVE : '90m' - FILEBEAT_CLOSE_RENAMED : 'false' - FILEBEAT_CLOSE_REMOVED : 'true' - FILEBEAT_CLOSE_EOF : 'false' - FILEBEAT_CLEAN_REMOVED : 'true' - depends_on: - - logstash - volumes: - - ./zeek-logs:/data/zeek - - ./filebeat/certs/ca.crt:/certs/ca.crt:ro - - ./filebeat/certs/client.crt:/certs/client.crt:ro - - ./filebeat/certs/client.key:/certs/client.key:ro - moloch: - image: malcolmnetsec/moloch:1.8.1 - restart: "no" - hostname: moloch - env_file: - - ./auth.env - environment: - << : *common-upload-variables - << : *moloch-variables - MOLOCH_VERSION : '2.1.2' - VIRTUAL_HOST : 'moloch.malcolm.local' - ES_HOST : 'elasticsearch' - ES_PORT : 9200 - ES_MAX_SHARDS_PER_NODE : 2500 - VIEWER : 'on' - WISE : 'on' - ulimits: - memlock: - soft: -1 - hard: -1 - depends_on: - - elasticsearch - expose: - - 8000 - - 8005 - - 8081 - volumes: - - ./pcap:/data/pcap - - ./moloch-logs:/data/moloch/logs - - ./moloch-raw:/data/moloch/raw - zeek: - image: malcolmnetsec/zeek:1.8.1 - restart: "no" - hostname: zeek - environment: - << : *common-upload-variables - << : *zeek-variables - ulimits: - memlock: - soft: -1 - hard: -1 - depends_on: - - elasticsearch - volumes: - - ./pcap:/pcap - - ./zeek-logs/upload:/zeek/upload - - ./zeek-logs/extract_files:/zeek/extract_files - file-monitor: - image: malcolmnetsec/file-monitor:1.8.1 - restart: "no" - hostname: filemon - environment: - << : *zeek-variables - expose: - - 3310 - volumes: - - ./zeek-logs/extract_files:/data/zeek/extract_files - - ./zeek-logs/current:/data/zeek/logs - pcap-capture: - image: malcolmnetsec/pcap-capture:1.8.1 - restart: "no" - network_mode: host - ulimits: - memlock: - soft: -1 - hard: -1 - cap_add: - - IPC_LOCK - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - environment: - << : *pcap-capture-variables - volumes: - - ./pcap/upload:/pcap - pcap-monitor: - image: malcolmnetsec/pcap-monitor:1.8.1 - restart: "no" - hostname: pcapmon - environment: - << : *common-upload-variables - ELASTICSEARCH_URL : 'http://elasticsearch:9200' - depends_on: - - elasticsearch - expose: - - 30441 - volumes: - - ./zeek-logs:/zeek - - ./pcap:/pcap - upload: - image: malcolmnetsec/file-upload:1.8.1 - restart: "no" - hostname: upload - env_file: - - ./auth.env - environment: - SITE_NAME : 'Capture File and Log Archive Upload' - VIRTUAL_HOST : 'upload.malcolm.local' - depends_on: - - moloch - expose: - - 80 - ports: - - 127.0.0.1:8022:22 - volumes: - - ./pcap/upload:/var/www/upload/server/php/chroot/files - htadmin: - image: malcolmnetsec/htadmin:1.8.1 - restart: "no" - hostname: htadmin - environment: - << : *auth-variables - VIRTUAL_HOST : 'htadmin.malcolm.local' - expose: - - 80 - volumes: - - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw - nginx-proxy: - image: malcolmnetsec/nginx-proxy:1.8.1 - restart: "no" - hostname: nginx-proxy - environment: - << : *auth-variables - depends_on: - - moloch - - kibana - - upload - - htadmin - ports: - - "443:443" - - "488:488" - - "3030:3030" - - "5601:5601" - - "8443:8443" - - "9200:9200" - - "9600:9600" - - "28991:28991" - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - - ./nginx/certs:/etc/nginx/certs:ro - - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 6da54a451..924ce3cb9 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. version: '3.7' @@ -16,6 +16,10 @@ x-auth-variables: &auth-variables # "extendedReq(1) LDAP_START_TLS_OID" command: winldap or openldap NGINX_LDAP_TLS_STUNNEL_PROTOCOL : 'winldap' +x-nginx-variables: &nginx-variables + # Whether or not to write nginx's access.log and error.log to Elasticsearch + NGINX_LOG_ACCESS_AND_ERRORS : 'false' + x-moloch-variables: &moloch-variables MANAGE_PCAP_FILES : 'false' MOLOCH_ANALYZE_PCAP_THREADS : 1 @@ -37,14 +41,12 @@ x-zeek-variables: &zeek-variables EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA : 'false' x-logstash-variables: &logstash-variables - # experimental java execution engine (https://www.elastic.co/blog/meet-the-new-logstash-java-execution-engine) - LOGSTASH_JAVA_EXECUTION_ENGINE : 'true' LOGSTASH_OUI_LOOKUP : 'true' LOGSTASH_REVERSE_DNS : 'false' # ES_EXTERNAL_HOSTS : '10.0.0.123:9200' # ES_EXTERNAL_SSL : 'true' # ES_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false' - # For security, ES_EXTERNAL_USER and ES_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup.sh + # For security, ES_EXTERNAL_USER and ES_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup # See also volume mount for logstash.keystore below. # ES_EXTERNAL_USER : 'janedoe' # ES_EXTERNAL_PASSWORD : 'secret' @@ -77,6 +79,9 @@ x-common-upload-variables: &common-upload-variables PCAP_PIPELINE_IGNORE_PREEXISTING : 'false' PCAP_MONITOR_HOST : 'pcap-monitor' +x-common-lookup-variables: &common-lookup-variables + FREQ_LOOKUP : 'false' + x-common-beats-variables: &common-beats-variables BEATS_SSL : 'false' @@ -91,7 +96,7 @@ x-pcap-capture-variables: &pcap-capture-variables services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.5.1 + image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.6.2 restart: "no" hostname: elasticsearch environment: @@ -112,17 +117,17 @@ services: hard: -1 cap_add: - IPC_LOCK - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 180s volumes: - ./elasticsearch:/usr/share/elasticsearch/data:delegated - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9200"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 180s kibana: - image: malcolmnetsec/kibana-oss:1.8.1 + image: malcolmnetsec/kibana-oss:2.0.0 restart: "no" hostname: kibana environment: @@ -139,13 +144,13 @@ services: - 5601 - 28991 healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:5601/kibana/api/status"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 200s + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5601/kibana/api/status"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 210s elastalert: - image: malcolmnetsec/elastalert:1.8.1 + image: malcolmnetsec/elastalert:2.0.0 restart: "no" hostname: elastalert environment: @@ -158,19 +163,19 @@ services: expose: - 3030 - 3333 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:3030"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 200s volumes: - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml - ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:3030"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 210s curator: - image: malcolmnetsec/curator:1.8.1 + image: malcolmnetsec/curator:2.0.0 restart: "no" hostname: curator environment: @@ -179,27 +184,28 @@ services: ES_PORT : 9200 depends_on: - elasticsearch + healthcheck: + test: ["CMD", "pidof", "cron"] + interval: 30s + timeout: 5s + retries: 3 + start_period: 30s logstash: - image: malcolmnetsec/logstash-oss:1.8.1 + image: malcolmnetsec/logstash-oss:2.0.0 restart: "no" hostname: logstash environment: << : *logstash-variables << : *common-beats-variables + << : *common-lookup-variables ES_HOSTS : 'elasticsearch:9200' LS_JAVA_OPTS : '-Xms2g -Xmx2g -Djava.security.egd=file:/dev/./urandom' depends_on: - elasticsearch expose: - - 5000 - 5044 + - 9001 - 9600 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9600"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 600s volumes: # - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:ro - ./logstash/certs/ca.crt:/certs/ca.crt:ro @@ -207,14 +213,23 @@ services: - ./logstash/certs/server.key:/certs/server.key:ro - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro + - ./net-map.json:/usr/share/logstash/config/net-map.json:ro + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9600"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 600s filebeat: - image: malcolmnetsec/filebeat-oss:1.8.1 + image: malcolmnetsec/filebeat-oss:2.0.0 restart: "no" hostname: filebeat environment: + << : *nginx-variables << : *common-upload-variables << : *common-beats-variables FILEBEAT_LOG_PATH : '/data/zeek/current' + FILEBEAT_NGINX_LOG_PATH : '/data/nginx' FILEBEAT_LOG_CLEANUP_MINUTES : 180 FILEBEAT_ZIP_CLEANUP_MINUTES : 360 FILEBEAT_SCAN_FREQUENCY : '10s' @@ -228,12 +243,19 @@ services: depends_on: - logstash volumes: + - nginx-log-path:/data/nginx:ro - ./zeek-logs:/data/zeek - ./filebeat/certs/ca.crt:/certs/ca.crt:ro - ./filebeat/certs/client.crt:/certs/client.crt:ro - ./filebeat/certs/client.key:/certs/client.key:ro + healthcheck: + test: ["CMD", "supervisorctl", "status", "filebeat"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s moloch: - image: malcolmnetsec/moloch:1.8.1 + image: malcolmnetsec/moloch:2.0.0 restart: "no" hostname: moloch env_file: @@ -241,7 +263,7 @@ services: environment: << : *common-upload-variables << : *moloch-variables - MOLOCH_VERSION : '2.1.2' + MOLOCH_VERSION : '2.2.3' VIRTUAL_HOST : 'moloch.malcolm.local' ES_HOST : 'elasticsearch' ES_PORT : 9200 @@ -262,8 +284,14 @@ services: - ./pcap:/data/pcap - ./moloch-logs:/data/moloch/logs - ./moloch-raw:/data/moloch/raw + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:8005/_ns_/nstest.html"] + interval: 90s + timeout: 30s + retries: 3 + start_period: 210s zeek: - image: malcolmnetsec/zeek:1.8.1 + image: malcolmnetsec/zeek:2.0.0 restart: "no" hostname: zeek environment: @@ -279,8 +307,14 @@ services: - ./pcap:/pcap - ./zeek-logs/upload:/zeek/upload - ./zeek-logs/extract_files:/zeek/extract_files + healthcheck: + test: ["CMD", "supervisorctl", "status", "pcap-zeek"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s file-monitor: - image: malcolmnetsec/file-monitor:1.8.1 + image: malcolmnetsec/file-monitor:2.0.0 restart: "no" hostname: filemon environment: @@ -290,8 +324,14 @@ services: volumes: - ./zeek-logs/extract_files:/data/zeek/extract_files - ./zeek-logs/current:/data/zeek/logs + healthcheck: + test: ["CMD", "supervisorctl", "status", "watcher", "scanner", "logger"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s pcap-capture: - image: malcolmnetsec/pcap-capture:1.8.1 + image: malcolmnetsec/pcap-capture:2.0.0 restart: "no" network_mode: host ulimits: @@ -307,8 +347,14 @@ services: << : *pcap-capture-variables volumes: - ./pcap/upload:/pcap + healthcheck: + test: ["CMD", "supervisorctl", "status"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s pcap-monitor: - image: malcolmnetsec/pcap-monitor:1.8.1 + image: malcolmnetsec/pcap-monitor:2.0.0 restart: "no" hostname: pcapmon environment: @@ -321,8 +367,14 @@ services: volumes: - ./zeek-logs:/zeek - ./pcap:/pcap + healthcheck: + test: ["CMD", "supervisorctl", "status", "watch-upload", "pcap-publisher"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 90s upload: - image: malcolmnetsec/file-upload:1.8.1 + image: malcolmnetsec/file-upload:2.0.0 restart: "no" hostname: upload env_file: @@ -338,8 +390,14 @@ services: - 127.0.0.1:8022:22 volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files + healthcheck: + test: ["CMD", "wget", "-qO-", "http://localhost"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s htadmin: - image: malcolmnetsec/htadmin:1.8.1 + image: malcolmnetsec/htadmin:2.0.0 restart: "no" hostname: htadmin environment: @@ -351,17 +409,58 @@ services: - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s + freq: + image: malcolmnetsec/freq:2.0.0 + restart: "no" + hostname: freq + environment: + << : *common-lookup-variables + VIRTUAL_HOST : 'freq.malcolm.local' + expose: + - 10004 + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:10004"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s + name-map-ui: + image: malcolmnetsec/name-map-ui:2.0.0 + restart: "no" + hostname: name-map-ui + environment: + VIRTUAL_HOST : 'name-map-ui.malcolm.local' + expose: + - 8080 + volumes: + - ./cidr-map.txt:/var/www/html/maps/cidr-map.txt:ro + - ./host-map.txt:/var/www/html/maps/host-map.txt:ro + - ./net-map.json:/var/www/html/maps/net-map.json:rw + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:8080/fpm-ping"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s nginx-proxy: - image: malcolmnetsec/nginx-proxy:1.8.1 + image: malcolmnetsec/nginx-proxy:2.0.0 restart: "no" hostname: nginx-proxy environment: << : *auth-variables + << : *nginx-variables depends_on: - moloch - kibana - upload - htadmin + - name-map-ui ports: - "443:443" - "488:488" @@ -370,11 +469,19 @@ services: - "8443:8443" - "9200:9200" - "9600:9600" - - "28991:28991" volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro + - nginx-log-path:/var/log/nginx:rw - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - ./nginx/certs:/etc/nginx/certs:ro - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro + healthcheck: + test: ["CMD", "curl", "--insecure", "--silent", "https://localhost:443"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 120s +# shared named volume so filebeat can access nginx access logs +volumes: + nginx-log-path: diff --git a/docker-compose.yml b/docker-compose.yml index 6377e49ae..2350af786 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. version: '3.7' @@ -16,6 +16,10 @@ x-auth-variables: &auth-variables # "extendedReq(1) LDAP_START_TLS_OID" command: winldap or openldap NGINX_LDAP_TLS_STUNNEL_PROTOCOL : 'winldap' +x-nginx-variables: &nginx-variables + # Whether or not to write nginx's access.log and error.log to Elasticsearch + NGINX_LOG_ACCESS_AND_ERRORS : 'false' + x-moloch-variables: &moloch-variables MANAGE_PCAP_FILES : 'false' MOLOCH_ANALYZE_PCAP_THREADS : 1 @@ -37,14 +41,12 @@ x-zeek-variables: &zeek-variables EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA : 'false' x-logstash-variables: &logstash-variables - # experimental java execution engine (https://www.elastic.co/blog/meet-the-new-logstash-java-execution-engine) - LOGSTASH_JAVA_EXECUTION_ENGINE : 'true' LOGSTASH_OUI_LOOKUP : 'true' LOGSTASH_REVERSE_DNS : 'false' # ES_EXTERNAL_HOSTS : '10.0.0.123:9200' # ES_EXTERNAL_SSL : 'true' # ES_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false' - # For security, ES_EXTERNAL_USER and ES_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup.sh + # For security, ES_EXTERNAL_USER and ES_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup # See also volume mount for logstash.keystore below. # ES_EXTERNAL_USER : 'janedoe' # ES_EXTERNAL_PASSWORD : 'secret' @@ -77,6 +79,9 @@ x-common-upload-variables: &common-upload-variables PCAP_PIPELINE_IGNORE_PREEXISTING : 'false' PCAP_MONITOR_HOST : 'pcap-monitor' +x-common-lookup-variables: &common-lookup-variables + FREQ_LOOKUP : 'false' + x-common-beats-variables: &common-beats-variables BEATS_SSL : 'false' @@ -91,7 +96,7 @@ x-pcap-capture-variables: &pcap-capture-variables services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.5.1 + image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.6.2 restart: "no" hostname: elasticsearch environment: @@ -112,20 +117,20 @@ services: hard: -1 cap_add: - IPC_LOCK - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 180s volumes: - ./elasticsearch:/usr/share/elasticsearch/data:delegated - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9200"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 180s kibana: build: context: . dockerfile: Dockerfiles/kibana.Dockerfile - image: malcolmnetsec/kibana-oss:1.8.1 + image: malcolmnetsec/kibana-oss:2.0.0 restart: "no" hostname: kibana environment: @@ -142,16 +147,16 @@ services: - 5601 - 28991 healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:5601/kibana/api/status"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 200s + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5601/kibana/api/status"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 210s elastalert: build: context: . dockerfile: Dockerfiles/elastalert.Dockerfile - image: malcolmnetsec/elastalert:1.8.1 + image: malcolmnetsec/elastalert:2.0.0 restart: "no" hostname: elastalert environment: @@ -164,22 +169,22 @@ services: expose: - 3030 - 3333 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:3030"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 200s volumes: - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml - ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:3030"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 210s curator: build: context: . dockerfile: Dockerfiles/curator.Dockerfile - image: malcolmnetsec/curator:1.8.1 + image: malcolmnetsec/curator:2.0.0 restart: "no" hostname: curator environment: @@ -190,30 +195,31 @@ services: - elasticsearch volumes: - ./curator/config/action_file.yml:/config/action_file.yml + healthcheck: + test: ["CMD", "pidof", "cron"] + interval: 30s + timeout: 5s + retries: 3 + start_period: 30s logstash: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: malcolmnetsec/logstash-oss:1.8.1 + image: malcolmnetsec/logstash-oss:2.0.0 restart: "no" hostname: logstash environment: << : *logstash-variables << : *common-beats-variables + << : *common-lookup-variables ES_HOSTS : 'elasticsearch:9200' LS_JAVA_OPTS : '-Xms2g -Xmx2g -Djava.security.egd=file:/dev/./urandom' depends_on: - elasticsearch expose: - - 5000 - 5044 + - 9001 - 9600 - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9600"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 600s volumes: - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro @@ -223,17 +229,26 @@ services: - ./logstash/certs/server.key:/certs/server.key:ro - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro + - ./net-map.json:/usr/share/logstash/config/net-map.json:ro + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9600"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 600s filebeat: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: malcolmnetsec/filebeat-oss:1.8.1 + image: malcolmnetsec/filebeat-oss:2.0.0 restart: "no" hostname: filebeat environment: + << : *nginx-variables << : *common-upload-variables << : *common-beats-variables FILEBEAT_LOG_PATH : '/data/zeek/current' + FILEBEAT_NGINX_LOG_PATH : '/data/nginx' FILEBEAT_LOG_CLEANUP_MINUTES : 180 FILEBEAT_ZIP_CLEANUP_MINUTES : 360 FILEBEAT_SCAN_FREQUENCY : '10s' @@ -247,16 +262,23 @@ services: depends_on: - logstash volumes: + - nginx-log-path:/data/nginx:ro - ./zeek-logs:/data/zeek - ./filebeat/certs/ca.crt:/certs/ca.crt:ro - ./filebeat/certs/client.crt:/certs/client.crt:ro - ./filebeat/certs/client.key:/certs/client.key:ro - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro + healthcheck: + test: ["CMD", "supervisorctl", "status", "filebeat"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s moloch: build: context: . dockerfile: Dockerfiles/moloch.Dockerfile - image: malcolmnetsec/moloch:1.8.1 + image: malcolmnetsec/moloch:2.0.0 restart: "no" hostname: moloch env_file: @@ -264,7 +286,7 @@ services: environment: << : *common-upload-variables << : *moloch-variables - MOLOCH_VERSION : '2.1.2' + MOLOCH_VERSION : '2.2.3' VIRTUAL_HOST : 'moloch.malcolm.local' ES_HOST : 'elasticsearch' ES_PORT : 9200 @@ -288,11 +310,17 @@ services: - ./moloch/etc/config.ini:/data/moloch/etc/config.ini:ro - ./moloch/etc/user_settings.json:/data/moloch/etc/user_settings.json:ro - ./moloch/wise/source.zeeklogs.js:/data/moloch/wiseService/source.zeeklogs.js:ro + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:8005/_ns_/nstest.html"] + interval: 90s + timeout: 30s + retries: 3 + start_period: 210s zeek: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: malcolmnetsec/zeek:1.8.1 + image: malcolmnetsec/zeek:2.0.0 restart: "no" hostname: zeek environment: @@ -308,12 +336,18 @@ services: - ./pcap:/pcap - ./zeek-logs/upload:/zeek/upload - ./zeek-logs/extract_files:/zeek/extract_files - - ./zeek/config:/usr/share/zeek/site:ro + - ./zeek/config/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro + healthcheck: + test: ["CMD", "supervisorctl", "status", "pcap-zeek"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s file-monitor: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: malcolmnetsec/file-monitor:1.8.1 + image: malcolmnetsec/file-monitor:2.0.0 restart: "no" hostname: filemon environment: @@ -323,11 +357,17 @@ services: volumes: - ./zeek-logs/extract_files:/data/zeek/extract_files - ./zeek-logs/current:/data/zeek/logs + healthcheck: + test: ["CMD", "supervisorctl", "status", "watcher", "scanner", "logger"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s pcap-capture: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: malcolmnetsec/pcap-capture:1.8.1 + image: malcolmnetsec/pcap-capture:2.0.0 restart: "no" network_mode: host ulimits: @@ -343,11 +383,17 @@ services: << : *pcap-capture-variables volumes: - ./pcap/upload:/pcap + healthcheck: + test: ["CMD", "supervisorctl", "status"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s pcap-monitor: build: context: . dockerfile: Dockerfiles/pcap-monitor.Dockerfile - image: malcolmnetsec/pcap-monitor:1.8.1 + image: malcolmnetsec/pcap-monitor:2.0.0 restart: "no" hostname: pcapmon environment: @@ -360,11 +406,17 @@ services: volumes: - ./zeek-logs:/zeek - ./pcap:/pcap + healthcheck: + test: ["CMD", "supervisorctl", "status", "watch-upload", "pcap-publisher"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 90s upload: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: malcolmnetsec/file-upload:1.8.1 + image: malcolmnetsec/file-upload:2.0.0 restart: "no" hostname: upload env_file: @@ -380,8 +432,14 @@ services: - 127.0.0.1:8022:22 volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files + healthcheck: + test: ["CMD", "wget", "-qO-", "http://localhost"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s htadmin: - image: malcolmnetsec/htadmin:1.8.1 + image: malcolmnetsec/htadmin:2.0.0 build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -396,20 +454,67 @@ services: - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s + freq: + image: malcolmnetsec/freq:2.0.0 + build: + context: . + dockerfile: Dockerfiles/freq.Dockerfile + restart: "no" + hostname: freq + environment: + << : *common-lookup-variables + VIRTUAL_HOST : 'freq.malcolm.local' + expose: + - 10004 + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:10004"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s + name-map-ui: + image: malcolmnetsec/name-map-ui:2.0.0 + build: + context: . + dockerfile: Dockerfiles/name-map-ui.Dockerfile + restart: "no" + hostname: name-map-ui + environment: + VIRTUAL_HOST : 'name-map-ui.malcolm.local' + expose: + - 8080 + volumes: + - ./cidr-map.txt:/var/www/html/maps/cidr-map.txt:ro + - ./host-map.txt:/var/www/html/maps/host-map.txt:ro + - ./net-map.json:/var/www/html/maps/net-map.json:rw + healthcheck: + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:8080/fpm-ping"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 60s nginx-proxy: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: malcolmnetsec/nginx-proxy:1.8.1 + image: malcolmnetsec/nginx-proxy:2.0.0 restart: "no" hostname: nginx-proxy environment: << : *auth-variables + << : *nginx-variables depends_on: - moloch - kibana - upload - htadmin + - name-map-ui ports: - "443:443" - "488:488" @@ -418,12 +523,20 @@ services: - "8443:8443" - "9200:9200" - "9600:9600" - - "28991:28991" volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro + - nginx-log-path:/var/log/nginx:rw - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - ./nginx/certs:/etc/nginx/certs:ro - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro + healthcheck: + test: ["CMD", "curl", "--insecure", "--silent", "https://localhost:443"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 120s +# shared named volume so filebeat can access nginx access logs +volumes: + nginx-log-path: diff --git a/docs/images/kibana/ebdca7741674eca4e1fadeca157f3ae6.svg b/docs/images/kibana/ebdca7741674eca4e1fadeca157f3ae6.svg deleted file mode 100644 index c821d0e13..000000000 --- a/docs/images/kibana/ebdca7741674eca4e1fadeca157f3ae6.svg +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - image/svg+xml - - - - - - - - - Malc lm - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/images/malcolm_poster.odg b/docs/images/malcolm_poster.odg new file mode 100644 index 000000000..c891f8f66 Binary files /dev/null and b/docs/images/malcolm_poster.odg differ diff --git a/docs/images/screenshots/malcolm_name_map_ui.png b/docs/images/screenshots/malcolm_name_map_ui.png new file mode 100644 index 000000000..a28d1b653 Binary files /dev/null and b/docs/images/screenshots/malcolm_name_map_ui.png differ diff --git a/elastalert/config/config.json b/elastalert/config/config.json index 5f28031eb..ccac36286 100644 --- a/elastalert/config/config.json +++ b/elastalert/config/config.json @@ -18,7 +18,7 @@ "es_port": 9200, "writeback_index": "elastalert_status", "index_settings": { - "shards": 2, + "shards": 1, "replicas": 0 } } diff --git a/elastalert/config/elastalert.yaml b/elastalert/config/elastalert.yaml index b0a735fad..1fdec1b25 100644 --- a/elastalert/config/elastalert.yaml +++ b/elastalert/config/elastalert.yaml @@ -43,7 +43,7 @@ buffer_time: # elastalert-create-index to set a mapping writeback_index: elastalert_status index_settings: - shards: 2 + shards: 1 replicas: 0 # If an alert fails for some reason, ElastAlert will retry diff --git a/elastalert/elastalert-start.sh b/elastalert/elastalert-start.sh index ec6991b6f..fffada6b8 100755 --- a/elastalert/elastalert-start.sh +++ b/elastalert/elastalert-start.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/file-monitor/supervisord.conf b/file-monitor/supervisord.conf index 236e9528a..5cef37486 100644 --- a/file-monitor/supervisord.conf +++ b/file-monitor/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) diff --git a/file-upload/docker-entrypoint.sh b/file-upload/docker-entrypoint.sh index b15497a7d..96251eeda 100755 --- a/file-upload/docker-entrypoint.sh +++ b/file-upload/docker-entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. if [[ -z $SITE_NAME || -z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]] diff --git a/file-upload/jquery-file-upload/bootstrap.min.css b/file-upload/jquery-file-upload/bootstrap.min.css new file mode 100644 index 000000000..523da07bf --- /dev/null +++ b/file-upload/jquery-file-upload/bootstrap.min.css @@ -0,0 +1,12 @@ +/*! + * Bootswatch v4.4.1 + * Homepage: https://bootswatch.com + * Copyright 2012-2020 Thomas Park + * Licensed under MIT + * Based on Bootstrap +*//*! + * Bootstrap v4.4.1 (https://getbootstrap.com/) + * Copyright 2011-2019 The Bootstrap Authors + * Copyright 2011-2019 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + */:root{--blue: #007bff;--indigo: #6610f2;--purple: #6f42c1;--pink: #e83e8c;--red: #ee5f5b;--orange: #fd7e14;--yellow: #f89406;--green: #62c462;--teal: #20c997;--cyan: #5bc0de;--white: #fff;--gray: #7A8288;--gray-dark: #3A3F44;--primary: #3A3F44;--secondary: #7A8288;--success: #62c462;--info: #5bc0de;--warning: #f89406;--danger: #ee5f5b;--light: #e9ecef;--dark: #272B30;--breakpoint-xs: 0;--breakpoint-sm: 576px;--breakpoint-md: 768px;--breakpoint-lg: 992px;--breakpoint-xl: 1200px;--font-family-sans-serif: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";--font-family-monospace: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace}*,*::before,*::after{-webkit-box-sizing:border-box;box-sizing:border-box}html{font-family:sans-serif;line-height:1.15;-webkit-text-size-adjust:100%;-webkit-tap-highlight-color:rgba(0,0,0,0)}article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}body{margin:0;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";font-size:0.9375rem;font-weight:400;line-height:1.5;color:#aaa;text-align:left;background-color:#272B30}[tabindex="-1"]:focus:not(:focus-visible){outline:0 !important}hr{-webkit-box-sizing:content-box;box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:0.5rem}p{margin-top:0;margin-bottom:1rem}abbr[title],abbr[data-original-title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0;text-decoration-skip-ink:none}address{margin-bottom:1rem;font-style:normal;line-height:inherit}ol,ul,dl{margin-top:0;margin-bottom:1rem}ol ol,ul ul,ol ul,ul ol{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}b,strong{font-weight:bolder}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}a{color:#fff;text-decoration:none;background-color:transparent}a:hover{color:#d9d9d9;text-decoration:underline}a:not([href]){color:inherit;text-decoration:none}a:not([href]):hover{color:inherit;text-decoration:none}pre,code,kbd,samp{font-family:SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;font-size:1em}pre{margin-top:0;margin-bottom:1rem;overflow:auto}figure{margin:0 0 1rem}img{vertical-align:middle;border-style:none}svg{overflow:hidden;vertical-align:middle}table{border-collapse:collapse}caption{padding-top:0.75rem;padding-bottom:0.75rem;color:#7A8288;text-align:left;caption-side:bottom}th{text-align:inherit}label{display:inline-block;margin-bottom:0.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}input,button,select,optgroup,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}button,input{overflow:visible}button,select{text-transform:none}select{word-wrap:normal}button,[type="button"],[type="reset"],[type="submit"]{-webkit-appearance:button}button:not(:disabled),[type="button"]:not(:disabled),[type="reset"]:not(:disabled),[type="submit"]:not(:disabled){cursor:pointer}button::-moz-focus-inner,[type="button"]::-moz-focus-inner,[type="reset"]::-moz-focus-inner,[type="submit"]::-moz-focus-inner{padding:0;border-style:none}input[type="radio"],input[type="checkbox"]{-webkit-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="date"],input[type="time"],input[type="datetime-local"],input[type="month"]{-webkit-appearance:listbox}textarea{overflow:auto;resize:vertical}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;max-width:100%;padding:0;margin-bottom:.5rem;font-size:1.5rem;line-height:inherit;color:inherit;white-space:normal}progress{vertical-align:baseline}[type="number"]::-webkit-inner-spin-button,[type="number"]::-webkit-outer-spin-button{height:auto}[type="search"]{outline-offset:-2px;-webkit-appearance:none}[type="search"]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}output{display:inline-block}summary{display:list-item;cursor:pointer}template{display:none}[hidden]{display:none !important}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{margin-bottom:0.5rem;font-weight:500;line-height:1.2}h1,.h1{font-size:2.34375rem}h2,.h2{font-size:1.875rem}h3,.h3{font-size:1.640625rem}h4,.h4{font-size:1.40625rem}h5,.h5{font-size:1.171875rem}h6,.h6{font-size:0.9375rem}.lead{font-size:1.171875rem;font-weight:300}.display-1{font-size:6rem;font-weight:300;line-height:1.2}.display-2{font-size:5.5rem;font-weight:300;line-height:1.2}.display-3{font-size:4.5rem;font-weight:300;line-height:1.2}.display-4{font-size:3.5rem;font-weight:300;line-height:1.2}hr{margin-top:1rem;margin-bottom:1rem;border:0;border-top:1px solid rgba(0,0,0,0.1)}small,.small{font-size:80%;font-weight:400}mark,.mark{padding:0.2em;background-color:#fcf8e3}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none}.list-inline-item{display:inline-block}.list-inline-item:not(:last-child){margin-right:0.5rem}.initialism{font-size:90%;text-transform:uppercase}.blockquote{margin-bottom:1rem;font-size:1.171875rem}.blockquote-footer{display:block;font-size:80%;color:#7A8288}.blockquote-footer::before{content:"\2014\00A0"}.img-fluid{max-width:100%;height:auto}.img-thumbnail{padding:0.25rem;background-color:#272B30;border:1px solid #dee2e6;border-radius:0.25rem;max-width:100%;height:auto}.figure{display:inline-block}.figure-img{margin-bottom:0.5rem;line-height:1}.figure-caption{font-size:90%;color:#7A8288}code{font-size:87.5%;color:#e83e8c;word-wrap:break-word}a>code{color:inherit}kbd{padding:0.2rem 0.4rem;font-size:87.5%;color:#fff;background-color:#272B30;border-radius:0.2rem}kbd kbd{padding:0;font-size:100%;font-weight:700}pre{display:block;font-size:87.5%;color:inherit}pre code{font-size:inherit;color:inherit;word-break:normal}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width: 576px){.container{max-width:540px}}@media (min-width: 768px){.container{max-width:720px}}@media (min-width: 992px){.container{max-width:960px}}@media (min-width: 1200px){.container{max-width:1140px}}.container-fluid,.container-sm,.container-md,.container-lg,.container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width: 576px){.container,.container-sm{max-width:540px}}@media (min-width: 768px){.container,.container-sm,.container-md{max-width:720px}}@media (min-width: 992px){.container,.container-sm,.container-md,.container-lg{max-width:960px}}@media (min-width: 1200px){.container,.container-sm,.container-md,.container-lg,.container-xl{max-width:1140px}}.row{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-15px;margin-left:-15px}.no-gutters{margin-right:0;margin-left:0}.no-gutters>.col,.no-gutters>[class*="col-"]{padding-right:0;padding-left:0}.col-1,.col-2,.col-3,.col-4,.col-5,.col-6,.col-7,.col-8,.col-9,.col-10,.col-11,.col-12,.col,.col-auto,.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm,.col-sm-auto,.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12,.col-md,.col-md-auto,.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg,.col-lg-auto,.col-xl-1,.col-xl-2,.col-xl-3,.col-xl-4,.col-xl-5,.col-xl-6,.col-xl-7,.col-xl-8,.col-xl-9,.col-xl-10,.col-xl-11,.col-xl-12,.col-xl,.col-xl-auto{position:relative;width:100%;padding-right:15px;padding-left:15px}.col{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-1{margin-left:8.3333333333%}.offset-2{margin-left:16.6666666667%}.offset-3{margin-left:25%}.offset-4{margin-left:33.3333333333%}.offset-5{margin-left:41.6666666667%}.offset-6{margin-left:50%}.offset-7{margin-left:58.3333333333%}.offset-8{margin-left:66.6666666667%}.offset-9{margin-left:75%}.offset-10{margin-left:83.3333333333%}.offset-11{margin-left:91.6666666667%}@media (min-width: 576px){.col-sm{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-sm-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-sm-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-sm-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-sm-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-sm-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-sm-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-sm-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-sm-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-sm-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-sm-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-sm-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-sm-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-sm-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-sm-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-sm-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-sm-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-sm-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-sm-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-sm-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-sm-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-sm-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-sm-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-sm-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-sm-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-sm-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-sm-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-sm-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-sm-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-sm-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-sm-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-sm-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-sm-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-sm-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-sm-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-sm-0{margin-left:0}.offset-sm-1{margin-left:8.3333333333%}.offset-sm-2{margin-left:16.6666666667%}.offset-sm-3{margin-left:25%}.offset-sm-4{margin-left:33.3333333333%}.offset-sm-5{margin-left:41.6666666667%}.offset-sm-6{margin-left:50%}.offset-sm-7{margin-left:58.3333333333%}.offset-sm-8{margin-left:66.6666666667%}.offset-sm-9{margin-left:75%}.offset-sm-10{margin-left:83.3333333333%}.offset-sm-11{margin-left:91.6666666667%}}@media (min-width: 768px){.col-md{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-md-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-md-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-md-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-md-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-md-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-md-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-md-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-md-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-md-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-md-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-md-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-md-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-md-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-md-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-md-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-md-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-md-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-md-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-md-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-md-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-md-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-md-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-md-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-md-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-md-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-md-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-md-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-md-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-md-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-md-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-md-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-md-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-md-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-md-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-md-0{margin-left:0}.offset-md-1{margin-left:8.3333333333%}.offset-md-2{margin-left:16.6666666667%}.offset-md-3{margin-left:25%}.offset-md-4{margin-left:33.3333333333%}.offset-md-5{margin-left:41.6666666667%}.offset-md-6{margin-left:50%}.offset-md-7{margin-left:58.3333333333%}.offset-md-8{margin-left:66.6666666667%}.offset-md-9{margin-left:75%}.offset-md-10{margin-left:83.3333333333%}.offset-md-11{margin-left:91.6666666667%}}@media (min-width: 992px){.col-lg{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-lg-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-lg-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-lg-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-lg-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-lg-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-lg-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-lg-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-lg-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-lg-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-lg-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-lg-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-lg-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-lg-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-lg-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-lg-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-lg-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-lg-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-lg-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-lg-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-lg-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-lg-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-lg-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-lg-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-lg-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-lg-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-lg-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-lg-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-lg-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-lg-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-lg-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-lg-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-lg-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-lg-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-lg-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-lg-0{margin-left:0}.offset-lg-1{margin-left:8.3333333333%}.offset-lg-2{margin-left:16.6666666667%}.offset-lg-3{margin-left:25%}.offset-lg-4{margin-left:33.3333333333%}.offset-lg-5{margin-left:41.6666666667%}.offset-lg-6{margin-left:50%}.offset-lg-7{margin-left:58.3333333333%}.offset-lg-8{margin-left:66.6666666667%}.offset-lg-9{margin-left:75%}.offset-lg-10{margin-left:83.3333333333%}.offset-lg-11{margin-left:91.6666666667%}}@media (min-width: 1200px){.col-xl{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-xl-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-xl-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-xl-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-xl-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-xl-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-xl-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-xl-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-xl-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-xl-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-xl-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-xl-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-xl-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-xl-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-xl-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-xl-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-xl-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-xl-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-xl-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-xl-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-xl-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-xl-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-xl-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-xl-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-xl-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-xl-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-xl-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-xl-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-xl-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-xl-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-xl-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-xl-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-xl-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-xl-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-xl-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-xl-0{margin-left:0}.offset-xl-1{margin-left:8.3333333333%}.offset-xl-2{margin-left:16.6666666667%}.offset-xl-3{margin-left:25%}.offset-xl-4{margin-left:33.3333333333%}.offset-xl-5{margin-left:41.6666666667%}.offset-xl-6{margin-left:50%}.offset-xl-7{margin-left:58.3333333333%}.offset-xl-8{margin-left:66.6666666667%}.offset-xl-9{margin-left:75%}.offset-xl-10{margin-left:83.3333333333%}.offset-xl-11{margin-left:91.6666666667%}}.table{width:100%;margin-bottom:1rem;color:#fff}.table th,.table td{padding:0.75rem;vertical-align:top;border-top:1px solid rgba(0,0,0,0.6)}.table thead th{vertical-align:bottom;border-bottom:2px solid rgba(0,0,0,0.6)}.table tbody+tbody{border-top:2px solid rgba(0,0,0,0.6)}.table-sm th,.table-sm td{padding:0.3rem}.table-bordered{border:1px solid rgba(0,0,0,0.6)}.table-bordered th,.table-bordered td{border:1px solid rgba(0,0,0,0.6)}.table-bordered thead th,.table-bordered thead td{border-bottom-width:2px}.table-borderless th,.table-borderless td,.table-borderless thead th,.table-borderless tbody+tbody{border:0}.table-striped tbody tr:nth-of-type(odd){background-color:rgba(255,255,255,0.05)}.table-hover tbody tr:hover{color:#fff;background-color:rgba(255,255,255,0.075)}.table-primary,.table-primary>th,.table-primary>td{background-color:#c8c9cb}.table-primary th,.table-primary td,.table-primary thead th,.table-primary tbody+tbody{border-color:#999b9e}.table-hover .table-primary:hover{background-color:#bbbcbf}.table-hover .table-primary:hover>td,.table-hover .table-primary:hover>th{background-color:#bbbcbf}.table-secondary,.table-secondary>th,.table-secondary>td{background-color:#dadcde}.table-secondary th,.table-secondary td,.table-secondary thead th,.table-secondary tbody+tbody{border-color:#babec1}.table-hover .table-secondary:hover{background-color:#cdcfd2}.table-hover .table-secondary:hover>td,.table-hover .table-secondary:hover>th{background-color:#cdcfd2}.table-success,.table-success>th,.table-success>td{background-color:#d3eed3}.table-success th,.table-success td,.table-success thead th,.table-success tbody+tbody{border-color:#ade0ad}.table-hover .table-success:hover{background-color:#c1e7c1}.table-hover .table-success:hover>td,.table-hover .table-success:hover>th{background-color:#c1e7c1}.table-info,.table-info>th,.table-info>td{background-color:#d1edf6}.table-info th,.table-info td,.table-info thead th,.table-info tbody+tbody{border-color:#aadeee}.table-hover .table-info:hover{background-color:#bce5f2}.table-hover .table-info:hover>td,.table-hover .table-info:hover>th{background-color:#bce5f2}.table-warning,.table-warning>th,.table-warning>td{background-color:#fde1b9}.table-warning th,.table-warning td,.table-warning thead th,.table-warning tbody+tbody{border-color:#fbc77e}.table-hover .table-warning:hover{background-color:#fcd6a0}.table-hover .table-warning:hover>td,.table-hover .table-warning:hover>th{background-color:#fcd6a0}.table-danger,.table-danger>th,.table-danger>td{background-color:#fad2d1}.table-danger th,.table-danger td,.table-danger thead th,.table-danger tbody+tbody{border-color:#f6acaa}.table-hover .table-danger:hover{background-color:#f8bcba}.table-hover .table-danger:hover>td,.table-hover .table-danger:hover>th{background-color:#f8bcba}.table-light,.table-light>th,.table-light>td{background-color:#f9fafb}.table-light th,.table-light td,.table-light thead th,.table-light tbody+tbody{border-color:#f4f5f7}.table-hover .table-light:hover{background-color:#eaedf1}.table-hover .table-light:hover>td,.table-hover .table-light:hover>th{background-color:#eaedf1}.table-dark,.table-dark>th,.table-dark>td{background-color:#c3c4c5}.table-dark th,.table-dark td,.table-dark thead th,.table-dark tbody+tbody{border-color:#8f9193}.table-hover .table-dark:hover{background-color:#b6b7b8}.table-hover .table-dark:hover>td,.table-hover .table-dark:hover>th{background-color:#b6b7b8}.table-active,.table-active>th,.table-active>td{background-color:rgba(255,255,255,0.075)}.table-hover .table-active:hover{background-color:rgba(242,242,242,0.075)}.table-hover .table-active:hover>td,.table-hover .table-active:hover>th{background-color:rgba(242,242,242,0.075)}.table .thead-dark th{color:#fff;background-color:#3A3F44;border-color:rgba(0,0,0,0.6)}.table .thead-light th{color:#52575C;background-color:#e9ecef;border-color:rgba(0,0,0,0.6)}.table-dark{color:#fff;background-color:#3A3F44}.table-dark th,.table-dark td,.table-dark thead th{border-color:rgba(0,0,0,0.6)}.table-dark.table-bordered{border:0}.table-dark.table-striped tbody tr:nth-of-type(odd){background-color:rgba(255,255,255,0.05)}.table-dark.table-hover tbody tr:hover{color:#fff;background-color:rgba(255,255,255,0.075)}@media (max-width: 575.98px){.table-responsive-sm{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-sm>.table-bordered{border:0}}@media (max-width: 767.98px){.table-responsive-md{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-md>.table-bordered{border:0}}@media (max-width: 991.98px){.table-responsive-lg{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-lg>.table-bordered{border:0}}@media (max-width: 1199.98px){.table-responsive-xl{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-xl>.table-bordered{border:0}}.table-responsive{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive>.table-bordered{border:0}.form-control{display:block;width:100%;height:calc(1.5em + 1.5rem + 2px);padding:0.75rem 1rem;font-size:0.9375rem;font-weight:400;line-height:1.5;color:#52575C;background-color:#fff;background-clip:padding-box;border:1px solid #ced4da;border-radius:0.25rem;-webkit-transition:border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.form-control{-webkit-transition:none;transition:none}}.form-control::-ms-expand{background-color:transparent;border:0}.form-control:-moz-focusring{color:transparent;text-shadow:0 0 0 #52575C}.form-control:focus{color:#52575C;background-color:#fff;border-color:#757f89;outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.form-control::-webkit-input-placeholder{color:#7A8288;opacity:1}.form-control::-ms-input-placeholder{color:#7A8288;opacity:1}.form-control::placeholder{color:#7A8288;opacity:1}.form-control:disabled,.form-control[readonly]{background-color:#ccc;opacity:1}select.form-control:focus::-ms-value{color:#52575C;background-color:#fff}.form-control-file,.form-control-range{display:block;width:100%}.col-form-label{padding-top:calc(0.75rem + 1px);padding-bottom:calc(0.75rem + 1px);margin-bottom:0;font-size:inherit;line-height:1.5}.col-form-label-lg{padding-top:calc(0.5rem + 1px);padding-bottom:calc(0.5rem + 1px);font-size:1.171875rem;line-height:1.5}.col-form-label-sm{padding-top:calc(0.25rem + 1px);padding-bottom:calc(0.25rem + 1px);font-size:0.8203125rem;line-height:1.5}.form-control-plaintext{display:block;width:100%;padding:0.75rem 0;margin-bottom:0;font-size:0.9375rem;line-height:1.5;color:#aaa;background-color:transparent;border:solid transparent;border-width:1px 0}.form-control-plaintext.form-control-sm,.form-control-plaintext.form-control-lg{padding-right:0;padding-left:0}.form-control-sm{height:calc(1.5em + 0.5rem + 2px);padding:0.25rem 0.5rem;font-size:0.8203125rem;line-height:1.5;border-radius:0.2rem}.form-control-lg{height:calc(1.5em + 1rem + 2px);padding:0.5rem 1rem;font-size:1.171875rem;line-height:1.5;border-radius:0.3rem}select.form-control[size],select.form-control[multiple]{height:auto}textarea.form-control{height:auto}.form-group{margin-bottom:1rem}.form-text{display:block;margin-top:0.25rem}.form-row{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-5px;margin-left:-5px}.form-row>.col,.form-row>[class*="col-"]{padding-right:5px;padding-left:5px}.form-check{position:relative;display:block;padding-left:1.25rem}.form-check-input{position:absolute;margin-top:0.3rem;margin-left:-1.25rem}.form-check-input[disabled] ~ .form-check-label,.form-check-input:disabled ~ .form-check-label{color:#7A8288}.form-check-label{margin-bottom:0}.form-check-inline{display:-webkit-inline-box;display:-ms-inline-flexbox;display:inline-flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding-left:0;margin-right:0.75rem}.form-check-inline .form-check-input{position:static;margin-top:0;margin-right:0.3125rem;margin-left:0}.valid-feedback{display:none;width:100%;margin-top:0.25rem;font-size:80%;color:#62c462}.valid-tooltip{position:absolute;top:100%;z-index:5;display:none;max-width:100%;padding:0.25rem 0.5rem;margin-top:.1rem;font-size:0.8203125rem;line-height:1.5;color:#fff;background-color:rgba(98,196,98,0.9);border-radius:0.25rem}.was-validated :valid ~ .valid-feedback,.was-validated :valid ~ .valid-tooltip,.is-valid ~ .valid-feedback,.is-valid ~ .valid-tooltip{display:block}.was-validated .form-control:valid,.form-control.is-valid{border-color:#62c462;padding-right:calc(1.5em + 1.5rem);background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%2362c462' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");background-repeat:no-repeat;background-position:right calc(0.375em + 0.375rem) center;background-size:calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .form-control:valid:focus,.form-control.is-valid:focus{border-color:#62c462;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.was-validated textarea.form-control:valid,textarea.form-control.is-valid{padding-right:calc(1.5em + 1.5rem);background-position:top calc(0.375em + 0.375rem) right calc(0.375em + 0.375rem)}.was-validated .custom-select:valid,.custom-select.is-valid{border-color:#62c462;padding-right:calc(0.75em + 3.125rem);background:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%233A3F44' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right 1rem center/8px 10px,url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%2362c462' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e") #fff no-repeat center right 2rem/calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .custom-select:valid:focus,.custom-select.is-valid:focus{border-color:#62c462;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.was-validated .form-check-input:valid ~ .form-check-label,.form-check-input.is-valid ~ .form-check-label{color:#62c462}.was-validated .form-check-input:valid ~ .valid-feedback,.was-validated .form-check-input:valid ~ .valid-tooltip,.form-check-input.is-valid ~ .valid-feedback,.form-check-input.is-valid ~ .valid-tooltip{display:block}.was-validated .custom-control-input:valid ~ .custom-control-label,.custom-control-input.is-valid ~ .custom-control-label{color:#62c462}.was-validated .custom-control-input:valid ~ .custom-control-label::before,.custom-control-input.is-valid ~ .custom-control-label::before{border-color:#62c462}.was-validated .custom-control-input:valid:checked ~ .custom-control-label::before,.custom-control-input.is-valid:checked ~ .custom-control-label::before{border-color:#87d287;background-color:#87d287}.was-validated .custom-control-input:valid:focus ~ .custom-control-label::before,.custom-control-input.is-valid:focus ~ .custom-control-label::before{-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.was-validated .custom-control-input:valid:focus:not(:checked) ~ .custom-control-label::before,.custom-control-input.is-valid:focus:not(:checked) ~ .custom-control-label::before{border-color:#62c462}.was-validated .custom-file-input:valid ~ .custom-file-label,.custom-file-input.is-valid ~ .custom-file-label{border-color:#62c462}.was-validated .custom-file-input:valid:focus ~ .custom-file-label,.custom-file-input.is-valid:focus ~ .custom-file-label{border-color:#62c462;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.invalid-feedback{display:none;width:100%;margin-top:0.25rem;font-size:80%;color:#ee5f5b}.invalid-tooltip{position:absolute;top:100%;z-index:5;display:none;max-width:100%;padding:0.25rem 0.5rem;margin-top:.1rem;font-size:0.8203125rem;line-height:1.5;color:#fff;background-color:rgba(238,95,91,0.9);border-radius:0.25rem}.was-validated :invalid ~ .invalid-feedback,.was-validated :invalid ~ .invalid-tooltip,.is-invalid ~ .invalid-feedback,.is-invalid ~ .invalid-tooltip{display:block}.was-validated .form-control:invalid,.form-control.is-invalid{border-color:#ee5f5b;padding-right:calc(1.5em + 1.5rem);background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' fill='none' stroke='%23ee5f5b' viewBox='0 0 12 12'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23ee5f5b' stroke='none'/%3e%3c/svg%3e");background-repeat:no-repeat;background-position:right calc(0.375em + 0.375rem) center;background-size:calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .form-control:invalid:focus,.form-control.is-invalid:focus{border-color:#ee5f5b;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.was-validated textarea.form-control:invalid,textarea.form-control.is-invalid{padding-right:calc(1.5em + 1.5rem);background-position:top calc(0.375em + 0.375rem) right calc(0.375em + 0.375rem)}.was-validated .custom-select:invalid,.custom-select.is-invalid{border-color:#ee5f5b;padding-right:calc(0.75em + 3.125rem);background:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%233A3F44' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right 1rem center/8px 10px,url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' fill='none' stroke='%23ee5f5b' viewBox='0 0 12 12'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23ee5f5b' stroke='none'/%3e%3c/svg%3e") #fff no-repeat center right 2rem/calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .custom-select:invalid:focus,.custom-select.is-invalid:focus{border-color:#ee5f5b;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.was-validated .form-check-input:invalid ~ .form-check-label,.form-check-input.is-invalid ~ .form-check-label{color:#ee5f5b}.was-validated .form-check-input:invalid ~ .invalid-feedback,.was-validated .form-check-input:invalid ~ .invalid-tooltip,.form-check-input.is-invalid ~ .invalid-feedback,.form-check-input.is-invalid ~ .invalid-tooltip{display:block}.was-validated .custom-control-input:invalid ~ .custom-control-label,.custom-control-input.is-invalid ~ .custom-control-label{color:#ee5f5b}.was-validated .custom-control-input:invalid ~ .custom-control-label::before,.custom-control-input.is-invalid ~ .custom-control-label::before{border-color:#ee5f5b}.was-validated .custom-control-input:invalid:checked ~ .custom-control-label::before,.custom-control-input.is-invalid:checked ~ .custom-control-label::before{border-color:#f38c89;background-color:#f38c89}.was-validated .custom-control-input:invalid:focus ~ .custom-control-label::before,.custom-control-input.is-invalid:focus ~ .custom-control-label::before{-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.was-validated .custom-control-input:invalid:focus:not(:checked) ~ .custom-control-label::before,.custom-control-input.is-invalid:focus:not(:checked) ~ .custom-control-label::before{border-color:#ee5f5b}.was-validated .custom-file-input:invalid ~ .custom-file-label,.custom-file-input.is-invalid ~ .custom-file-label{border-color:#ee5f5b}.was-validated .custom-file-input:invalid:focus ~ .custom-file-label,.custom-file-input.is-invalid:focus ~ .custom-file-label{border-color:#ee5f5b;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.form-inline{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center}.form-inline .form-check{width:100%}@media (min-width: 576px){.form-inline label{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;margin-bottom:0}.form-inline .form-group{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin-bottom:0}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-plaintext{display:inline-block}.form-inline .input-group,.form-inline .custom-select{width:auto}.form-inline .form-check{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;width:auto;padding-left:0}.form-inline .form-check-input{position:relative;-ms-flex-negative:0;flex-shrink:0;margin-top:0;margin-right:0.25rem;margin-left:0}.form-inline .custom-control{-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center}.form-inline .custom-control-label{margin-bottom:0}}.btn{display:inline-block;font-weight:400;color:#aaa;text-align:center;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-color:transparent;border:1px solid transparent;padding:0.75rem 1rem;font-size:0.9375rem;line-height:1.5;border-radius:0.25rem;-webkit-transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.btn{-webkit-transition:none;transition:none}}.btn:hover{color:#aaa;text-decoration:none}.btn:focus,.btn.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.btn.disabled,.btn:disabled{opacity:0.65}a.btn.disabled,fieldset:disabled a.btn{pointer-events:none}.btn-primary{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-primary:hover{color:#fff;background-color:#282c2f;border-color:#232628}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#282c2f;border-color:#232628;-webkit-box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5);box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5)}.btn-primary.disabled,.btn-primary:disabled{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-primary:not(:disabled):not(.disabled):active,.btn-primary:not(:disabled):not(.disabled).active,.show>.btn-primary.dropdown-toggle{color:#fff;background-color:#232628;border-color:#1d1f22}.btn-primary:not(:disabled):not(.disabled):active:focus,.btn-primary:not(:disabled):not(.disabled).active:focus,.show>.btn-primary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5);box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5)}.btn-secondary{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-secondary:hover{color:#fff;background-color:#686f74;border-color:#62686d}.btn-secondary:focus,.btn-secondary.focus{color:#fff;background-color:#686f74;border-color:#62686d;-webkit-box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5);box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5)}.btn-secondary.disabled,.btn-secondary:disabled{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-secondary:not(:disabled):not(.disabled):active,.btn-secondary:not(:disabled):not(.disabled).active,.show>.btn-secondary.dropdown-toggle{color:#fff;background-color:#62686d;border-color:#5c6267}.btn-secondary:not(:disabled):not(.disabled):active:focus,.btn-secondary:not(:disabled):not(.disabled).active:focus,.show>.btn-secondary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5);box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5)}.btn-success{color:#fff;background-color:#62c462;border-color:#62c462}.btn-success:hover{color:#fff;background-color:#46ba46;border-color:#42b142}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#46ba46;border-color:#42b142;-webkit-box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5);box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5)}.btn-success.disabled,.btn-success:disabled{color:#fff;background-color:#62c462;border-color:#62c462}.btn-success:not(:disabled):not(.disabled):active,.btn-success:not(:disabled):not(.disabled).active,.show>.btn-success.dropdown-toggle{color:#fff;background-color:#42b142;border-color:#3fa73f}.btn-success:not(:disabled):not(.disabled):active:focus,.btn-success:not(:disabled):not(.disabled).active:focus,.show>.btn-success.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5);box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5)}.btn-info{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-info:hover{color:#fff;background-color:#3bb4d8;border-color:#31b0d5}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#3bb4d8;border-color:#31b0d5;-webkit-box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5);box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5)}.btn-info.disabled,.btn-info:disabled{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-info:not(:disabled):not(.disabled):active,.btn-info:not(:disabled):not(.disabled).active,.show>.btn-info.dropdown-toggle{color:#fff;background-color:#31b0d5;border-color:#2aaacf}.btn-info:not(:disabled):not(.disabled):active:focus,.btn-info:not(:disabled):not(.disabled).active:focus,.show>.btn-info.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5);box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5)}.btn-warning{color:#fff;background-color:#f89406;border-color:#f89406}.btn-warning:hover{color:#fff;background-color:#d37e05;border-color:#c67605}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#d37e05;border-color:#c67605;-webkit-box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5);box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5)}.btn-warning.disabled,.btn-warning:disabled{color:#fff;background-color:#f89406;border-color:#f89406}.btn-warning:not(:disabled):not(.disabled):active,.btn-warning:not(:disabled):not(.disabled).active,.show>.btn-warning.dropdown-toggle{color:#fff;background-color:#c67605;border-color:#ba6f04}.btn-warning:not(:disabled):not(.disabled):active:focus,.btn-warning:not(:disabled):not(.disabled).active:focus,.show>.btn-warning.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5);box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5)}.btn-danger{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-danger:hover{color:#fff;background-color:#ea3d38;border-color:#e9322d}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#ea3d38;border-color:#e9322d;-webkit-box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5);box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5)}.btn-danger.disabled,.btn-danger:disabled{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-danger:not(:disabled):not(.disabled):active,.btn-danger:not(:disabled):not(.disabled).active,.show>.btn-danger.dropdown-toggle{color:#fff;background-color:#e9322d;border-color:#e82721}.btn-danger:not(:disabled):not(.disabled):active:focus,.btn-danger:not(:disabled):not(.disabled).active:focus,.show>.btn-danger.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5);box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5)}.btn-light{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-light:hover{color:#272B30;background-color:#d3d9df;border-color:#cbd3da}.btn-light:focus,.btn-light.focus{color:#272B30;background-color:#d3d9df;border-color:#cbd3da;-webkit-box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5);box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5)}.btn-light.disabled,.btn-light:disabled{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-light:not(:disabled):not(.disabled):active,.btn-light:not(:disabled):not(.disabled).active,.show>.btn-light.dropdown-toggle{color:#272B30;background-color:#cbd3da;border-color:#c4ccd4}.btn-light:not(:disabled):not(.disabled):active:focus,.btn-light:not(:disabled):not(.disabled).active:focus,.show>.btn-light.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5);box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5)}.btn-dark{color:#fff;background-color:#272B30;border-color:#272B30}.btn-dark:hover{color:#fff;background-color:#16181b;border-color:#101214}.btn-dark:focus,.btn-dark.focus{color:#fff;background-color:#16181b;border-color:#101214;-webkit-box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5);box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5)}.btn-dark.disabled,.btn-dark:disabled{color:#fff;background-color:#272B30;border-color:#272B30}.btn-dark:not(:disabled):not(.disabled):active,.btn-dark:not(:disabled):not(.disabled).active,.show>.btn-dark.dropdown-toggle{color:#fff;background-color:#101214;border-color:#0a0b0d}.btn-dark:not(:disabled):not(.disabled):active:focus,.btn-dark:not(:disabled):not(.disabled).active:focus,.show>.btn-dark.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5);box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5)}.btn-outline-primary{color:#3A3F44;border-color:#3A3F44}.btn-outline-primary:hover{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-outline-primary:focus,.btn-outline-primary.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5)}.btn-outline-primary.disabled,.btn-outline-primary:disabled{color:#3A3F44;background-color:transparent}.btn-outline-primary:not(:disabled):not(.disabled):active,.btn-outline-primary:not(:disabled):not(.disabled).active,.show>.btn-outline-primary.dropdown-toggle{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-outline-primary:not(:disabled):not(.disabled):active:focus,.btn-outline-primary:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-primary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5)}.btn-outline-secondary{color:#7A8288;border-color:#7A8288}.btn-outline-secondary:hover{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-outline-secondary:focus,.btn-outline-secondary.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5);box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5)}.btn-outline-secondary.disabled,.btn-outline-secondary:disabled{color:#7A8288;background-color:transparent}.btn-outline-secondary:not(:disabled):not(.disabled):active,.btn-outline-secondary:not(:disabled):not(.disabled).active,.show>.btn-outline-secondary.dropdown-toggle{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-outline-secondary:not(:disabled):not(.disabled):active:focus,.btn-outline-secondary:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-secondary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5);box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5)}.btn-outline-success{color:#62c462;border-color:#62c462}.btn-outline-success:hover{color:#fff;background-color:#62c462;border-color:#62c462}.btn-outline-success:focus,.btn-outline-success.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5)}.btn-outline-success.disabled,.btn-outline-success:disabled{color:#62c462;background-color:transparent}.btn-outline-success:not(:disabled):not(.disabled):active,.btn-outline-success:not(:disabled):not(.disabled).active,.show>.btn-outline-success.dropdown-toggle{color:#fff;background-color:#62c462;border-color:#62c462}.btn-outline-success:not(:disabled):not(.disabled):active:focus,.btn-outline-success:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-success.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5)}.btn-outline-info{color:#5bc0de;border-color:#5bc0de}.btn-outline-info:hover{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-outline-info:focus,.btn-outline-info.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5);box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5)}.btn-outline-info.disabled,.btn-outline-info:disabled{color:#5bc0de;background-color:transparent}.btn-outline-info:not(:disabled):not(.disabled):active,.btn-outline-info:not(:disabled):not(.disabled).active,.show>.btn-outline-info.dropdown-toggle{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-outline-info:not(:disabled):not(.disabled):active:focus,.btn-outline-info:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-info.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5);box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5)}.btn-outline-warning{color:#f89406;border-color:#f89406}.btn-outline-warning:hover{color:#fff;background-color:#f89406;border-color:#f89406}.btn-outline-warning:focus,.btn-outline-warning.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5);box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5)}.btn-outline-warning.disabled,.btn-outline-warning:disabled{color:#f89406;background-color:transparent}.btn-outline-warning:not(:disabled):not(.disabled):active,.btn-outline-warning:not(:disabled):not(.disabled).active,.show>.btn-outline-warning.dropdown-toggle{color:#fff;background-color:#f89406;border-color:#f89406}.btn-outline-warning:not(:disabled):not(.disabled):active:focus,.btn-outline-warning:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-warning.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5);box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5)}.btn-outline-danger{color:#ee5f5b;border-color:#ee5f5b}.btn-outline-danger:hover{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-outline-danger:focus,.btn-outline-danger.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5)}.btn-outline-danger.disabled,.btn-outline-danger:disabled{color:#ee5f5b;background-color:transparent}.btn-outline-danger:not(:disabled):not(.disabled):active,.btn-outline-danger:not(:disabled):not(.disabled).active,.show>.btn-outline-danger.dropdown-toggle{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-outline-danger:not(:disabled):not(.disabled):active:focus,.btn-outline-danger:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-danger.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5)}.btn-outline-light{color:#e9ecef;border-color:#e9ecef}.btn-outline-light:hover{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-outline-light:focus,.btn-outline-light.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5);box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5)}.btn-outline-light.disabled,.btn-outline-light:disabled{color:#e9ecef;background-color:transparent}.btn-outline-light:not(:disabled):not(.disabled):active,.btn-outline-light:not(:disabled):not(.disabled).active,.show>.btn-outline-light.dropdown-toggle{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-outline-light:not(:disabled):not(.disabled):active:focus,.btn-outline-light:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-light.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5);box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5)}.btn-outline-dark{color:#272B30;border-color:#272B30}.btn-outline-dark:hover{color:#fff;background-color:#272B30;border-color:#272B30}.btn-outline-dark:focus,.btn-outline-dark.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5);box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5)}.btn-outline-dark.disabled,.btn-outline-dark:disabled{color:#272B30;background-color:transparent}.btn-outline-dark:not(:disabled):not(.disabled):active,.btn-outline-dark:not(:disabled):not(.disabled).active,.show>.btn-outline-dark.dropdown-toggle{color:#fff;background-color:#272B30;border-color:#272B30}.btn-outline-dark:not(:disabled):not(.disabled):active:focus,.btn-outline-dark:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-dark.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5);box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5)}.btn-link{font-weight:400;color:#fff;text-decoration:none}.btn-link:hover{color:#d9d9d9;text-decoration:underline}.btn-link:focus,.btn-link.focus{text-decoration:underline;-webkit-box-shadow:none;box-shadow:none}.btn-link:disabled,.btn-link.disabled{color:#7A8288;pointer-events:none}.btn-lg,.btn-group-lg>.btn{padding:0.5rem 1rem;font-size:1.171875rem;line-height:1.5;border-radius:0.3rem}.btn-sm,.btn-group-sm>.btn{padding:0.25rem 0.5rem;font-size:0.8203125rem;line-height:1.5;border-radius:0.2rem}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:0.5rem}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{-webkit-transition:opacity 0.15s linear;transition:opacity 0.15s linear}@media (prefers-reduced-motion: reduce){.fade{-webkit-transition:none;transition:none}}.fade:not(.show){opacity:0}.collapse:not(.show){display:none}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height 0.35s ease;transition:height 0.35s ease}@media (prefers-reduced-motion: reduce){.collapsing{-webkit-transition:none;transition:none}}.dropup,.dropright,.dropdown,.dropleft{position:relative}.dropdown-toggle{white-space:nowrap}.dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:"";border-top:0.3em solid;border-right:0.3em solid transparent;border-bottom:0;border-left:0.3em solid transparent}.dropdown-toggle:empty::after{margin-left:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:10rem;padding:0.5rem 0;margin:0.125rem 0 0;font-size:0.9375rem;color:#aaa;text-align:left;list-style:none;background-color:#3A3F44;background-clip:padding-box;border:1px solid rgba(0,0,0,0.6);border-radius:0.25rem}.dropdown-menu-left{right:auto;left:0}.dropdown-menu-right{right:0;left:auto}@media (min-width: 576px){.dropdown-menu-sm-left{right:auto;left:0}.dropdown-menu-sm-right{right:0;left:auto}}@media (min-width: 768px){.dropdown-menu-md-left{right:auto;left:0}.dropdown-menu-md-right{right:0;left:auto}}@media (min-width: 992px){.dropdown-menu-lg-left{right:auto;left:0}.dropdown-menu-lg-right{right:0;left:auto}}@media (min-width: 1200px){.dropdown-menu-xl-left{right:auto;left:0}.dropdown-menu-xl-right{right:0;left:auto}}.dropup .dropdown-menu{top:auto;bottom:100%;margin-top:0;margin-bottom:0.125rem}.dropup .dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:"";border-top:0;border-right:0.3em solid transparent;border-bottom:0.3em solid;border-left:0.3em solid transparent}.dropup .dropdown-toggle:empty::after{margin-left:0}.dropright .dropdown-menu{top:0;right:auto;left:100%;margin-top:0;margin-left:0.125rem}.dropright .dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:"";border-top:0.3em solid transparent;border-right:0;border-bottom:0.3em solid transparent;border-left:0.3em solid}.dropright .dropdown-toggle:empty::after{margin-left:0}.dropright .dropdown-toggle::after{vertical-align:0}.dropleft .dropdown-menu{top:0;right:100%;left:auto;margin-top:0;margin-right:0.125rem}.dropleft .dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:""}.dropleft .dropdown-toggle::after{display:none}.dropleft .dropdown-toggle::before{display:inline-block;margin-right:0.255em;vertical-align:0.255em;content:"";border-top:0.3em solid transparent;border-right:0.3em solid;border-bottom:0.3em solid transparent}.dropleft .dropdown-toggle:empty::after{margin-left:0}.dropleft .dropdown-toggle::before{vertical-align:0}.dropdown-menu[x-placement^="top"],.dropdown-menu[x-placement^="right"],.dropdown-menu[x-placement^="bottom"],.dropdown-menu[x-placement^="left"]{right:auto;bottom:auto}.dropdown-divider{height:0;margin:0.5rem 0;overflow:hidden;border-top:1px solid rgba(0,0,0,0.15)}.dropdown-item{display:block;width:100%;padding:0.25rem 1.5rem;clear:both;font-weight:400;color:#aaa;text-align:inherit;white-space:nowrap;background-color:transparent;border:0}.dropdown-item:hover,.dropdown-item:focus{color:#fff;text-decoration:none;background-color:#272B30}.dropdown-item.active,.dropdown-item:active{color:#fff;text-decoration:none;background-color:#3A3F44}.dropdown-item.disabled,.dropdown-item:disabled{color:#7A8288;pointer-events:none;background-color:transparent}.dropdown-menu.show{display:block}.dropdown-header{display:block;padding:0.5rem 1.5rem;margin-bottom:0;font-size:0.8203125rem;color:#7A8288;white-space:nowrap}.dropdown-item-text{display:block;padding:0.25rem 1.5rem;color:#aaa}.btn-group,.btn-group-vertical{position:relative;display:-webkit-inline-box;display:-ms-inline-flexbox;display:inline-flex;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover{z-index:1}.btn-group>.btn:focus,.btn-group>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn.active{z-index:1}.btn-toolbar{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.btn-toolbar .input-group{width:auto}.btn-group>.btn:not(:first-child),.btn-group>.btn-group:not(:first-child){margin-left:-1px}.btn-group>.btn:not(:last-child):not(.dropdown-toggle),.btn-group>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:not(:first-child),.btn-group>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.dropdown-toggle-split{padding-right:0.75rem;padding-left:0.75rem}.dropdown-toggle-split::after,.dropup .dropdown-toggle-split::after,.dropright .dropdown-toggle-split::after{margin-left:0}.dropleft .dropdown-toggle-split::before{margin-right:0}.btn-sm+.dropdown-toggle-split,.btn-group-sm>.btn+.dropdown-toggle-split{padding-right:0.375rem;padding-left:0.375rem}.btn-lg+.dropdown-toggle-split,.btn-group-lg>.btn+.dropdown-toggle-split{padding-right:0.75rem;padding-left:0.75rem}.btn-group-vertical{-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;-webkit-box-align:start;-ms-flex-align:start;align-items:flex-start;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group{width:100%}.btn-group-vertical>.btn:not(:first-child),.btn-group-vertical>.btn-group:not(:first-child){margin-top:-1px}.btn-group-vertical>.btn:not(:last-child):not(.dropdown-toggle),.btn-group-vertical>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:not(:first-child),.btn-group-vertical>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-top-right-radius:0}.btn-group-toggle>.btn,.btn-group-toggle>.btn-group>.btn{margin-bottom:0}.btn-group-toggle>.btn input[type="radio"],.btn-group-toggle>.btn input[type="checkbox"],.btn-group-toggle>.btn-group>.btn input[type="radio"],.btn-group-toggle>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:stretch;-ms-flex-align:stretch;align-items:stretch;width:100%}.input-group>.form-control,.input-group>.form-control-plaintext,.input-group>.custom-select,.input-group>.custom-file{position:relative;-webkit-box-flex:1;-ms-flex:1 1 0%;flex:1 1 0%;min-width:0;margin-bottom:0}.input-group>.form-control+.form-control,.input-group>.form-control+.custom-select,.input-group>.form-control+.custom-file,.input-group>.form-control-plaintext+.form-control,.input-group>.form-control-plaintext+.custom-select,.input-group>.form-control-plaintext+.custom-file,.input-group>.custom-select+.form-control,.input-group>.custom-select+.custom-select,.input-group>.custom-select+.custom-file,.input-group>.custom-file+.form-control,.input-group>.custom-file+.custom-select,.input-group>.custom-file+.custom-file{margin-left:-1px}.input-group>.form-control:focus,.input-group>.custom-select:focus,.input-group>.custom-file .custom-file-input:focus ~ .custom-file-label{z-index:3}.input-group>.custom-file .custom-file-input:focus{z-index:4}.input-group>.form-control:not(:last-child),.input-group>.custom-select:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.form-control:not(:first-child),.input-group>.custom-select:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.input-group>.custom-file{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center}.input-group>.custom-file:not(:last-child) .custom-file-label,.input-group>.custom-file:not(:last-child) .custom-file-label::after{border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.custom-file:not(:first-child) .custom-file-label{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-prepend,.input-group-append{display:-webkit-box;display:-ms-flexbox;display:flex}.input-group-prepend .btn,.input-group-append .btn{position:relative;z-index:2}.input-group-prepend .btn:focus,.input-group-append .btn:focus{z-index:3}.input-group-prepend .btn+.btn,.input-group-prepend .btn+.input-group-text,.input-group-prepend .input-group-text+.input-group-text,.input-group-prepend .input-group-text+.btn,.input-group-append .btn+.btn,.input-group-append .btn+.input-group-text,.input-group-append .input-group-text+.input-group-text,.input-group-append .input-group-text+.btn{margin-left:-1px}.input-group-prepend{margin-right:-1px}.input-group-append{margin-left:-1px}.input-group-text{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding:0.75rem 1rem;margin-bottom:0;font-size:0.9375rem;font-weight:400;line-height:1.5;color:#52575C;text-align:center;white-space:nowrap;background-color:#e9ecef;border:1px solid #ced4da;border-radius:0.25rem}.input-group-text input[type="radio"],.input-group-text input[type="checkbox"]{margin-top:0}.input-group-lg>.form-control:not(textarea),.input-group-lg>.custom-select{height:calc(1.5em + 1rem + 2px)}.input-group-lg>.form-control,.input-group-lg>.custom-select,.input-group-lg>.input-group-prepend>.input-group-text,.input-group-lg>.input-group-append>.input-group-text,.input-group-lg>.input-group-prepend>.btn,.input-group-lg>.input-group-append>.btn{padding:0.5rem 1rem;font-size:1.171875rem;line-height:1.5;border-radius:0.3rem}.input-group-sm>.form-control:not(textarea),.input-group-sm>.custom-select{height:calc(1.5em + 0.5rem + 2px)}.input-group-sm>.form-control,.input-group-sm>.custom-select,.input-group-sm>.input-group-prepend>.input-group-text,.input-group-sm>.input-group-append>.input-group-text,.input-group-sm>.input-group-prepend>.btn,.input-group-sm>.input-group-append>.btn{padding:0.25rem 0.5rem;font-size:0.8203125rem;line-height:1.5;border-radius:0.2rem}.input-group-lg>.custom-select,.input-group-sm>.custom-select{padding-right:2rem}.input-group>.input-group-prepend>.btn,.input-group>.input-group-prepend>.input-group-text,.input-group>.input-group-append:not(:last-child)>.btn,.input-group>.input-group-append:not(:last-child)>.input-group-text,.input-group>.input-group-append:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group>.input-group-append:last-child>.input-group-text:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.input-group-append>.btn,.input-group>.input-group-append>.input-group-text,.input-group>.input-group-prepend:not(:first-child)>.btn,.input-group>.input-group-prepend:not(:first-child)>.input-group-text,.input-group>.input-group-prepend:first-child>.btn:not(:first-child),.input-group>.input-group-prepend:first-child>.input-group-text:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.custom-control{position:relative;display:block;min-height:1.40625rem;padding-left:1.5rem}.custom-control-inline{display:-webkit-inline-box;display:-ms-inline-flexbox;display:inline-flex;margin-right:1rem}.custom-control-input{position:absolute;left:0;z-index:-1;width:1rem;height:1.203125rem;opacity:0}.custom-control-input:checked ~ .custom-control-label::before{color:#fff;border-color:#3A3F44;background-color:#3A3F44}.custom-control-input:focus ~ .custom-control-label::before{-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-control-input:focus:not(:checked) ~ .custom-control-label::before{border-color:#757f89}.custom-control-input:not(:disabled):active ~ .custom-control-label::before{color:#fff;background-color:#9098a0;border-color:#9098a0}.custom-control-input[disabled] ~ .custom-control-label,.custom-control-input:disabled ~ .custom-control-label{color:#7A8288}.custom-control-input[disabled] ~ .custom-control-label::before,.custom-control-input:disabled ~ .custom-control-label::before{background-color:#ccc}.custom-control-label{position:relative;margin-bottom:0;vertical-align:top}.custom-control-label::before{position:absolute;top:0.203125rem;left:-1.5rem;display:block;width:1rem;height:1rem;pointer-events:none;content:"";background-color:#fff;border:#999 solid 1px}.custom-control-label::after{position:absolute;top:0.203125rem;left:-1.5rem;display:block;width:1rem;height:1rem;content:"";background:no-repeat 50% / 50% 50%}.custom-checkbox .custom-control-label::before{border-radius:0.25rem}.custom-checkbox .custom-control-input:checked ~ .custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%23fff' d='M6.564.75l-3.59 3.612-1.538-1.55L0 4.26l2.974 2.99L8 2.193z'/%3e%3c/svg%3e")}.custom-checkbox .custom-control-input:indeterminate ~ .custom-control-label::before{border-color:#3A3F44;background-color:#3A3F44}.custom-checkbox .custom-control-input:indeterminate ~ .custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='4' viewBox='0 0 4 4'%3e%3cpath stroke='%23fff' d='M0 2h4'/%3e%3c/svg%3e")}.custom-checkbox .custom-control-input:disabled:checked ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-checkbox .custom-control-input:disabled:indeterminate ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-radio .custom-control-label::before{border-radius:50%}.custom-radio .custom-control-input:checked ~ .custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%23fff'/%3e%3c/svg%3e")}.custom-radio .custom-control-input:disabled:checked ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-switch{padding-left:2.25rem}.custom-switch .custom-control-label::before{left:-2.25rem;width:1.75rem;pointer-events:all;border-radius:0.5rem}.custom-switch .custom-control-label::after{top:calc(0.203125rem + 2px);left:calc(-2.25rem + 2px);width:calc(1rem - 4px);height:calc(1rem - 4px);background-color:#999;border-radius:0.5rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-transform 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-transform 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:transform 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:transform 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-transform 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.custom-switch .custom-control-label::after{-webkit-transition:none;transition:none}}.custom-switch .custom-control-input:checked ~ .custom-control-label::after{background-color:#fff;-webkit-transform:translateX(0.75rem);transform:translateX(0.75rem)}.custom-switch .custom-control-input:disabled:checked ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-select{display:inline-block;width:100%;height:calc(1.5em + 1.5rem + 2px);padding:0.75rem 2rem 0.75rem 1rem;font-size:0.9375rem;font-weight:400;line-height:1.5;color:#52575C;vertical-align:middle;background:#fff url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%233A3F44' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right 1rem center/8px 10px;border:1px solid #ced4da;border-radius:0.25rem;-webkit-appearance:none;-moz-appearance:none;appearance:none}.custom-select:focus{border-color:#757f89;outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-select:focus::-ms-value{color:#52575C;background-color:#fff}.custom-select[multiple],.custom-select[size]:not([size="1"]){height:auto;padding-right:1rem;background-image:none}.custom-select:disabled{color:#7A8288;background-color:#e9ecef}.custom-select::-ms-expand{display:none}.custom-select:-moz-focusring{color:transparent;text-shadow:0 0 0 #52575C}.custom-select-sm{height:calc(1.5em + 0.5rem + 2px);padding-top:0.25rem;padding-bottom:0.25rem;padding-left:0.5rem;font-size:0.8203125rem}.custom-select-lg{height:calc(1.5em + 1rem + 2px);padding-top:0.5rem;padding-bottom:0.5rem;padding-left:1rem;font-size:1.171875rem}.custom-file{position:relative;display:inline-block;width:100%;height:calc(1.5em + 1.5rem + 2px);margin-bottom:0}.custom-file-input{position:relative;z-index:2;width:100%;height:calc(1.5em + 1.5rem + 2px);margin:0;opacity:0}.custom-file-input:focus ~ .custom-file-label{border-color:#757f89;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-file-input[disabled] ~ .custom-file-label,.custom-file-input:disabled ~ .custom-file-label{background-color:#ccc}.custom-file-input:lang(en) ~ .custom-file-label::after{content:"Browse"}.custom-file-input ~ .custom-file-label[data-browse]::after{content:attr(data-browse)}.custom-file-label{position:absolute;top:0;right:0;left:0;z-index:1;height:calc(1.5em + 1.5rem + 2px);padding:0.75rem 1rem;font-weight:400;line-height:1.5;color:#52575C;background-color:#fff;border:1px solid #ced4da;border-radius:0.25rem}.custom-file-label::after{position:absolute;top:0;right:0;bottom:0;z-index:3;display:block;height:calc(1.5em + 1.5rem);padding:0.75rem 1rem;line-height:1.5;color:#52575C;content:"Browse";background-color:#e9ecef;border-left:inherit;border-radius:0 0.25rem 0.25rem 0}.custom-range{width:100%;height:1.4rem;padding:0;background-color:transparent;-webkit-appearance:none;-moz-appearance:none;appearance:none}.custom-range:focus{outline:none}.custom-range:focus::-webkit-slider-thumb{-webkit-box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-range:focus::-moz-range-thumb{box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-range:focus::-ms-thumb{box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-range::-moz-focus-outer{border:0}.custom-range::-webkit-slider-thumb{width:1rem;height:1rem;margin-top:-0.25rem;background-color:#3A3F44;border:0;border-radius:1rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;-webkit-appearance:none;appearance:none}@media (prefers-reduced-motion: reduce){.custom-range::-webkit-slider-thumb{-webkit-transition:none;transition:none}}.custom-range::-webkit-slider-thumb:active{background-color:#9098a0}.custom-range::-webkit-slider-runnable-track{width:100%;height:0.5rem;color:transparent;cursor:pointer;background-color:#dee2e6;border-color:transparent;border-radius:1rem}.custom-range::-moz-range-thumb{width:1rem;height:1rem;background-color:#3A3F44;border:0;border-radius:1rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;-moz-appearance:none;appearance:none}@media (prefers-reduced-motion: reduce){.custom-range::-moz-range-thumb{-webkit-transition:none;transition:none}}.custom-range::-moz-range-thumb:active{background-color:#9098a0}.custom-range::-moz-range-track{width:100%;height:0.5rem;color:transparent;cursor:pointer;background-color:#dee2e6;border-color:transparent;border-radius:1rem}.custom-range::-ms-thumb{width:1rem;height:1rem;margin-top:0;margin-right:0.2rem;margin-left:0.2rem;background-color:#3A3F44;border:0;border-radius:1rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;appearance:none}@media (prefers-reduced-motion: reduce){.custom-range::-ms-thumb{-webkit-transition:none;transition:none}}.custom-range::-ms-thumb:active{background-color:#9098a0}.custom-range::-ms-track{width:100%;height:0.5rem;color:transparent;cursor:pointer;background-color:transparent;border-color:transparent;border-width:0.5rem}.custom-range::-ms-fill-lower{background-color:#dee2e6;border-radius:1rem}.custom-range::-ms-fill-upper{margin-right:15px;background-color:#dee2e6;border-radius:1rem}.custom-range:disabled::-webkit-slider-thumb{background-color:#999}.custom-range:disabled::-webkit-slider-runnable-track{cursor:default}.custom-range:disabled::-moz-range-thumb{background-color:#999}.custom-range:disabled::-moz-range-track{cursor:default}.custom-range:disabled::-ms-thumb{background-color:#999}.custom-control-label::before,.custom-file-label,.custom-select{-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.custom-control-label::before,.custom-file-label,.custom-select{-webkit-transition:none;transition:none}}.nav{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;padding-left:0;margin-bottom:0;list-style:none}.nav-link{display:block;padding:0.5rem 1rem}.nav-link:hover,.nav-link:focus{text-decoration:none}.nav-link.disabled{color:#7A8288;pointer-events:none;cursor:default}.nav-tabs{border-bottom:1px solid rgba(0,0,0,0.6)}.nav-tabs .nav-item{margin-bottom:-1px}.nav-tabs .nav-link{border:1px solid transparent;border-top-left-radius:0.25rem;border-top-right-radius:0.25rem}.nav-tabs .nav-link:hover,.nav-tabs .nav-link:focus{border-color:rgba(0,0,0,0.6)}.nav-tabs .nav-link.disabled{color:#7A8288;background-color:transparent;border-color:transparent}.nav-tabs .nav-link.active,.nav-tabs .nav-item.show .nav-link{color:#fff;background-color:#272B30;border-color:rgba(0,0,0,0.6)}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.nav-pills .nav-link{border-radius:0.25rem}.nav-pills .nav-link.active,.nav-pills .show>.nav-link{color:#fff;background-color:#3A3F44}.nav-fill .nav-item{-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto;text-align:center}.nav-justified .nav-item{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;text-align:center}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.navbar{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;padding:0 1rem}.navbar .container,.navbar .container-fluid,.navbar .container-sm,.navbar .container-md,.navbar .container-lg,.navbar .container-xl{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between}.navbar-brand{display:inline-block;padding-top:0.32421875rem;padding-bottom:0.32421875rem;margin-right:1rem;font-size:1.171875rem;line-height:inherit;white-space:nowrap}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-nav{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;padding-left:0;margin-bottom:0;list-style:none}.navbar-nav .nav-link{padding-right:0;padding-left:0}.navbar-nav .dropdown-menu{position:static;float:none}.navbar-text{display:inline-block;padding-top:0.5rem;padding-bottom:0.5rem}.navbar-collapse{-ms-flex-preferred-size:100%;flex-basis:100%;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;-webkit-box-align:center;-ms-flex-align:center;align-items:center}.navbar-toggler{padding:0.25rem 0.75rem;font-size:1.171875rem;line-height:1;background-color:transparent;border:1px solid transparent;border-radius:0.25rem}.navbar-toggler:hover,.navbar-toggler:focus{text-decoration:none}.navbar-toggler-icon{display:inline-block;width:1.5em;height:1.5em;vertical-align:middle;content:"";background:no-repeat center center;background-size:100% 100%}@media (max-width: 575.98px){.navbar-expand-sm>.container,.navbar-expand-sm>.container-fluid,.navbar-expand-sm>.container-sm,.navbar-expand-sm>.container-md,.navbar-expand-sm>.container-lg,.navbar-expand-sm>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 576px){.navbar-expand-sm{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-sm .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-sm .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-sm .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-sm>.container,.navbar-expand-sm>.container-fluid,.navbar-expand-sm>.container-sm,.navbar-expand-sm>.container-md,.navbar-expand-sm>.container-lg,.navbar-expand-sm>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-sm .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-sm .navbar-toggler{display:none}}@media (max-width: 767.98px){.navbar-expand-md>.container,.navbar-expand-md>.container-fluid,.navbar-expand-md>.container-sm,.navbar-expand-md>.container-md,.navbar-expand-md>.container-lg,.navbar-expand-md>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 768px){.navbar-expand-md{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-md .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-md .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-md .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-md>.container,.navbar-expand-md>.container-fluid,.navbar-expand-md>.container-sm,.navbar-expand-md>.container-md,.navbar-expand-md>.container-lg,.navbar-expand-md>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-md .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-md .navbar-toggler{display:none}}@media (max-width: 991.98px){.navbar-expand-lg>.container,.navbar-expand-lg>.container-fluid,.navbar-expand-lg>.container-sm,.navbar-expand-lg>.container-md,.navbar-expand-lg>.container-lg,.navbar-expand-lg>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 992px){.navbar-expand-lg{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-lg .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-lg .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-lg .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-lg>.container,.navbar-expand-lg>.container-fluid,.navbar-expand-lg>.container-sm,.navbar-expand-lg>.container-md,.navbar-expand-lg>.container-lg,.navbar-expand-lg>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-lg .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-lg .navbar-toggler{display:none}}@media (max-width: 1199.98px){.navbar-expand-xl>.container,.navbar-expand-xl>.container-fluid,.navbar-expand-xl>.container-sm,.navbar-expand-xl>.container-md,.navbar-expand-xl>.container-lg,.navbar-expand-xl>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 1200px){.navbar-expand-xl{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-xl .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-xl .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-xl .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-xl>.container,.navbar-expand-xl>.container-fluid,.navbar-expand-xl>.container-sm,.navbar-expand-xl>.container-md,.navbar-expand-xl>.container-lg,.navbar-expand-xl>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-xl .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-xl .navbar-toggler{display:none}}.navbar-expand{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand>.container,.navbar-expand>.container-fluid,.navbar-expand>.container-sm,.navbar-expand>.container-md,.navbar-expand>.container-lg,.navbar-expand>.container-xl{padding-right:0;padding-left:0}.navbar-expand .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand .navbar-nav .dropdown-menu{position:absolute}.navbar-expand .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand>.container,.navbar-expand>.container-fluid,.navbar-expand>.container-sm,.navbar-expand>.container-md,.navbar-expand>.container-lg,.navbar-expand>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand .navbar-toggler{display:none}.navbar-light .navbar-brand{color:#3A3F44}.navbar-light .navbar-brand:hover,.navbar-light .navbar-brand:focus{color:#3A3F44}.navbar-light .navbar-nav .nav-link{color:rgba(0,0,0,0.5)}.navbar-light .navbar-nav .nav-link:hover,.navbar-light .navbar-nav .nav-link:focus{color:#3A3F44}.navbar-light .navbar-nav .nav-link.disabled{color:rgba(0,0,0,0.3)}.navbar-light .navbar-nav .show>.nav-link,.navbar-light .navbar-nav .active>.nav-link,.navbar-light .navbar-nav .nav-link.show,.navbar-light .navbar-nav .nav-link.active{color:#3A3F44}.navbar-light .navbar-toggler{color:rgba(0,0,0,0.5);border-color:rgba(0,0,0,0.1)}.navbar-light .navbar-toggler-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='30' height='30' viewBox='0 0 30 30'%3e%3cpath stroke='rgba(0, 0, 0, 0.5)' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e")}.navbar-light .navbar-text{color:rgba(0,0,0,0.5)}.navbar-light .navbar-text a{color:#3A3F44}.navbar-light .navbar-text a:hover,.navbar-light .navbar-text a:focus{color:#3A3F44}.navbar-dark .navbar-brand{color:#fff}.navbar-dark .navbar-brand:hover,.navbar-dark .navbar-brand:focus{color:#fff}.navbar-dark .navbar-nav .nav-link{color:rgba(255,255,255,0.5)}.navbar-dark .navbar-nav .nav-link:hover,.navbar-dark .navbar-nav .nav-link:focus{color:#fff}.navbar-dark .navbar-nav .nav-link.disabled{color:rgba(255,255,255,0.25)}.navbar-dark .navbar-nav .show>.nav-link,.navbar-dark .navbar-nav .active>.nav-link,.navbar-dark .navbar-nav .nav-link.show,.navbar-dark .navbar-nav .nav-link.active{color:#fff}.navbar-dark .navbar-toggler{color:rgba(255,255,255,0.5);border-color:rgba(255,255,255,0.1)}.navbar-dark .navbar-toggler-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='30' height='30' viewBox='0 0 30 30'%3e%3cpath stroke='rgba(255, 255, 255, 0.5)' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e")}.navbar-dark .navbar-text{color:rgba(255,255,255,0.5)}.navbar-dark .navbar-text a{color:#fff}.navbar-dark .navbar-text a:hover,.navbar-dark .navbar-text a:focus{color:#fff}.card{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;min-width:0;word-wrap:break-word;background-color:#32383e;background-clip:border-box;border:1px solid rgba(0,0,0,0.6);border-radius:0.25rem}.card>hr{margin-right:0;margin-left:0}.card>.list-group:first-child .list-group-item:first-child{border-top-left-radius:0.25rem;border-top-right-radius:0.25rem}.card>.list-group:last-child .list-group-item:last-child{border-bottom-right-radius:0.25rem;border-bottom-left-radius:0.25rem}.card-body{-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto;min-height:1px;padding:1.25rem}.card-title{margin-bottom:0.75rem}.card-subtitle{margin-top:-0.375rem;margin-bottom:0}.card-text:last-child{margin-bottom:0}.card-link:hover{text-decoration:none}.card-link+.card-link{margin-left:1.25rem}.card-header{padding:0.75rem 1.25rem;margin-bottom:0;background-color:#515960;border-bottom:1px solid rgba(0,0,0,0.6)}.card-header:first-child{border-radius:calc(0.25rem - 1px) calc(0.25rem - 1px) 0 0}.card-header+.list-group .list-group-item:first-child{border-top:0}.card-footer{padding:0.75rem 1.25rem;background-color:#515960;border-top:1px solid rgba(0,0,0,0.6)}.card-footer:last-child{border-radius:0 0 calc(0.25rem - 1px) calc(0.25rem - 1px)}.card-header-tabs{margin-right:-0.625rem;margin-bottom:-0.75rem;margin-left:-0.625rem;border-bottom:0}.card-header-pills{margin-right:-0.625rem;margin-left:-0.625rem}.card-img-overlay{position:absolute;top:0;right:0;bottom:0;left:0;padding:1.25rem}.card-img,.card-img-top,.card-img-bottom{-ms-flex-negative:0;flex-shrink:0;width:100%}.card-img,.card-img-top{border-top-left-radius:calc(0.25rem - 1px);border-top-right-radius:calc(0.25rem - 1px)}.card-img,.card-img-bottom{border-bottom-right-radius:calc(0.25rem - 1px);border-bottom-left-radius:calc(0.25rem - 1px)}.card-deck .card{margin-bottom:15px}@media (min-width: 576px){.card-deck{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap;margin-right:-15px;margin-left:-15px}.card-deck .card{-webkit-box-flex:1;-ms-flex:1 0 0%;flex:1 0 0%;margin-right:15px;margin-bottom:0;margin-left:15px}}.card-group>.card{margin-bottom:15px}@media (min-width: 576px){.card-group{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap}.card-group>.card{-webkit-box-flex:1;-ms-flex:1 0 0%;flex:1 0 0%;margin-bottom:0}.card-group>.card+.card{margin-left:0;border-left:0}.card-group>.card:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.card-group>.card:not(:last-child) .card-img-top,.card-group>.card:not(:last-child) .card-header{border-top-right-radius:0}.card-group>.card:not(:last-child) .card-img-bottom,.card-group>.card:not(:last-child) .card-footer{border-bottom-right-radius:0}.card-group>.card:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.card-group>.card:not(:first-child) .card-img-top,.card-group>.card:not(:first-child) .card-header{border-top-left-radius:0}.card-group>.card:not(:first-child) .card-img-bottom,.card-group>.card:not(:first-child) .card-footer{border-bottom-left-radius:0}}.card-columns .card{margin-bottom:0.75rem}@media (min-width: 576px){.card-columns{-webkit-column-count:3;column-count:3;-webkit-column-gap:1.25rem;column-gap:1.25rem;orphans:1;widows:1}.card-columns .card{display:inline-block;width:100%}}.accordion>.card{overflow:hidden}.accordion>.card:not(:last-of-type){border-bottom:0;border-bottom-right-radius:0;border-bottom-left-radius:0}.accordion>.card:not(:first-of-type){border-top-left-radius:0;border-top-right-radius:0}.accordion>.card>.card-header{border-radius:0;margin-bottom:-1px}.breadcrumb{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;padding:0.75rem 1rem;margin-bottom:1rem;list-style:none;background-color:#e9ecef;border-radius:0.25rem}.breadcrumb-item+.breadcrumb-item{padding-left:0.5rem}.breadcrumb-item+.breadcrumb-item::before{display:inline-block;padding-right:0.5rem;color:#7A8288;content:"/"}.breadcrumb-item+.breadcrumb-item:hover::before{text-decoration:underline}.breadcrumb-item+.breadcrumb-item:hover::before{text-decoration:none}.breadcrumb-item.active{color:#999}.pagination{display:-webkit-box;display:-ms-flexbox;display:flex;padding-left:0;list-style:none;border-radius:0.25rem}.page-link{position:relative;display:block;padding:0.5rem 0.75rem;margin-left:-1px;line-height:1.25;color:#fff;background-color:transparent;border:1px solid rgba(0,0,0,0.6)}.page-link:hover{z-index:2;color:#fff;text-decoration:none;background-color:transparent;border-color:rgba(0,0,0,0.6)}.page-link:focus{z-index:3;outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.page-item:first-child .page-link{margin-left:0;border-top-left-radius:0.25rem;border-bottom-left-radius:0.25rem}.page-item:last-child .page-link{border-top-right-radius:0.25rem;border-bottom-right-radius:0.25rem}.page-item.active .page-link{z-index:3;color:#fff;background-color:transparent;border-color:rgba(0,0,0,0.6)}.page-item.disabled .page-link{color:#7A8288;pointer-events:none;cursor:auto;background-color:transparent;border-color:rgba(0,0,0,0.6)}.pagination-lg .page-link{padding:0.75rem 1.5rem;font-size:1.171875rem;line-height:1.5}.pagination-lg .page-item:first-child .page-link{border-top-left-radius:0.3rem;border-bottom-left-radius:0.3rem}.pagination-lg .page-item:last-child .page-link{border-top-right-radius:0.3rem;border-bottom-right-radius:0.3rem}.pagination-sm .page-link{padding:0.25rem 0.5rem;font-size:0.8203125rem;line-height:1.5}.pagination-sm .page-item:first-child .page-link{border-top-left-radius:0.2rem;border-bottom-left-radius:0.2rem}.pagination-sm .page-item:last-child .page-link{border-top-right-radius:0.2rem;border-bottom-right-radius:0.2rem}.badge{display:inline-block;padding:0.25em 0.4em;font-size:75%;font-weight:700;line-height:1;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:0.25rem;-webkit-transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.badge{-webkit-transition:none;transition:none}}a.badge:hover,a.badge:focus{text-decoration:none}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.badge-pill{padding-right:0.6em;padding-left:0.6em;border-radius:10rem}.badge-primary{color:#fff;background-color:#3A3F44}a.badge-primary:hover,a.badge-primary:focus{color:#fff;background-color:#232628}a.badge-primary:focus,a.badge-primary.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5)}.badge-secondary{color:#fff;background-color:#7A8288}a.badge-secondary:hover,a.badge-secondary:focus{color:#fff;background-color:#62686d}a.badge-secondary:focus,a.badge-secondary.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5);box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5)}.badge-success{color:#fff;background-color:#62c462}a.badge-success:hover,a.badge-success:focus{color:#fff;background-color:#42b142}a.badge-success:focus,a.badge-success.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5)}.badge-info{color:#fff;background-color:#5bc0de}a.badge-info:hover,a.badge-info:focus{color:#fff;background-color:#31b0d5}a.badge-info:focus,a.badge-info.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5);box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5)}.badge-warning{color:#fff;background-color:#f89406}a.badge-warning:hover,a.badge-warning:focus{color:#fff;background-color:#c67605}a.badge-warning:focus,a.badge-warning.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5);box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5)}.badge-danger{color:#fff;background-color:#ee5f5b}a.badge-danger:hover,a.badge-danger:focus{color:#fff;background-color:#e9322d}a.badge-danger:focus,a.badge-danger.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5)}.badge-light{color:#272B30;background-color:#e9ecef}a.badge-light:hover,a.badge-light:focus{color:#272B30;background-color:#cbd3da}a.badge-light:focus,a.badge-light.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5);box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5)}.badge-dark{color:#fff;background-color:#272B30}a.badge-dark:hover,a.badge-dark:focus{color:#fff;background-color:#101214}a.badge-dark:focus,a.badge-dark.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5);box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5)}.jumbotron{padding:2rem 1rem;margin-bottom:2rem;background-color:#1c1e22;border-radius:0.3rem}@media (min-width: 576px){.jumbotron{padding:4rem 2rem}}.jumbotron-fluid{padding-right:0;padding-left:0;border-radius:0}.alert{position:relative;padding:0.75rem 1.25rem;margin-bottom:1rem;border:1px solid transparent;border-radius:0.25rem}.alert-heading{color:inherit}.alert-link{font-weight:700}.alert-dismissible{padding-right:3.90625rem}.alert-dismissible .close{position:absolute;top:0;right:0;padding:0.75rem 1.25rem;color:inherit}.alert-primary{color:#1e2123;background-color:#d8d9da;border-color:#c8c9cb}.alert-primary hr{border-top-color:#bbbcbf}.alert-primary .alert-link{color:#060708}.alert-secondary{color:#3f4447;background-color:#e4e6e7;border-color:#dadcde}.alert-secondary hr{border-top-color:#cdcfd2}.alert-secondary .alert-link{color:#272a2c}.alert-success{color:#336633;background-color:#e0f3e0;border-color:#d3eed3}.alert-success hr{border-top-color:#c1e7c1}.alert-success .alert-link{color:#224422}.alert-info{color:#2f6473;background-color:#def2f8;border-color:#d1edf6}.alert-info hr{border-top-color:#bce5f2}.alert-info .alert-link{color:#20454f}.alert-warning{color:#814d03;background-color:#feeacd;border-color:#fde1b9}.alert-warning hr{border-top-color:#fcd6a0}.alert-warning .alert-link{color:#4f2f02}.alert-danger{color:#7c312f;background-color:#fcdfde;border-color:#fad2d1}.alert-danger hr{border-top-color:#f8bcba}.alert-danger .alert-link{color:#572221}.alert-light{color:#797b7c;background-color:#fbfbfc;border-color:#f9fafb}.alert-light hr{border-top-color:#eaedf1}.alert-light .alert-link{color:#606162}.alert-dark{color:#141619;background-color:#d4d5d6;border-color:#c3c4c5}.alert-dark hr{border-top-color:#b6b7b8}.alert-dark .alert-link{color:black}@-webkit-keyframes progress-bar-stripes{from{background-position:1rem 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:1rem 0}to{background-position:0 0}}.progress{display:-webkit-box;display:-ms-flexbox;display:flex;height:1rem;overflow:hidden;font-size:0.703125rem;background-color:#1c1e22;border-radius:0.25rem}.progress-bar{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;overflow:hidden;color:#7A8288;text-align:center;white-space:nowrap;background-color:#3A3F44;-webkit-transition:width 0.6s ease;transition:width 0.6s ease}@media (prefers-reduced-motion: reduce){.progress-bar{-webkit-transition:none;transition:none}}.progress-bar-striped{background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-size:1rem 1rem}.progress-bar-animated{-webkit-animation:progress-bar-stripes 1s linear infinite;animation:progress-bar-stripes 1s linear infinite}@media (prefers-reduced-motion: reduce){.progress-bar-animated{-webkit-animation:none;animation:none}}.media{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:start;-ms-flex-align:start;align-items:flex-start}.media-body{-webkit-box-flex:1;-ms-flex:1;flex:1}.list-group{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;padding-left:0;margin-bottom:0}.list-group-item-action{width:100%;color:#fff;text-align:inherit}.list-group-item-action:hover,.list-group-item-action:focus{z-index:1;color:#fff;text-decoration:none;background-color:#3e444c}.list-group-item-action:active{color:#aaa;background-color:#e9ecef}.list-group-item{position:relative;display:block;padding:0.75rem 1.25rem;background-color:#32383e;border:1px solid rgba(0,0,0,0.6)}.list-group-item:first-child{border-top-left-radius:0.25rem;border-top-right-radius:0.25rem}.list-group-item:last-child{border-bottom-right-radius:0.25rem;border-bottom-left-radius:0.25rem}.list-group-item.disabled,.list-group-item:disabled{color:#52575C;pointer-events:none;background-color:#32383e}.list-group-item.active{z-index:2;color:#fff;background-color:#3e444c;border-color:rgba(0,0,0,0.6)}.list-group-item+.list-group-item{border-top-width:0}.list-group-item+.list-group-item.active{margin-top:-1px;border-top-width:1px}.list-group-horizontal{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal .list-group-item.active{margin-top:0}.list-group-horizontal .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}@media (min-width: 576px){.list-group-horizontal-sm{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-sm .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-sm .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-sm .list-group-item.active{margin-top:0}.list-group-horizontal-sm .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-sm .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width: 768px){.list-group-horizontal-md{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-md .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-md .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-md .list-group-item.active{margin-top:0}.list-group-horizontal-md .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-md .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width: 992px){.list-group-horizontal-lg{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-lg .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-lg .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-lg .list-group-item.active{margin-top:0}.list-group-horizontal-lg .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-lg .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width: 1200px){.list-group-horizontal-xl{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-xl .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-xl .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-xl .list-group-item.active{margin-top:0}.list-group-horizontal-xl .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-xl .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}.list-group-flush .list-group-item{border-right-width:0;border-left-width:0;border-radius:0}.list-group-flush .list-group-item:first-child{border-top-width:0}.list-group-flush:last-child .list-group-item:last-child{border-bottom-width:0}.list-group-item-primary{color:#1e2123;background-color:#c8c9cb}.list-group-item-primary.list-group-item-action:hover,.list-group-item-primary.list-group-item-action:focus{color:#1e2123;background-color:#bbbcbf}.list-group-item-primary.list-group-item-action.active{color:#fff;background-color:#1e2123;border-color:#1e2123}.list-group-item-secondary{color:#3f4447;background-color:#dadcde}.list-group-item-secondary.list-group-item-action:hover,.list-group-item-secondary.list-group-item-action:focus{color:#3f4447;background-color:#cdcfd2}.list-group-item-secondary.list-group-item-action.active{color:#fff;background-color:#3f4447;border-color:#3f4447}.list-group-item-success{color:#336633;background-color:#d3eed3}.list-group-item-success.list-group-item-action:hover,.list-group-item-success.list-group-item-action:focus{color:#336633;background-color:#c1e7c1}.list-group-item-success.list-group-item-action.active{color:#fff;background-color:#336633;border-color:#336633}.list-group-item-info{color:#2f6473;background-color:#d1edf6}.list-group-item-info.list-group-item-action:hover,.list-group-item-info.list-group-item-action:focus{color:#2f6473;background-color:#bce5f2}.list-group-item-info.list-group-item-action.active{color:#fff;background-color:#2f6473;border-color:#2f6473}.list-group-item-warning{color:#814d03;background-color:#fde1b9}.list-group-item-warning.list-group-item-action:hover,.list-group-item-warning.list-group-item-action:focus{color:#814d03;background-color:#fcd6a0}.list-group-item-warning.list-group-item-action.active{color:#fff;background-color:#814d03;border-color:#814d03}.list-group-item-danger{color:#7c312f;background-color:#fad2d1}.list-group-item-danger.list-group-item-action:hover,.list-group-item-danger.list-group-item-action:focus{color:#7c312f;background-color:#f8bcba}.list-group-item-danger.list-group-item-action.active{color:#fff;background-color:#7c312f;border-color:#7c312f}.list-group-item-light{color:#797b7c;background-color:#f9fafb}.list-group-item-light.list-group-item-action:hover,.list-group-item-light.list-group-item-action:focus{color:#797b7c;background-color:#eaedf1}.list-group-item-light.list-group-item-action.active{color:#fff;background-color:#797b7c;border-color:#797b7c}.list-group-item-dark{color:#141619;background-color:#c3c4c5}.list-group-item-dark.list-group-item-action:hover,.list-group-item-dark.list-group-item-action:focus{color:#141619;background-color:#b6b7b8}.list-group-item-dark.list-group-item-action.active{color:#fff;background-color:#141619;border-color:#141619}.close{float:right;font-size:1.40625rem;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.5}.close:hover{color:#000;text-decoration:none}.close:not(:disabled):not(.disabled):hover,.close:not(:disabled):not(.disabled):focus{opacity:.75}button.close{padding:0;background-color:transparent;border:0;-webkit-appearance:none;-moz-appearance:none;appearance:none}a.close.disabled{pointer-events:none}.toast{max-width:350px;overflow:hidden;font-size:0.875rem;background-color:#32383e;background-clip:padding-box;border:1px solid rgba(0,0,0,0.2);-webkit-box-shadow:0 0.25rem 0.75rem rgba(0,0,0,0.1);box-shadow:0 0.25rem 0.75rem rgba(0,0,0,0.1);-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);opacity:0;border-radius:0.25rem}.toast:not(:last-child){margin-bottom:0.75rem}.toast.showing{opacity:1}.toast.show{display:block;opacity:1}.toast.hide{display:none}.toast-header{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding:0.25rem 0.75rem;color:#aaa;background-color:#32383e;background-clip:padding-box;border-bottom:1px solid rgba(0,0,0,0.2)}.toast-body{padding:0.75rem}.modal-open{overflow:hidden}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal{position:fixed;top:0;left:0;z-index:1050;display:none;width:100%;height:100%;overflow:hidden;outline:0}.modal-dialog{position:relative;width:auto;margin:0.5rem;pointer-events:none}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform 0.3s ease-out;transition:-webkit-transform 0.3s ease-out;transition:transform 0.3s ease-out;transition:transform 0.3s ease-out, -webkit-transform 0.3s ease-out;-webkit-transform:translate(0, -50px);transform:translate(0, -50px)}@media (prefers-reduced-motion: reduce){.modal.fade .modal-dialog{-webkit-transition:none;transition:none}}.modal.show .modal-dialog{-webkit-transform:none;transform:none}.modal.modal-static .modal-dialog{-webkit-transform:scale(1.02);transform:scale(1.02)}.modal-dialog-scrollable{display:-webkit-box;display:-ms-flexbox;display:flex;max-height:calc(100% - 1rem)}.modal-dialog-scrollable .modal-content{max-height:calc(100vh - 1rem);overflow:hidden}.modal-dialog-scrollable .modal-header,.modal-dialog-scrollable .modal-footer{-ms-flex-negative:0;flex-shrink:0}.modal-dialog-scrollable .modal-body{overflow-y:auto}.modal-dialog-centered{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;min-height:calc(100% - 1rem)}.modal-dialog-centered::before{display:block;height:calc(100vh - 1rem);content:""}.modal-dialog-centered.modal-dialog-scrollable{-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;height:100%}.modal-dialog-centered.modal-dialog-scrollable .modal-content{max-height:none}.modal-dialog-centered.modal-dialog-scrollable::before{content:none}.modal-content{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;width:100%;pointer-events:auto;background-color:#32383e;background-clip:padding-box;border:1px solid rgba(0,0,0,0.2);border-radius:0.3rem;outline:0}.modal-backdrop{position:fixed;top:0;left:0;z-index:1040;width:100vw;height:100vh;background-color:#000}.modal-backdrop.fade{opacity:0}.modal-backdrop.show{opacity:0.5}.modal-header{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:start;-ms-flex-align:start;align-items:flex-start;-webkit-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;padding:1rem 1rem;border-bottom:1px solid rgba(0,0,0,0.2);border-top-left-radius:calc(0.3rem - 1px);border-top-right-radius:calc(0.3rem - 1px)}.modal-header .close{padding:1rem 1rem;margin:-1rem -1rem -1rem auto}.modal-title{margin-bottom:0;line-height:1.5}.modal-body{position:relative;-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto;padding:1rem}.modal-footer{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:end;-ms-flex-pack:end;justify-content:flex-end;padding:0.75rem;border-top:1px solid rgba(0,0,0,0.2);border-bottom-right-radius:calc(0.3rem - 1px);border-bottom-left-radius:calc(0.3rem - 1px)}.modal-footer>*{margin:0.25rem}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width: 576px){.modal-dialog{max-width:500px;margin:1.75rem auto}.modal-dialog-scrollable{max-height:calc(100% - 3.5rem)}.modal-dialog-scrollable .modal-content{max-height:calc(100vh - 3.5rem)}.modal-dialog-centered{min-height:calc(100% - 3.5rem)}.modal-dialog-centered::before{height:calc(100vh - 3.5rem)}.modal-sm{max-width:300px}}@media (min-width: 992px){.modal-lg,.modal-xl{max-width:800px}}@media (min-width: 1200px){.modal-xl{max-width:1140px}}.tooltip{position:absolute;z-index:1070;display:block;margin:0;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";font-style:normal;font-weight:400;line-height:1.5;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;white-space:normal;line-break:auto;font-size:0.8203125rem;word-wrap:break-word;opacity:0}.tooltip.show{opacity:0.9}.tooltip .arrow{position:absolute;display:block;width:0.8rem;height:0.4rem}.tooltip .arrow::before{position:absolute;content:"";border-color:transparent;border-style:solid}.bs-tooltip-top,.bs-tooltip-auto[x-placement^="top"]{padding:0.4rem 0}.bs-tooltip-top .arrow,.bs-tooltip-auto[x-placement^="top"] .arrow{bottom:0}.bs-tooltip-top .arrow::before,.bs-tooltip-auto[x-placement^="top"] .arrow::before{top:0;border-width:0.4rem 0.4rem 0;border-top-color:#000}.bs-tooltip-right,.bs-tooltip-auto[x-placement^="right"]{padding:0 0.4rem}.bs-tooltip-right .arrow,.bs-tooltip-auto[x-placement^="right"] .arrow{left:0;width:0.4rem;height:0.8rem}.bs-tooltip-right .arrow::before,.bs-tooltip-auto[x-placement^="right"] .arrow::before{right:0;border-width:0.4rem 0.4rem 0.4rem 0;border-right-color:#000}.bs-tooltip-bottom,.bs-tooltip-auto[x-placement^="bottom"]{padding:0.4rem 0}.bs-tooltip-bottom .arrow,.bs-tooltip-auto[x-placement^="bottom"] .arrow{top:0}.bs-tooltip-bottom .arrow::before,.bs-tooltip-auto[x-placement^="bottom"] .arrow::before{bottom:0;border-width:0 0.4rem 0.4rem;border-bottom-color:#000}.bs-tooltip-left,.bs-tooltip-auto[x-placement^="left"]{padding:0 0.4rem}.bs-tooltip-left .arrow,.bs-tooltip-auto[x-placement^="left"] .arrow{right:0;width:0.4rem;height:0.8rem}.bs-tooltip-left .arrow::before,.bs-tooltip-auto[x-placement^="left"] .arrow::before{left:0;border-width:0.4rem 0 0.4rem 0.4rem;border-left-color:#000}.tooltip-inner{max-width:200px;padding:0.25rem 0.5rem;color:#fff;text-align:center;background-color:#000;border-radius:0.25rem}.popover{position:absolute;top:0;left:0;z-index:1060;display:block;max-width:276px;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";font-style:normal;font-weight:400;line-height:1.5;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;white-space:normal;line-break:auto;font-size:0.8203125rem;word-wrap:break-word;background-color:#32383e;background-clip:padding-box;border:1px solid rgba(0,0,0,0.2);border-radius:0.3rem}.popover .arrow{position:absolute;display:block;width:1rem;height:0.5rem;margin:0 0.3rem}.popover .arrow::before,.popover .arrow::after{position:absolute;display:block;content:"";border-color:transparent;border-style:solid}.bs-popover-top,.bs-popover-auto[x-placement^="top"]{margin-bottom:0.5rem}.bs-popover-top>.arrow,.bs-popover-auto[x-placement^="top"]>.arrow{bottom:calc(-0.5rem - 1px)}.bs-popover-top>.arrow::before,.bs-popover-auto[x-placement^="top"]>.arrow::before{bottom:0;border-width:0.5rem 0.5rem 0;border-top-color:rgba(0,0,0,0.25)}.bs-popover-top>.arrow::after,.bs-popover-auto[x-placement^="top"]>.arrow::after{bottom:1px;border-width:0.5rem 0.5rem 0;border-top-color:#32383e}.bs-popover-right,.bs-popover-auto[x-placement^="right"]{margin-left:0.5rem}.bs-popover-right>.arrow,.bs-popover-auto[x-placement^="right"]>.arrow{left:calc(-0.5rem - 1px);width:0.5rem;height:1rem;margin:0.3rem 0}.bs-popover-right>.arrow::before,.bs-popover-auto[x-placement^="right"]>.arrow::before{left:0;border-width:0.5rem 0.5rem 0.5rem 0;border-right-color:rgba(0,0,0,0.25)}.bs-popover-right>.arrow::after,.bs-popover-auto[x-placement^="right"]>.arrow::after{left:1px;border-width:0.5rem 0.5rem 0.5rem 0;border-right-color:#32383e}.bs-popover-bottom,.bs-popover-auto[x-placement^="bottom"]{margin-top:0.5rem}.bs-popover-bottom>.arrow,.bs-popover-auto[x-placement^="bottom"]>.arrow{top:calc(-0.5rem - 1px)}.bs-popover-bottom>.arrow::before,.bs-popover-auto[x-placement^="bottom"]>.arrow::before{top:0;border-width:0 0.5rem 0.5rem 0.5rem;border-bottom-color:rgba(0,0,0,0.25)}.bs-popover-bottom>.arrow::after,.bs-popover-auto[x-placement^="bottom"]>.arrow::after{top:1px;border-width:0 0.5rem 0.5rem 0.5rem;border-bottom-color:#32383e}.bs-popover-bottom .popover-header::before,.bs-popover-auto[x-placement^="bottom"] .popover-header::before{position:absolute;top:0;left:50%;display:block;width:1rem;margin-left:-0.5rem;content:"";border-bottom:1px solid #2c3036}.bs-popover-left,.bs-popover-auto[x-placement^="left"]{margin-right:0.5rem}.bs-popover-left>.arrow,.bs-popover-auto[x-placement^="left"]>.arrow{right:calc(-0.5rem - 1px);width:0.5rem;height:1rem;margin:0.3rem 0}.bs-popover-left>.arrow::before,.bs-popover-auto[x-placement^="left"]>.arrow::before{right:0;border-width:0.5rem 0 0.5rem 0.5rem;border-left-color:rgba(0,0,0,0.25)}.bs-popover-left>.arrow::after,.bs-popover-auto[x-placement^="left"]>.arrow::after{right:1px;border-width:0.5rem 0 0.5rem 0.5rem;border-left-color:#32383e}.popover-header{padding:0.5rem 0.75rem;margin-bottom:0;font-size:0.9375rem;background-color:#2c3036;border-bottom:1px solid #202328;border-top-left-radius:calc(0.3rem - 1px);border-top-right-radius:calc(0.3rem - 1px)}.popover-header:empty{display:none}.popover-body{padding:0.5rem 0.75rem;color:#aaa}.carousel{position:relative}.carousel.pointer-event{-ms-touch-action:pan-y;touch-action:pan-y}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner::after{display:block;clear:both;content:""}.carousel-item{position:relative;display:none;float:left;width:100%;margin-right:-100%;-webkit-backface-visibility:hidden;backface-visibility:hidden;-webkit-transition:-webkit-transform 0.6s ease-in-out;transition:-webkit-transform 0.6s ease-in-out;transition:transform 0.6s ease-in-out;transition:transform 0.6s ease-in-out, -webkit-transform 0.6s ease-in-out}@media (prefers-reduced-motion: reduce){.carousel-item{-webkit-transition:none;transition:none}}.carousel-item.active,.carousel-item-next,.carousel-item-prev{display:block}.carousel-item-next:not(.carousel-item-left),.active.carousel-item-right{-webkit-transform:translateX(100%);transform:translateX(100%)}.carousel-item-prev:not(.carousel-item-right),.active.carousel-item-left{-webkit-transform:translateX(-100%);transform:translateX(-100%)}.carousel-fade .carousel-item{opacity:0;-webkit-transition-property:opacity;transition-property:opacity;-webkit-transform:none;transform:none}.carousel-fade .carousel-item.active,.carousel-fade .carousel-item-next.carousel-item-left,.carousel-fade .carousel-item-prev.carousel-item-right{z-index:1;opacity:1}.carousel-fade .active.carousel-item-left,.carousel-fade .active.carousel-item-right{z-index:0;opacity:0;-webkit-transition:opacity 0s 0.6s;transition:opacity 0s 0.6s}@media (prefers-reduced-motion: reduce){.carousel-fade .active.carousel-item-left,.carousel-fade .active.carousel-item-right{-webkit-transition:none;transition:none}}.carousel-control-prev,.carousel-control-next{position:absolute;top:0;bottom:0;z-index:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;width:15%;color:#fff;text-align:center;opacity:0.5;-webkit-transition:opacity 0.15s ease;transition:opacity 0.15s ease}@media (prefers-reduced-motion: reduce){.carousel-control-prev,.carousel-control-next{-webkit-transition:none;transition:none}}.carousel-control-prev:hover,.carousel-control-prev:focus,.carousel-control-next:hover,.carousel-control-next:focus{color:#fff;text-decoration:none;outline:0;opacity:0.9}.carousel-control-prev{left:0}.carousel-control-next{right:0}.carousel-control-prev-icon,.carousel-control-next-icon{display:inline-block;width:20px;height:20px;background:no-repeat 50% / 100% 100%}.carousel-control-prev-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='%23fff' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath d='M5.25 0l-4 4 4 4 1.5-1.5L4.25 4l2.5-2.5L5.25 0z'/%3e%3c/svg%3e")}.carousel-control-next-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='%23fff' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath d='M2.75 0l-1.5 1.5L3.75 4l-2.5 2.5L2.75 8l4-4-4-4z'/%3e%3c/svg%3e")}.carousel-indicators{position:absolute;right:0;bottom:0;left:0;z-index:15;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;padding-left:0;margin-right:15%;margin-left:15%;list-style:none}.carousel-indicators li{-webkit-box-sizing:content-box;box-sizing:content-box;-webkit-box-flex:0;-ms-flex:0 1 auto;flex:0 1 auto;width:30px;height:3px;margin-right:3px;margin-left:3px;text-indent:-999px;cursor:pointer;background-color:#fff;background-clip:padding-box;border-top:10px solid transparent;border-bottom:10px solid transparent;opacity:.5;-webkit-transition:opacity 0.6s ease;transition:opacity 0.6s ease}@media (prefers-reduced-motion: reduce){.carousel-indicators li{-webkit-transition:none;transition:none}}.carousel-indicators .active{opacity:1}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center}@-webkit-keyframes spinner-border{to{-webkit-transform:rotate(360deg);transform:rotate(360deg)}}@keyframes spinner-border{to{-webkit-transform:rotate(360deg);transform:rotate(360deg)}}.spinner-border{display:inline-block;width:2rem;height:2rem;vertical-align:text-bottom;border:0.25em solid currentColor;border-right-color:transparent;border-radius:50%;-webkit-animation:spinner-border .75s linear infinite;animation:spinner-border .75s linear infinite}.spinner-border-sm{width:1rem;height:1rem;border-width:0.2em}@-webkit-keyframes spinner-grow{0%{-webkit-transform:scale(0);transform:scale(0)}50%{opacity:1}}@keyframes spinner-grow{0%{-webkit-transform:scale(0);transform:scale(0)}50%{opacity:1}}.spinner-grow{display:inline-block;width:2rem;height:2rem;vertical-align:text-bottom;background-color:currentColor;border-radius:50%;opacity:0;-webkit-animation:spinner-grow .75s linear infinite;animation:spinner-grow .75s linear infinite}.spinner-grow-sm{width:1rem;height:1rem}.align-baseline{vertical-align:baseline !important}.align-top{vertical-align:top !important}.align-middle{vertical-align:middle !important}.align-bottom{vertical-align:bottom !important}.align-text-bottom{vertical-align:text-bottom !important}.align-text-top{vertical-align:text-top !important}.bg-primary{background-color:#3A3F44 !important}a.bg-primary:hover,a.bg-primary:focus,button.bg-primary:hover,button.bg-primary:focus{background-color:#232628 !important}.bg-secondary{background-color:#7A8288 !important}a.bg-secondary:hover,a.bg-secondary:focus,button.bg-secondary:hover,button.bg-secondary:focus{background-color:#62686d !important}.bg-success{background-color:#62c462 !important}a.bg-success:hover,a.bg-success:focus,button.bg-success:hover,button.bg-success:focus{background-color:#42b142 !important}.bg-info{background-color:#5bc0de !important}a.bg-info:hover,a.bg-info:focus,button.bg-info:hover,button.bg-info:focus{background-color:#31b0d5 !important}.bg-warning{background-color:#f89406 !important}a.bg-warning:hover,a.bg-warning:focus,button.bg-warning:hover,button.bg-warning:focus{background-color:#c67605 !important}.bg-danger{background-color:#ee5f5b !important}a.bg-danger:hover,a.bg-danger:focus,button.bg-danger:hover,button.bg-danger:focus{background-color:#e9322d !important}.bg-light{background-color:#e9ecef !important}a.bg-light:hover,a.bg-light:focus,button.bg-light:hover,button.bg-light:focus{background-color:#cbd3da !important}.bg-dark{background-color:#272B30 !important}a.bg-dark:hover,a.bg-dark:focus,button.bg-dark:hover,button.bg-dark:focus{background-color:#101214 !important}.bg-white{background-color:#fff !important}.bg-transparent{background-color:transparent !important}.border{border:1px solid #dee2e6 !important}.border-top{border-top:1px solid #dee2e6 !important}.border-right{border-right:1px solid #dee2e6 !important}.border-bottom{border-bottom:1px solid #dee2e6 !important}.border-left{border-left:1px solid #dee2e6 !important}.border-0{border:0 !important}.border-top-0{border-top:0 !important}.border-right-0{border-right:0 !important}.border-bottom-0{border-bottom:0 !important}.border-left-0{border-left:0 !important}.border-primary{border-color:#3A3F44 !important}.border-secondary{border-color:#7A8288 !important}.border-success{border-color:#62c462 !important}.border-info{border-color:#5bc0de !important}.border-warning{border-color:#f89406 !important}.border-danger{border-color:#ee5f5b !important}.border-light{border-color:#e9ecef !important}.border-dark{border-color:#272B30 !important}.border-white{border-color:#fff !important}.rounded-sm{border-radius:0.2rem !important}.rounded{border-radius:0.25rem !important}.rounded-top{border-top-left-radius:0.25rem !important;border-top-right-radius:0.25rem !important}.rounded-right{border-top-right-radius:0.25rem !important;border-bottom-right-radius:0.25rem !important}.rounded-bottom{border-bottom-right-radius:0.25rem !important;border-bottom-left-radius:0.25rem !important}.rounded-left{border-top-left-radius:0.25rem !important;border-bottom-left-radius:0.25rem !important}.rounded-lg{border-radius:0.3rem !important}.rounded-circle{border-radius:50% !important}.rounded-pill{border-radius:50rem !important}.rounded-0{border-radius:0 !important}.clearfix::after{display:block;clear:both;content:""}.d-none{display:none !important}.d-inline{display:inline !important}.d-inline-block{display:inline-block !important}.d-block{display:block !important}.d-table{display:table !important}.d-table-row{display:table-row !important}.d-table-cell{display:table-cell !important}.d-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}@media (min-width: 576px){.d-sm-none{display:none !important}.d-sm-inline{display:inline !important}.d-sm-inline-block{display:inline-block !important}.d-sm-block{display:block !important}.d-sm-table{display:table !important}.d-sm-table-row{display:table-row !important}.d-sm-table-cell{display:table-cell !important}.d-sm-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-sm-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media (min-width: 768px){.d-md-none{display:none !important}.d-md-inline{display:inline !important}.d-md-inline-block{display:inline-block !important}.d-md-block{display:block !important}.d-md-table{display:table !important}.d-md-table-row{display:table-row !important}.d-md-table-cell{display:table-cell !important}.d-md-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-md-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media (min-width: 992px){.d-lg-none{display:none !important}.d-lg-inline{display:inline !important}.d-lg-inline-block{display:inline-block !important}.d-lg-block{display:block !important}.d-lg-table{display:table !important}.d-lg-table-row{display:table-row !important}.d-lg-table-cell{display:table-cell !important}.d-lg-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-lg-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media (min-width: 1200px){.d-xl-none{display:none !important}.d-xl-inline{display:inline !important}.d-xl-inline-block{display:inline-block !important}.d-xl-block{display:block !important}.d-xl-table{display:table !important}.d-xl-table-row{display:table-row !important}.d-xl-table-cell{display:table-cell !important}.d-xl-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-xl-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media print{.d-print-none{display:none !important}.d-print-inline{display:inline !important}.d-print-inline-block{display:inline-block !important}.d-print-block{display:block !important}.d-print-table{display:table !important}.d-print-table-row{display:table-row !important}.d-print-table-cell{display:table-cell !important}.d-print-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-print-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}.embed-responsive{position:relative;display:block;width:100%;padding:0;overflow:hidden}.embed-responsive::before{display:block;content:""}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object,.embed-responsive video{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive-21by9::before{padding-top:42.8571428571%}.embed-responsive-16by9::before{padding-top:56.25%}.embed-responsive-4by3::before{padding-top:75%}.embed-responsive-1by1::before{padding-top:100%}.flex-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}@media (min-width: 576px){.flex-sm-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-sm-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-sm-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-sm-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-sm-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-sm-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-sm-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-sm-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-sm-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-sm-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-sm-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-sm-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-sm-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-sm-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-sm-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-sm-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-sm-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-sm-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-sm-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-sm-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-sm-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-sm-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-sm-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-sm-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-sm-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-sm-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-sm-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-sm-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-sm-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-sm-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-sm-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-sm-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-sm-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-sm-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}@media (min-width: 768px){.flex-md-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-md-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-md-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-md-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-md-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-md-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-md-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-md-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-md-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-md-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-md-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-md-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-md-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-md-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-md-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-md-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-md-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-md-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-md-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-md-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-md-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-md-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-md-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-md-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-md-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-md-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-md-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-md-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-md-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-md-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-md-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-md-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-md-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-md-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}@media (min-width: 992px){.flex-lg-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-lg-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-lg-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-lg-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-lg-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-lg-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-lg-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-lg-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-lg-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-lg-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-lg-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-lg-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-lg-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-lg-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-lg-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-lg-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-lg-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-lg-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-lg-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-lg-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-lg-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-lg-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-lg-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-lg-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-lg-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-lg-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-lg-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-lg-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-lg-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-lg-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-lg-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-lg-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-lg-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-lg-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}@media (min-width: 1200px){.flex-xl-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-xl-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-xl-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-xl-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-xl-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-xl-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-xl-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-xl-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-xl-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-xl-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-xl-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-xl-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-xl-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-xl-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-xl-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-xl-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-xl-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-xl-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-xl-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-xl-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-xl-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-xl-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-xl-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-xl-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-xl-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-xl-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-xl-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-xl-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-xl-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-xl-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-xl-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-xl-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-xl-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-xl-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}.float-left{float:left !important}.float-right{float:right !important}.float-none{float:none !important}@media (min-width: 576px){.float-sm-left{float:left !important}.float-sm-right{float:right !important}.float-sm-none{float:none !important}}@media (min-width: 768px){.float-md-left{float:left !important}.float-md-right{float:right !important}.float-md-none{float:none !important}}@media (min-width: 992px){.float-lg-left{float:left !important}.float-lg-right{float:right !important}.float-lg-none{float:none !important}}@media (min-width: 1200px){.float-xl-left{float:left !important}.float-xl-right{float:right !important}.float-xl-none{float:none !important}}.overflow-auto{overflow:auto !important}.overflow-hidden{overflow:hidden !important}.position-static{position:static !important}.position-relative{position:relative !important}.position-absolute{position:absolute !important}.position-fixed{position:fixed !important}.position-sticky{position:-webkit-sticky !important;position:sticky !important}.fixed-top{position:fixed;top:0;right:0;left:0;z-index:1030}.fixed-bottom{position:fixed;right:0;bottom:0;left:0;z-index:1030}@supports (position: -webkit-sticky) or (position: sticky){.sticky-top{position:-webkit-sticky;position:sticky;top:0;z-index:1020}}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0, 0, 0, 0);white-space:nowrap;border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;overflow:visible;clip:auto;white-space:normal}.shadow-sm{-webkit-box-shadow:0 0.125rem 0.25rem rgba(0,0,0,0.075) !important;box-shadow:0 0.125rem 0.25rem rgba(0,0,0,0.075) !important}.shadow{-webkit-box-shadow:0 0.5rem 1rem rgba(0,0,0,0.15) !important;box-shadow:0 0.5rem 1rem rgba(0,0,0,0.15) !important}.shadow-lg{-webkit-box-shadow:0 1rem 3rem rgba(0,0,0,0.175) !important;box-shadow:0 1rem 3rem rgba(0,0,0,0.175) !important}.shadow-none{-webkit-box-shadow:none !important;box-shadow:none !important}.w-25{width:25% !important}.w-50{width:50% !important}.w-75{width:75% !important}.w-100{width:100% !important}.w-auto{width:auto !important}.h-25{height:25% !important}.h-50{height:50% !important}.h-75{height:75% !important}.h-100{height:100% !important}.h-auto{height:auto !important}.mw-100{max-width:100% !important}.mh-100{max-height:100% !important}.min-vw-100{min-width:100vw !important}.min-vh-100{min-height:100vh !important}.vw-100{width:100vw !important}.vh-100{height:100vh !important}.stretched-link::after{position:absolute;top:0;right:0;bottom:0;left:0;z-index:1;pointer-events:auto;content:"";background-color:rgba(0,0,0,0)}.m-0{margin:0 !important}.mt-0,.my-0{margin-top:0 !important}.mr-0,.mx-0{margin-right:0 !important}.mb-0,.my-0{margin-bottom:0 !important}.ml-0,.mx-0{margin-left:0 !important}.m-1{margin:0.25rem !important}.mt-1,.my-1{margin-top:0.25rem !important}.mr-1,.mx-1{margin-right:0.25rem !important}.mb-1,.my-1{margin-bottom:0.25rem !important}.ml-1,.mx-1{margin-left:0.25rem !important}.m-2{margin:0.5rem !important}.mt-2,.my-2{margin-top:0.5rem !important}.mr-2,.mx-2{margin-right:0.5rem !important}.mb-2,.my-2{margin-bottom:0.5rem !important}.ml-2,.mx-2{margin-left:0.5rem !important}.m-3{margin:1rem !important}.mt-3,.my-3{margin-top:1rem !important}.mr-3,.mx-3{margin-right:1rem !important}.mb-3,.my-3{margin-bottom:1rem !important}.ml-3,.mx-3{margin-left:1rem !important}.m-4{margin:1.5rem !important}.mt-4,.my-4{margin-top:1.5rem !important}.mr-4,.mx-4{margin-right:1.5rem !important}.mb-4,.my-4{margin-bottom:1.5rem !important}.ml-4,.mx-4{margin-left:1.5rem !important}.m-5{margin:3rem !important}.mt-5,.my-5{margin-top:3rem !important}.mr-5,.mx-5{margin-right:3rem !important}.mb-5,.my-5{margin-bottom:3rem !important}.ml-5,.mx-5{margin-left:3rem !important}.p-0{padding:0 !important}.pt-0,.py-0{padding-top:0 !important}.pr-0,.px-0{padding-right:0 !important}.pb-0,.py-0{padding-bottom:0 !important}.pl-0,.px-0{padding-left:0 !important}.p-1{padding:0.25rem !important}.pt-1,.py-1{padding-top:0.25rem !important}.pr-1,.px-1{padding-right:0.25rem !important}.pb-1,.py-1{padding-bottom:0.25rem !important}.pl-1,.px-1{padding-left:0.25rem !important}.p-2{padding:0.5rem !important}.pt-2,.py-2{padding-top:0.5rem !important}.pr-2,.px-2{padding-right:0.5rem !important}.pb-2,.py-2{padding-bottom:0.5rem !important}.pl-2,.px-2{padding-left:0.5rem !important}.p-3{padding:1rem !important}.pt-3,.py-3{padding-top:1rem !important}.pr-3,.px-3{padding-right:1rem !important}.pb-3,.py-3{padding-bottom:1rem !important}.pl-3,.px-3{padding-left:1rem !important}.p-4{padding:1.5rem !important}.pt-4,.py-4{padding-top:1.5rem !important}.pr-4,.px-4{padding-right:1.5rem !important}.pb-4,.py-4{padding-bottom:1.5rem !important}.pl-4,.px-4{padding-left:1.5rem !important}.p-5{padding:3rem !important}.pt-5,.py-5{padding-top:3rem !important}.pr-5,.px-5{padding-right:3rem !important}.pb-5,.py-5{padding-bottom:3rem !important}.pl-5,.px-5{padding-left:3rem !important}.m-n1{margin:-0.25rem !important}.mt-n1,.my-n1{margin-top:-0.25rem !important}.mr-n1,.mx-n1{margin-right:-0.25rem !important}.mb-n1,.my-n1{margin-bottom:-0.25rem !important}.ml-n1,.mx-n1{margin-left:-0.25rem !important}.m-n2{margin:-0.5rem !important}.mt-n2,.my-n2{margin-top:-0.5rem !important}.mr-n2,.mx-n2{margin-right:-0.5rem !important}.mb-n2,.my-n2{margin-bottom:-0.5rem !important}.ml-n2,.mx-n2{margin-left:-0.5rem !important}.m-n3{margin:-1rem !important}.mt-n3,.my-n3{margin-top:-1rem !important}.mr-n3,.mx-n3{margin-right:-1rem !important}.mb-n3,.my-n3{margin-bottom:-1rem !important}.ml-n3,.mx-n3{margin-left:-1rem !important}.m-n4{margin:-1.5rem !important}.mt-n4,.my-n4{margin-top:-1.5rem !important}.mr-n4,.mx-n4{margin-right:-1.5rem !important}.mb-n4,.my-n4{margin-bottom:-1.5rem !important}.ml-n4,.mx-n4{margin-left:-1.5rem !important}.m-n5{margin:-3rem !important}.mt-n5,.my-n5{margin-top:-3rem !important}.mr-n5,.mx-n5{margin-right:-3rem !important}.mb-n5,.my-n5{margin-bottom:-3rem !important}.ml-n5,.mx-n5{margin-left:-3rem !important}.m-auto{margin:auto !important}.mt-auto,.my-auto{margin-top:auto !important}.mr-auto,.mx-auto{margin-right:auto !important}.mb-auto,.my-auto{margin-bottom:auto !important}.ml-auto,.mx-auto{margin-left:auto !important}@media (min-width: 576px){.m-sm-0{margin:0 !important}.mt-sm-0,.my-sm-0{margin-top:0 !important}.mr-sm-0,.mx-sm-0{margin-right:0 !important}.mb-sm-0,.my-sm-0{margin-bottom:0 !important}.ml-sm-0,.mx-sm-0{margin-left:0 !important}.m-sm-1{margin:0.25rem !important}.mt-sm-1,.my-sm-1{margin-top:0.25rem !important}.mr-sm-1,.mx-sm-1{margin-right:0.25rem !important}.mb-sm-1,.my-sm-1{margin-bottom:0.25rem !important}.ml-sm-1,.mx-sm-1{margin-left:0.25rem !important}.m-sm-2{margin:0.5rem !important}.mt-sm-2,.my-sm-2{margin-top:0.5rem !important}.mr-sm-2,.mx-sm-2{margin-right:0.5rem !important}.mb-sm-2,.my-sm-2{margin-bottom:0.5rem !important}.ml-sm-2,.mx-sm-2{margin-left:0.5rem !important}.m-sm-3{margin:1rem !important}.mt-sm-3,.my-sm-3{margin-top:1rem !important}.mr-sm-3,.mx-sm-3{margin-right:1rem !important}.mb-sm-3,.my-sm-3{margin-bottom:1rem !important}.ml-sm-3,.mx-sm-3{margin-left:1rem !important}.m-sm-4{margin:1.5rem !important}.mt-sm-4,.my-sm-4{margin-top:1.5rem !important}.mr-sm-4,.mx-sm-4{margin-right:1.5rem !important}.mb-sm-4,.my-sm-4{margin-bottom:1.5rem !important}.ml-sm-4,.mx-sm-4{margin-left:1.5rem !important}.m-sm-5{margin:3rem !important}.mt-sm-5,.my-sm-5{margin-top:3rem !important}.mr-sm-5,.mx-sm-5{margin-right:3rem !important}.mb-sm-5,.my-sm-5{margin-bottom:3rem !important}.ml-sm-5,.mx-sm-5{margin-left:3rem !important}.p-sm-0{padding:0 !important}.pt-sm-0,.py-sm-0{padding-top:0 !important}.pr-sm-0,.px-sm-0{padding-right:0 !important}.pb-sm-0,.py-sm-0{padding-bottom:0 !important}.pl-sm-0,.px-sm-0{padding-left:0 !important}.p-sm-1{padding:0.25rem !important}.pt-sm-1,.py-sm-1{padding-top:0.25rem !important}.pr-sm-1,.px-sm-1{padding-right:0.25rem !important}.pb-sm-1,.py-sm-1{padding-bottom:0.25rem !important}.pl-sm-1,.px-sm-1{padding-left:0.25rem !important}.p-sm-2{padding:0.5rem !important}.pt-sm-2,.py-sm-2{padding-top:0.5rem !important}.pr-sm-2,.px-sm-2{padding-right:0.5rem !important}.pb-sm-2,.py-sm-2{padding-bottom:0.5rem !important}.pl-sm-2,.px-sm-2{padding-left:0.5rem !important}.p-sm-3{padding:1rem !important}.pt-sm-3,.py-sm-3{padding-top:1rem !important}.pr-sm-3,.px-sm-3{padding-right:1rem !important}.pb-sm-3,.py-sm-3{padding-bottom:1rem !important}.pl-sm-3,.px-sm-3{padding-left:1rem !important}.p-sm-4{padding:1.5rem !important}.pt-sm-4,.py-sm-4{padding-top:1.5rem !important}.pr-sm-4,.px-sm-4{padding-right:1.5rem !important}.pb-sm-4,.py-sm-4{padding-bottom:1.5rem !important}.pl-sm-4,.px-sm-4{padding-left:1.5rem !important}.p-sm-5{padding:3rem !important}.pt-sm-5,.py-sm-5{padding-top:3rem !important}.pr-sm-5,.px-sm-5{padding-right:3rem !important}.pb-sm-5,.py-sm-5{padding-bottom:3rem !important}.pl-sm-5,.px-sm-5{padding-left:3rem !important}.m-sm-n1{margin:-0.25rem !important}.mt-sm-n1,.my-sm-n1{margin-top:-0.25rem !important}.mr-sm-n1,.mx-sm-n1{margin-right:-0.25rem !important}.mb-sm-n1,.my-sm-n1{margin-bottom:-0.25rem !important}.ml-sm-n1,.mx-sm-n1{margin-left:-0.25rem !important}.m-sm-n2{margin:-0.5rem !important}.mt-sm-n2,.my-sm-n2{margin-top:-0.5rem !important}.mr-sm-n2,.mx-sm-n2{margin-right:-0.5rem !important}.mb-sm-n2,.my-sm-n2{margin-bottom:-0.5rem !important}.ml-sm-n2,.mx-sm-n2{margin-left:-0.5rem !important}.m-sm-n3{margin:-1rem !important}.mt-sm-n3,.my-sm-n3{margin-top:-1rem !important}.mr-sm-n3,.mx-sm-n3{margin-right:-1rem !important}.mb-sm-n3,.my-sm-n3{margin-bottom:-1rem !important}.ml-sm-n3,.mx-sm-n3{margin-left:-1rem !important}.m-sm-n4{margin:-1.5rem !important}.mt-sm-n4,.my-sm-n4{margin-top:-1.5rem !important}.mr-sm-n4,.mx-sm-n4{margin-right:-1.5rem !important}.mb-sm-n4,.my-sm-n4{margin-bottom:-1.5rem !important}.ml-sm-n4,.mx-sm-n4{margin-left:-1.5rem !important}.m-sm-n5{margin:-3rem !important}.mt-sm-n5,.my-sm-n5{margin-top:-3rem !important}.mr-sm-n5,.mx-sm-n5{margin-right:-3rem !important}.mb-sm-n5,.my-sm-n5{margin-bottom:-3rem !important}.ml-sm-n5,.mx-sm-n5{margin-left:-3rem !important}.m-sm-auto{margin:auto !important}.mt-sm-auto,.my-sm-auto{margin-top:auto !important}.mr-sm-auto,.mx-sm-auto{margin-right:auto !important}.mb-sm-auto,.my-sm-auto{margin-bottom:auto !important}.ml-sm-auto,.mx-sm-auto{margin-left:auto !important}}@media (min-width: 768px){.m-md-0{margin:0 !important}.mt-md-0,.my-md-0{margin-top:0 !important}.mr-md-0,.mx-md-0{margin-right:0 !important}.mb-md-0,.my-md-0{margin-bottom:0 !important}.ml-md-0,.mx-md-0{margin-left:0 !important}.m-md-1{margin:0.25rem !important}.mt-md-1,.my-md-1{margin-top:0.25rem !important}.mr-md-1,.mx-md-1{margin-right:0.25rem !important}.mb-md-1,.my-md-1{margin-bottom:0.25rem !important}.ml-md-1,.mx-md-1{margin-left:0.25rem !important}.m-md-2{margin:0.5rem !important}.mt-md-2,.my-md-2{margin-top:0.5rem !important}.mr-md-2,.mx-md-2{margin-right:0.5rem !important}.mb-md-2,.my-md-2{margin-bottom:0.5rem !important}.ml-md-2,.mx-md-2{margin-left:0.5rem !important}.m-md-3{margin:1rem !important}.mt-md-3,.my-md-3{margin-top:1rem !important}.mr-md-3,.mx-md-3{margin-right:1rem !important}.mb-md-3,.my-md-3{margin-bottom:1rem !important}.ml-md-3,.mx-md-3{margin-left:1rem !important}.m-md-4{margin:1.5rem !important}.mt-md-4,.my-md-4{margin-top:1.5rem !important}.mr-md-4,.mx-md-4{margin-right:1.5rem !important}.mb-md-4,.my-md-4{margin-bottom:1.5rem !important}.ml-md-4,.mx-md-4{margin-left:1.5rem !important}.m-md-5{margin:3rem !important}.mt-md-5,.my-md-5{margin-top:3rem !important}.mr-md-5,.mx-md-5{margin-right:3rem !important}.mb-md-5,.my-md-5{margin-bottom:3rem !important}.ml-md-5,.mx-md-5{margin-left:3rem !important}.p-md-0{padding:0 !important}.pt-md-0,.py-md-0{padding-top:0 !important}.pr-md-0,.px-md-0{padding-right:0 !important}.pb-md-0,.py-md-0{padding-bottom:0 !important}.pl-md-0,.px-md-0{padding-left:0 !important}.p-md-1{padding:0.25rem !important}.pt-md-1,.py-md-1{padding-top:0.25rem !important}.pr-md-1,.px-md-1{padding-right:0.25rem !important}.pb-md-1,.py-md-1{padding-bottom:0.25rem !important}.pl-md-1,.px-md-1{padding-left:0.25rem !important}.p-md-2{padding:0.5rem !important}.pt-md-2,.py-md-2{padding-top:0.5rem !important}.pr-md-2,.px-md-2{padding-right:0.5rem !important}.pb-md-2,.py-md-2{padding-bottom:0.5rem !important}.pl-md-2,.px-md-2{padding-left:0.5rem !important}.p-md-3{padding:1rem !important}.pt-md-3,.py-md-3{padding-top:1rem !important}.pr-md-3,.px-md-3{padding-right:1rem !important}.pb-md-3,.py-md-3{padding-bottom:1rem !important}.pl-md-3,.px-md-3{padding-left:1rem !important}.p-md-4{padding:1.5rem !important}.pt-md-4,.py-md-4{padding-top:1.5rem !important}.pr-md-4,.px-md-4{padding-right:1.5rem !important}.pb-md-4,.py-md-4{padding-bottom:1.5rem !important}.pl-md-4,.px-md-4{padding-left:1.5rem !important}.p-md-5{padding:3rem !important}.pt-md-5,.py-md-5{padding-top:3rem !important}.pr-md-5,.px-md-5{padding-right:3rem !important}.pb-md-5,.py-md-5{padding-bottom:3rem !important}.pl-md-5,.px-md-5{padding-left:3rem !important}.m-md-n1{margin:-0.25rem !important}.mt-md-n1,.my-md-n1{margin-top:-0.25rem !important}.mr-md-n1,.mx-md-n1{margin-right:-0.25rem !important}.mb-md-n1,.my-md-n1{margin-bottom:-0.25rem !important}.ml-md-n1,.mx-md-n1{margin-left:-0.25rem !important}.m-md-n2{margin:-0.5rem !important}.mt-md-n2,.my-md-n2{margin-top:-0.5rem !important}.mr-md-n2,.mx-md-n2{margin-right:-0.5rem !important}.mb-md-n2,.my-md-n2{margin-bottom:-0.5rem !important}.ml-md-n2,.mx-md-n2{margin-left:-0.5rem !important}.m-md-n3{margin:-1rem !important}.mt-md-n3,.my-md-n3{margin-top:-1rem !important}.mr-md-n3,.mx-md-n3{margin-right:-1rem !important}.mb-md-n3,.my-md-n3{margin-bottom:-1rem !important}.ml-md-n3,.mx-md-n3{margin-left:-1rem !important}.m-md-n4{margin:-1.5rem !important}.mt-md-n4,.my-md-n4{margin-top:-1.5rem !important}.mr-md-n4,.mx-md-n4{margin-right:-1.5rem !important}.mb-md-n4,.my-md-n4{margin-bottom:-1.5rem !important}.ml-md-n4,.mx-md-n4{margin-left:-1.5rem !important}.m-md-n5{margin:-3rem !important}.mt-md-n5,.my-md-n5{margin-top:-3rem !important}.mr-md-n5,.mx-md-n5{margin-right:-3rem !important}.mb-md-n5,.my-md-n5{margin-bottom:-3rem !important}.ml-md-n5,.mx-md-n5{margin-left:-3rem !important}.m-md-auto{margin:auto !important}.mt-md-auto,.my-md-auto{margin-top:auto !important}.mr-md-auto,.mx-md-auto{margin-right:auto !important}.mb-md-auto,.my-md-auto{margin-bottom:auto !important}.ml-md-auto,.mx-md-auto{margin-left:auto !important}}@media (min-width: 992px){.m-lg-0{margin:0 !important}.mt-lg-0,.my-lg-0{margin-top:0 !important}.mr-lg-0,.mx-lg-0{margin-right:0 !important}.mb-lg-0,.my-lg-0{margin-bottom:0 !important}.ml-lg-0,.mx-lg-0{margin-left:0 !important}.m-lg-1{margin:0.25rem !important}.mt-lg-1,.my-lg-1{margin-top:0.25rem !important}.mr-lg-1,.mx-lg-1{margin-right:0.25rem !important}.mb-lg-1,.my-lg-1{margin-bottom:0.25rem !important}.ml-lg-1,.mx-lg-1{margin-left:0.25rem !important}.m-lg-2{margin:0.5rem !important}.mt-lg-2,.my-lg-2{margin-top:0.5rem !important}.mr-lg-2,.mx-lg-2{margin-right:0.5rem !important}.mb-lg-2,.my-lg-2{margin-bottom:0.5rem !important}.ml-lg-2,.mx-lg-2{margin-left:0.5rem !important}.m-lg-3{margin:1rem !important}.mt-lg-3,.my-lg-3{margin-top:1rem !important}.mr-lg-3,.mx-lg-3{margin-right:1rem !important}.mb-lg-3,.my-lg-3{margin-bottom:1rem !important}.ml-lg-3,.mx-lg-3{margin-left:1rem !important}.m-lg-4{margin:1.5rem !important}.mt-lg-4,.my-lg-4{margin-top:1.5rem !important}.mr-lg-4,.mx-lg-4{margin-right:1.5rem !important}.mb-lg-4,.my-lg-4{margin-bottom:1.5rem !important}.ml-lg-4,.mx-lg-4{margin-left:1.5rem !important}.m-lg-5{margin:3rem !important}.mt-lg-5,.my-lg-5{margin-top:3rem !important}.mr-lg-5,.mx-lg-5{margin-right:3rem !important}.mb-lg-5,.my-lg-5{margin-bottom:3rem !important}.ml-lg-5,.mx-lg-5{margin-left:3rem !important}.p-lg-0{padding:0 !important}.pt-lg-0,.py-lg-0{padding-top:0 !important}.pr-lg-0,.px-lg-0{padding-right:0 !important}.pb-lg-0,.py-lg-0{padding-bottom:0 !important}.pl-lg-0,.px-lg-0{padding-left:0 !important}.p-lg-1{padding:0.25rem !important}.pt-lg-1,.py-lg-1{padding-top:0.25rem !important}.pr-lg-1,.px-lg-1{padding-right:0.25rem !important}.pb-lg-1,.py-lg-1{padding-bottom:0.25rem !important}.pl-lg-1,.px-lg-1{padding-left:0.25rem !important}.p-lg-2{padding:0.5rem !important}.pt-lg-2,.py-lg-2{padding-top:0.5rem !important}.pr-lg-2,.px-lg-2{padding-right:0.5rem !important}.pb-lg-2,.py-lg-2{padding-bottom:0.5rem !important}.pl-lg-2,.px-lg-2{padding-left:0.5rem !important}.p-lg-3{padding:1rem !important}.pt-lg-3,.py-lg-3{padding-top:1rem !important}.pr-lg-3,.px-lg-3{padding-right:1rem !important}.pb-lg-3,.py-lg-3{padding-bottom:1rem !important}.pl-lg-3,.px-lg-3{padding-left:1rem !important}.p-lg-4{padding:1.5rem !important}.pt-lg-4,.py-lg-4{padding-top:1.5rem !important}.pr-lg-4,.px-lg-4{padding-right:1.5rem !important}.pb-lg-4,.py-lg-4{padding-bottom:1.5rem !important}.pl-lg-4,.px-lg-4{padding-left:1.5rem !important}.p-lg-5{padding:3rem !important}.pt-lg-5,.py-lg-5{padding-top:3rem !important}.pr-lg-5,.px-lg-5{padding-right:3rem !important}.pb-lg-5,.py-lg-5{padding-bottom:3rem !important}.pl-lg-5,.px-lg-5{padding-left:3rem !important}.m-lg-n1{margin:-0.25rem !important}.mt-lg-n1,.my-lg-n1{margin-top:-0.25rem !important}.mr-lg-n1,.mx-lg-n1{margin-right:-0.25rem !important}.mb-lg-n1,.my-lg-n1{margin-bottom:-0.25rem !important}.ml-lg-n1,.mx-lg-n1{margin-left:-0.25rem !important}.m-lg-n2{margin:-0.5rem !important}.mt-lg-n2,.my-lg-n2{margin-top:-0.5rem !important}.mr-lg-n2,.mx-lg-n2{margin-right:-0.5rem !important}.mb-lg-n2,.my-lg-n2{margin-bottom:-0.5rem !important}.ml-lg-n2,.mx-lg-n2{margin-left:-0.5rem !important}.m-lg-n3{margin:-1rem !important}.mt-lg-n3,.my-lg-n3{margin-top:-1rem !important}.mr-lg-n3,.mx-lg-n3{margin-right:-1rem !important}.mb-lg-n3,.my-lg-n3{margin-bottom:-1rem !important}.ml-lg-n3,.mx-lg-n3{margin-left:-1rem !important}.m-lg-n4{margin:-1.5rem !important}.mt-lg-n4,.my-lg-n4{margin-top:-1.5rem !important}.mr-lg-n4,.mx-lg-n4{margin-right:-1.5rem !important}.mb-lg-n4,.my-lg-n4{margin-bottom:-1.5rem !important}.ml-lg-n4,.mx-lg-n4{margin-left:-1.5rem !important}.m-lg-n5{margin:-3rem !important}.mt-lg-n5,.my-lg-n5{margin-top:-3rem !important}.mr-lg-n5,.mx-lg-n5{margin-right:-3rem !important}.mb-lg-n5,.my-lg-n5{margin-bottom:-3rem !important}.ml-lg-n5,.mx-lg-n5{margin-left:-3rem !important}.m-lg-auto{margin:auto !important}.mt-lg-auto,.my-lg-auto{margin-top:auto !important}.mr-lg-auto,.mx-lg-auto{margin-right:auto !important}.mb-lg-auto,.my-lg-auto{margin-bottom:auto !important}.ml-lg-auto,.mx-lg-auto{margin-left:auto !important}}@media (min-width: 1200px){.m-xl-0{margin:0 !important}.mt-xl-0,.my-xl-0{margin-top:0 !important}.mr-xl-0,.mx-xl-0{margin-right:0 !important}.mb-xl-0,.my-xl-0{margin-bottom:0 !important}.ml-xl-0,.mx-xl-0{margin-left:0 !important}.m-xl-1{margin:0.25rem !important}.mt-xl-1,.my-xl-1{margin-top:0.25rem !important}.mr-xl-1,.mx-xl-1{margin-right:0.25rem !important}.mb-xl-1,.my-xl-1{margin-bottom:0.25rem !important}.ml-xl-1,.mx-xl-1{margin-left:0.25rem !important}.m-xl-2{margin:0.5rem !important}.mt-xl-2,.my-xl-2{margin-top:0.5rem !important}.mr-xl-2,.mx-xl-2{margin-right:0.5rem !important}.mb-xl-2,.my-xl-2{margin-bottom:0.5rem !important}.ml-xl-2,.mx-xl-2{margin-left:0.5rem !important}.m-xl-3{margin:1rem !important}.mt-xl-3,.my-xl-3{margin-top:1rem !important}.mr-xl-3,.mx-xl-3{margin-right:1rem !important}.mb-xl-3,.my-xl-3{margin-bottom:1rem !important}.ml-xl-3,.mx-xl-3{margin-left:1rem !important}.m-xl-4{margin:1.5rem !important}.mt-xl-4,.my-xl-4{margin-top:1.5rem !important}.mr-xl-4,.mx-xl-4{margin-right:1.5rem !important}.mb-xl-4,.my-xl-4{margin-bottom:1.5rem !important}.ml-xl-4,.mx-xl-4{margin-left:1.5rem !important}.m-xl-5{margin:3rem !important}.mt-xl-5,.my-xl-5{margin-top:3rem !important}.mr-xl-5,.mx-xl-5{margin-right:3rem !important}.mb-xl-5,.my-xl-5{margin-bottom:3rem !important}.ml-xl-5,.mx-xl-5{margin-left:3rem !important}.p-xl-0{padding:0 !important}.pt-xl-0,.py-xl-0{padding-top:0 !important}.pr-xl-0,.px-xl-0{padding-right:0 !important}.pb-xl-0,.py-xl-0{padding-bottom:0 !important}.pl-xl-0,.px-xl-0{padding-left:0 !important}.p-xl-1{padding:0.25rem !important}.pt-xl-1,.py-xl-1{padding-top:0.25rem !important}.pr-xl-1,.px-xl-1{padding-right:0.25rem !important}.pb-xl-1,.py-xl-1{padding-bottom:0.25rem !important}.pl-xl-1,.px-xl-1{padding-left:0.25rem !important}.p-xl-2{padding:0.5rem !important}.pt-xl-2,.py-xl-2{padding-top:0.5rem !important}.pr-xl-2,.px-xl-2{padding-right:0.5rem !important}.pb-xl-2,.py-xl-2{padding-bottom:0.5rem !important}.pl-xl-2,.px-xl-2{padding-left:0.5rem !important}.p-xl-3{padding:1rem !important}.pt-xl-3,.py-xl-3{padding-top:1rem !important}.pr-xl-3,.px-xl-3{padding-right:1rem !important}.pb-xl-3,.py-xl-3{padding-bottom:1rem !important}.pl-xl-3,.px-xl-3{padding-left:1rem !important}.p-xl-4{padding:1.5rem !important}.pt-xl-4,.py-xl-4{padding-top:1.5rem !important}.pr-xl-4,.px-xl-4{padding-right:1.5rem !important}.pb-xl-4,.py-xl-4{padding-bottom:1.5rem !important}.pl-xl-4,.px-xl-4{padding-left:1.5rem !important}.p-xl-5{padding:3rem !important}.pt-xl-5,.py-xl-5{padding-top:3rem !important}.pr-xl-5,.px-xl-5{padding-right:3rem !important}.pb-xl-5,.py-xl-5{padding-bottom:3rem !important}.pl-xl-5,.px-xl-5{padding-left:3rem !important}.m-xl-n1{margin:-0.25rem !important}.mt-xl-n1,.my-xl-n1{margin-top:-0.25rem !important}.mr-xl-n1,.mx-xl-n1{margin-right:-0.25rem !important}.mb-xl-n1,.my-xl-n1{margin-bottom:-0.25rem !important}.ml-xl-n1,.mx-xl-n1{margin-left:-0.25rem !important}.m-xl-n2{margin:-0.5rem !important}.mt-xl-n2,.my-xl-n2{margin-top:-0.5rem !important}.mr-xl-n2,.mx-xl-n2{margin-right:-0.5rem !important}.mb-xl-n2,.my-xl-n2{margin-bottom:-0.5rem !important}.ml-xl-n2,.mx-xl-n2{margin-left:-0.5rem !important}.m-xl-n3{margin:-1rem !important}.mt-xl-n3,.my-xl-n3{margin-top:-1rem !important}.mr-xl-n3,.mx-xl-n3{margin-right:-1rem !important}.mb-xl-n3,.my-xl-n3{margin-bottom:-1rem !important}.ml-xl-n3,.mx-xl-n3{margin-left:-1rem !important}.m-xl-n4{margin:-1.5rem !important}.mt-xl-n4,.my-xl-n4{margin-top:-1.5rem !important}.mr-xl-n4,.mx-xl-n4{margin-right:-1.5rem !important}.mb-xl-n4,.my-xl-n4{margin-bottom:-1.5rem !important}.ml-xl-n4,.mx-xl-n4{margin-left:-1.5rem !important}.m-xl-n5{margin:-3rem !important}.mt-xl-n5,.my-xl-n5{margin-top:-3rem !important}.mr-xl-n5,.mx-xl-n5{margin-right:-3rem !important}.mb-xl-n5,.my-xl-n5{margin-bottom:-3rem !important}.ml-xl-n5,.mx-xl-n5{margin-left:-3rem !important}.m-xl-auto{margin:auto !important}.mt-xl-auto,.my-xl-auto{margin-top:auto !important}.mr-xl-auto,.mx-xl-auto{margin-right:auto !important}.mb-xl-auto,.my-xl-auto{margin-bottom:auto !important}.ml-xl-auto,.mx-xl-auto{margin-left:auto !important}}.text-monospace{font-family:SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace !important}.text-justify{text-align:justify !important}.text-wrap{white-space:normal !important}.text-nowrap{white-space:nowrap !important}.text-truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text-left{text-align:left !important}.text-right{text-align:right !important}.text-center{text-align:center !important}@media (min-width: 576px){.text-sm-left{text-align:left !important}.text-sm-right{text-align:right !important}.text-sm-center{text-align:center !important}}@media (min-width: 768px){.text-md-left{text-align:left !important}.text-md-right{text-align:right !important}.text-md-center{text-align:center !important}}@media (min-width: 992px){.text-lg-left{text-align:left !important}.text-lg-right{text-align:right !important}.text-lg-center{text-align:center !important}}@media (min-width: 1200px){.text-xl-left{text-align:left !important}.text-xl-right{text-align:right !important}.text-xl-center{text-align:center !important}}.text-lowercase{text-transform:lowercase !important}.text-uppercase{text-transform:uppercase !important}.text-capitalize{text-transform:capitalize !important}.font-weight-light{font-weight:300 !important}.font-weight-lighter{font-weight:lighter !important}.font-weight-normal{font-weight:400 !important}.font-weight-bold{font-weight:700 !important}.font-weight-bolder{font-weight:bolder !important}.font-italic{font-style:italic !important}.text-white{color:#fff !important}.text-primary{color:#3A3F44 !important}a.text-primary:hover,a.text-primary:focus{color:#17191b !important}.text-secondary{color:#7A8288 !important}a.text-secondary:hover,a.text-secondary:focus{color:#565b60 !important}.text-success{color:#62c462 !important}a.text-success:hover,a.text-success:focus{color:#3b9e3b !important}.text-info{color:#5bc0de !important}a.text-info:hover,a.text-info:focus{color:#28a1c5 !important}.text-warning{color:#f89406 !important}a.text-warning:hover,a.text-warning:focus{color:#ad6704 !important}.text-danger{color:#ee5f5b !important}a.text-danger:hover,a.text-danger:focus{color:#e51d18 !important}.text-light{color:#e9ecef !important}a.text-light:hover,a.text-light:focus{color:#bdc6cf !important}.text-dark{color:#272B30 !important}a.text-dark:hover,a.text-dark:focus{color:#050506 !important}.text-body{color:#aaa !important}.text-muted{color:#7A8288 !important}.text-black-50{color:rgba(0,0,0,0.5) !important}.text-white-50{color:rgba(255,255,255,0.5) !important}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.text-decoration-none{text-decoration:none !important}.text-break{word-break:break-word !important;overflow-wrap:break-word !important}.text-reset{color:inherit !important}.visible{visibility:visible !important}.invisible{visibility:hidden !important}@media print{*,*::before,*::after{text-shadow:none !important;-webkit-box-shadow:none !important;box-shadow:none !important}a:not(.btn){text-decoration:underline}abbr[title]::after{content:" (" attr(title) ")"}pre{white-space:pre-wrap !important}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}@page{size:a3}body{min-width:992px !important}.container{min-width:992px !important}.navbar{display:none}.badge{border:1px solid #000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #dee2e6 !important}.table-dark{color:inherit}.table-dark th,.table-dark td,.table-dark thead th,.table-dark tbody+tbody{border-color:rgba(0,0,0,0.6)}.table .thead-dark th{color:inherit;border-color:rgba(0,0,0,0.6)}}.navbar{border:1px solid rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3)}.navbar .container{padding:0}.navbar .navbar-toggler{border-color:rgba(0,0,0,0.6)}.navbar-fixed-top{border-width:0 0 1px 0}.navbar-fixed-bottom{border-width:1px 0 0 0}.navbar .nav-link{padding:1rem;border-left:1px solid rgba(255,255,255,0.1);border-right:1px solid rgba(0,0,0,0.2)}.navbar .nav-link:hover,.navbar .nav-link:focus{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border-left:1px solid rgba(0,0,0,0.2)}.navbar-brand{padding:0.75rem 1rem calc(54px - 0.75rem - 30px);margin-right:0;border-right:1px solid rgba(0,0,0,0.2)}.navbar .nav-item.active .nav-link{background-color:rgba(0,0,0,0.3);border-left:1px solid rgba(0,0,0,0.2)}.navbar-nav .nav-item+.nav-item{margin-left:0}.navbar.bg-light{text-shadow:1px 1px 1px rgba(0,0,0,0.1)}.navbar.bg-light .nav-link:hover,.navbar.bg-light .nav-link:focus{background-image:-webkit-gradient(linear, left top, left bottom, from(#4e5458), color-stop(40%, #565b60), to(#5b6165));background-image:linear-gradient(#4e5458, #565b60 40%, #5b6165);background-repeat:no-repeat;-webkit-filter:none;filter:none;border-left:1px solid rgba(0,0,0,0.2)}@media (max-width: 576px){.navbar-expand-sm .navbar-brand,.navbar-expand-sm .nav-link{border:none !important}}@media (max-width: 768px){.navbar-expand-md .navbar-brand,.navbar-expand-md .nav-link{border:none !important}}@media (max-width: 992px){.navbar-expand-lg .navbar-brand,.navbar-expand-lg .nav-link{border:none !important}}.btn{border-color:rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3)}.btn:not([disabled]):not(.disabled).active,.btn.disabled{border-color:rgba(0,0,0,0.6);-webkit-box-shadow:none;box-shadow:none}.btn:hover,.btn:focus,.btn:not([disabled]):not(.disabled):active,.btn:not([disabled]):not(.disabled):active:hover,.btn:not([disabled]):not(.disabled).active:hover{border-color:rgba(0,0,0,0.6)}.btn-primary{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-primary:not([disabled]):not(.disabled):hover,.btn-primary:not([disabled]):not(.disabled):focus,.btn-primary:not([disabled]):not(.disabled):active:hover,.btn-primary:not([disabled]):not(.disabled).active:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-secondary{background-image:-webkit-gradient(linear, left top, left bottom, from(#8a9196), color-stop(60%, #7A8288), to(#70787d));background-image:linear-gradient(#8a9196, #7A8288 60%, #70787d);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-secondary:not([disabled]):not(.disabled):hover,.btn-secondary:not([disabled]):not(.disabled):focus,.btn-secondary:not([disabled]):not(.disabled):active,.btn-secondary:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#4e5458), color-stop(40%, #565b60), to(#5b6165));background-image:linear-gradient(#4e5458, #565b60 40%, #5b6165);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-success{background-image:-webkit-gradient(linear, left top, left bottom, from(#78cc78), color-stop(60%, #62c462), to(#53be53));background-image:linear-gradient(#78cc78, #62c462 60%, #53be53);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#fff}.btn-success:not([disabled]):not(.disabled):hover,.btn-success:not([disabled]):not(.disabled):focus,.btn-success:not([disabled]):not(.disabled):active,.btn-success:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#379337), color-stop(40%, #3b9e3b), to(#3ea63e));background-image:linear-gradient(#379337, #3b9e3b 40%, #3ea63e);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-info{background-image:-webkit-gradient(linear, left top, left bottom, from(#74cae3), color-stop(60%, #5bc0de), to(#4ab9db));background-image:linear-gradient(#74cae3, #5bc0de 60%, #4ab9db);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#fff}.btn-info:not([disabled]):not(.disabled):hover,.btn-info:not([disabled]):not(.disabled):focus,.btn-info:not([disabled]):not(.disabled):active,.btn-info:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#2596b8), color-stop(40%, #28a1c5), to(#29a8cd));background-image:linear-gradient(#2596b8, #28a1c5 40%, #29a8cd);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-warning{background-image:-webkit-gradient(linear, left top, left bottom, from(#faa123), color-stop(60%, #f89406), to(#e48806));background-image:linear-gradient(#faa123, #f89406 60%, #e48806);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#fff}.btn-warning:not([disabled]):not(.disabled):hover,.btn-warning:not([disabled]):not(.disabled):focus,.btn-warning:not([disabled]):not(.disabled):active,.btn-warning:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#9e5f04), color-stop(40%, #ad6704), to(#b76d04));background-image:linear-gradient(#9e5f04, #ad6704 40%, #b76d04);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-danger{background-image:-webkit-gradient(linear, left top, left bottom, from(#f17a77), color-stop(60%, #ee5f5b), to(#ec4d49));background-image:linear-gradient(#f17a77, #ee5f5b 60%, #ec4d49);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-danger:not([disabled]):not(.disabled):hover,.btn-danger:not([disabled]):not(.disabled):focus,.btn-danger:not([disabled]):not(.disabled):active,.btn-danger:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#d71c16), color-stop(40%, #e51d18), to(#e8241f));background-image:linear-gradient(#d71c16, #e51d18 40%, #e8241f);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-link,.btn-link:hover{border-color:transparent}.btn-group .btn.active,.btn-group-vertical .btn.active{border-color:rgba(0,0,0,0.6)}h1,h2,h3,h4,h5,h6{text-shadow:-1px -1px 0 rgba(0,0,0,0.3)}.table-primary,.table-secondary,.table-success,.table-info,.table-warning,.table-danger{color:#fff}.table-primary,.table-primary>th,.table-primary>td{background-color:#3A3F44}.table-secondary,.table-secondary>th,.table-secondary>td{background-color:#7A8288}.table-light,.table-light>th,.table-light>td{background-color:#e9ecef}.table-dark,.table-dark>th,.table-dark>td{background-color:#272B30}.table-success,.table-success>th,.table-success>td{background-color:#62c462}.table-info,.table-info>th,.table-info>td{background-color:#5bc0de}.table-danger,.table-danger>th,.table-danger>td{background-color:#ee5f5b}.table-warning,.table-warning>th,.table-warning>td{background-color:#f89406}.table-active,.table-active>th,.table-active>td{background-color:rgba(255,255,255,0.075)}.table-hover .table-primary:hover,.table-hover .table-primary:hover>th,.table-hover .table-primary:hover>td{background-color:#2e3236}.table-hover .table-secondary:hover,.table-hover .table-secondary:hover>th,.table-hover .table-secondary:hover>td{background-color:#6e757b}.table-hover .table-light:hover,.table-hover .table-light:hover>th,.table-hover .table-light:hover>td{background-color:#dadfe4}.table-hover .table-dark:hover,.table-hover .table-dark:hover>th,.table-hover .table-dark:hover>td{background-color:#1c1e22}.table-hover .table-success:hover,.table-hover .table-success:hover>th,.table-hover .table-success:hover>td{background-color:#4fbd4f}.table-hover .table-info:hover,.table-hover .table-info:hover>th,.table-hover .table-info:hover>td{background-color:#46b8da}.table-hover .table-danger:hover,.table-hover .table-danger:hover>th,.table-hover .table-danger:hover>td{background-color:#ec4844}.table-hover .table-warning:hover,.table-hover .table-warning:hover>th,.table-hover .table-warning:hover>td{background-color:#df8505}.table-hover .table-active:hover,.table-hover .table-active:hover>th,.table-hover .table-active:hover>td{background-color:rgba(255,255,255,0.075)}legend{color:#fff}.input-group-addon{background-image:-webkit-gradient(linear, left top, left bottom, from(#8a9196), color-stop(60%, #7A8288), to(#70787d));background-image:linear-gradient(#8a9196, #7A8288 60%, #70787d);background-repeat:no-repeat;-webkit-filter:none;filter:none;text-shadow:1px 1px 1px rgba(0,0,0,0.3);color:#fff}.nav-tabs .nav-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6)}.nav-tabs .nav-link:not([disabled]):not(.disabled):hover,.nav-tabs .nav-link:not([disabled]):not(.disabled):focus,.nav-tabs .nav-link:not([disabled]):not(.disabled):active,.nav-tabs .nav-link:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.nav-tabs .nav-link.disabled{border:1px solid rgba(0,0,0,0.6)}.nav-tabs .nav-link,.nav-tabs .nav-link:hover{color:#fff}.nav-pills .nav-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3);color:#fff}.nav-pills .nav-link:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6)}.nav-pills .nav-link.active,.nav-pills .nav-link:hover{background-color:transparent;background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6)}.nav-pills .nav-link.disabled,.nav-pills .nav-link.disabled:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#7A8288}.pagination .page-link{text-shadow:1px 1px 1px rgba(0,0,0,0.3);background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.pagination .page-link:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;text-decoration:none}.pagination .page-item.active .page-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none}.pagination .page-item.disabled .page-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.breadcrumb{border:1px solid rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3);background-color:transparent;background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.breadcrumb a,.breadcrumb a:hover{color:#fff}.alert .close{color:#000;text-decoration:none}.alert{border:none;color:#fff}.alert a,.alert .alert-link{color:#fff;text-decoration:underline}.alert-primary{background-color:#3A3F44}.alert-secondary{background-color:#7A8288}.alert-success{background-color:#62c462}.alert-info{background-color:#5bc0de}.alert-warning{background-color:#f89406}.alert-danger{background-color:#ee5f5b}.alert-light{background-color:#e9ecef}.alert-dark{background-color:#272B30}.alert-light,.alert-light a:not(.btn),.alert-light .alert-link{color:#272B30}.badge-success,.badge-warning,.badge-info{color:#fff}.jumbotron{border:1px solid rgba(0,0,0,0.6)}.list-group-item:hover{background-color:#1c1e22} diff --git a/file-upload/jquery-file-upload/index.html b/file-upload/jquery-file-upload/index.html index 40245be48..aa95a3d09 100644 --- a/file-upload/jquery-file-upload/index.html +++ b/file-upload/jquery-file-upload/index.html @@ -1,5 +1,5 @@ - + @@ -10,9 +10,9 @@ %SITE_NAME% - + - + - + - + - - + + - - + + - + - + - + - + - + - + - + - + - + - + - + diff --git a/file-upload/jquery-file-upload/index.php b/file-upload/jquery-file-upload/index.php index ca9a3aa18..725a522f2 100644 --- a/file-upload/jquery-file-upload/index.php +++ b/file-upload/jquery-file-upload/index.php @@ -1,5 +1,5 @@ /name-map-ui. \ No newline at end of file diff --git a/htadmin/docker-entrypoint.sh b/htadmin/docker-entrypoint.sh deleted file mode 100755 index b15497a7d..000000000 --- a/htadmin/docker-entrypoint.sh +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - - -if [[ -z $SITE_NAME || -z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]] -then - echo "Please set the site name, username and (openssl-encrypted) password by adding the following arguments to docker run/create:" - echo " -e SITE_NAME='...'" - echo " -e MALCOLM_USERNAME='...'" - echo " -e MALCOLM_PASSWORD='...'" - exit 1 -fi - -if ! getent passwd "$MALCOLM_USERNAME" >/dev/null -then - # Make sure every container gets its own SSH host keys the first time around - rm -f /etc/ssh/ssh_host_* - dpkg-reconfigure openssh-server - - useradd -g www-data -d /var/www/upload/server/php/chroot -s /sbin/nologin "$MALCOLM_USERNAME" - usermod --password "$MALCOLM_PASSWORD" "$MALCOLM_USERNAME" - chown "$MALCOLM_USERNAME:www-data" /var/www/upload/server/php/chroot/files - chmod 775 /var/www/upload/server/php/chroot/files - - # This will break if $SITE_NAME contains a slash... - sed -i 's/%SITE_NAME%/'"$SITE_NAME"'/g' /var/www/upload/index.html - -else - echo "skipping one-time setup tasks" 1>&2 -fi - -exec "$@" diff --git a/htadmin/supervisord.conf b/htadmin/supervisord.conf index 984807c7a..c81749341 100644 --- a/htadmin/supervisord.conf +++ b/htadmin/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) diff --git a/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json index 383df668a..d03881149 100644 --- a/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json +++ b/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "024062a6-48d6-498f-a91a-3bf2da3a3cd3", "type": "dashboard", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzEyLDFd", + "updated_at": "2020-02-13T20:18:00.229Z", + "version": "Wzg4NCwxXQ==", "attributes": { "title": "X.509", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"zeek_x509.certificate_subject_full\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":17,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":48,\"w\":48,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":67,\"w\":48,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":25,\"y\":8,\"w\":23,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":25,\"y\":28,\"w\":23,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":28,\"w\":17,\"h\":20,\"i\":\"aa7075cb-f9ef-4453-8c5f-90eccc6883c7\"},\"panelIndex\":\"aa7075cb-f9ef-4453-8c5f-90eccc6883c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":86,\"w\":48,\"h\":39,\"i\":\"2a9de8ad-b593-4bf3-9fc4-703580b95500\"},\"panelIndex\":\"2a9de8ad-b593-4bf3-9fc4-703580b95500\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,38 +31,43 @@ }, { "name": "panel_2", - "type": "search", - "id": "858102a3-eec0-4ab3-82bb-a791e4eb364b" + "type": "visualization", + "id": "23d08a2e-2fa2-42df-bf75-dc5f3e5a79e7" }, { "name": "panel_3", "type": "visualization", - "id": "23d08a2e-2fa2-42df-bf75-dc5f3e5a79e7" + "id": "d608f7dd-efea-49c4-b61d-a09d2a29148c" }, { "name": "panel_4", "type": "visualization", - "id": "d608f7dd-efea-49c4-b61d-a09d2a29148c" + "id": "fabba18b-a1ed-4a90-a27c-bdcfed98eae1" }, { "name": "panel_5", "type": "visualization", - "id": "fabba18b-a1ed-4a90-a27c-bdcfed98eae1" + "id": "193088ad-5112-435f-9e9f-ec9127ff8665" }, { "name": "panel_6", "type": "visualization", - "id": "193088ad-5112-435f-9e9f-ec9127ff8665" + "id": "34d702ec-63e9-475d-ab0a-07d97ed4bd66" }, { "name": "panel_7", "type": "visualization", - "id": "34d702ec-63e9-475d-ab0a-07d97ed4bd66" + "id": "AWDHGklsxQT5EBNmq4wG" }, { "name": "panel_8", "type": "visualization", - "id": "AWDHGklsxQT5EBNmq4wG" + "id": "fa696510-4e9b-11ea-b504-97aa449f6abc" + }, + { + "name": "panel_9", + "type": "search", + "id": "858102a3-eec0-4ab3-82bb-a791e4eb364b" } ], "migrationVersion": { @@ -72,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T19:05:04.060Z", + "version": "WzgwMCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -92,8 +97,8 @@ { "id": "0ce14883-eb54-4b30-aba0-b8b13021da11", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzQsMV0=", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3MCwxXQ==", "attributes": { "visState": "{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -116,50 +121,14 @@ "visualization": "7.4.2" } }, - { - "id": "858102a3-eec0-4ab3-82bb-a791e4eb364b", - "type": "search", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzUsMV0=", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "X.509 - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "host", - "zeek_x509.certificate_subject_full", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "23d08a2e-2fa2-42df-bf75-dc5f3e5a79e7", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzYsMV0=", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3MSwxXQ==", "attributes": { "title": "X.509 - Certificate Signing Algorithm", - "visState": "{\"title\":\"X.509 - Certificate Signing Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_x509.certificate_sig_alg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}", + "visState": "{\"title\":\"X.509 - Certificate Signing Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Algorithm\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_x509.certificate_sig_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -170,8 +139,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "858102a3-eec0-4ab3-82bb-a791e4eb364b" } ], @@ -182,8 +151,8 @@ { "id": "d608f7dd-efea-49c4-b61d-a09d2a29148c", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzcsMV0=", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3MiwxXQ==", "attributes": { "visState": "{\"title\":\"X.509 - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_x509.certificate_subject_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}", "description": "", @@ -209,8 +178,8 @@ { "id": "fabba18b-a1ed-4a90-a27c-bdcfed98eae1", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzgsMV0=", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3MywxXQ==", "attributes": { "visState": "{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_x509.certificate_issuer_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}", "description": "", @@ -236,8 +205,8 @@ { "id": "193088ad-5112-435f-9e9f-ec9127ff8665", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzksMV0=", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3NCwxXQ==", "attributes": { "visState": "{\"title\":\"X.509 - Certificate Key Length\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_x509.certificate_key_length\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}", "description": "", @@ -263,8 +232,8 @@ { "id": "34d702ec-63e9-475d-ab0a-07d97ed4bd66", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzEwLDFd", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3NSwxXQ==", "attributes": { "visState": "{\"title\":\"X.509 - Certificate Key Algorithm\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_x509.certificate_key_alg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}", "description": "", @@ -290,8 +259,8 @@ { "id": "AWDHGklsxQT5EBNmq4wG", "type": "visualization", - "updated_at": "2019-12-18T16:20:03.894Z", - "version": "WzExLDFd", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3NiwxXQ==", "attributes": { "title": "X.509 - Log Count", "visState": "{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -313,6 +282,109 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "fa696510-4e9b-11ea-b504-97aa449f6abc", + "type": "visualization", + "updated_at": "2020-02-13T20:04:01.633Z", + "version": "Wzg3MiwxXQ==", + "attributes": { + "title": "SSL - Relevant Notices", + "visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "858102a3-eec0-4ab3-82bb-a791e4eb364b", + "type": "search", + "updated_at": "2020-02-13T19:04:04.463Z", + "version": "WzE3NywxXQ==", + "attributes": { + "title": "X.509 - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_x509.certificate_issuer.CN", + "zeek_x509.certificate_subject.CN", + "zeek_x509.certificate_sig_alg", + "zeek_x509.certificate_version", + "zeek.fuid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:x509\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c", + "type": "search", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3NiwxXQ==", + "attributes": { + "title": "Notices - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_notice.category", + "zeek_notice.sub_category", + "srcIp", + "dstIp", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json index a0b5fb65e..633b2cfc5 100644 --- a/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json +++ b/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "05e3e000-f118-11e9-acda-83a8e29e1a24", @@ -10,7 +10,7 @@ "title": "LDAP", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":18,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":27,\"w\":25,\"h\":27,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"gridData\":{\"x\":25,\"y\":27,\"w\":23,\"h\":27,\"i\":\"9\"},\"version\":\"7.5.1\",\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":18,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":27,\"w\":25,\"h\":27,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"gridData\":{\"x\":25,\"y\":27,\"w\":23,\"h\":27,\"i\":\"9\"},\"version\":\"7.6.2\",\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -71,7 +71,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json index 0bb32110f..b3d27d4d0 100644 --- a/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json +++ b/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b", "type": "dashboard", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzM0LDFd", + "updated_at": "2020-02-12T16:36:54.266Z", + "version": "WzkxNCwxXQ==", "attributes": { "title": "FTP", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"zeek_ftp.fuid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":47,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":8,\"w\":16,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":47,\"w\":16,\"h\":21,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":47,\"w\":16,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":16,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":16,\"h\":21,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":37,\"i\":\"8a83e818-c814-4c25-8740-932d60d2457d\"},\"panelIndex\":\"8a83e818-c814-4c25-8740-932d60d2457d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -61,23 +61,23 @@ }, { "name": "panel_8", - "type": "search", - "id": "16375cb7-a30d-466c-a936-f0a3651f9adb" + "type": "visualization", + "id": "c5fd6f1b-20d7-4b10-bf12-0647e7f90e31" }, { "name": "panel_9", "type": "visualization", - "id": "c5fd6f1b-20d7-4b10-bf12-0647e7f90e31" + "id": "AWDG9sT_xQT5EBNmq4DI" }, { "name": "panel_10", "type": "visualization", - "id": "AWDG9sT_xQT5EBNmq4DI" + "id": "de354920-cb6d-4f9c-9527-d24d314f7681" }, { "name": "panel_11", - "type": "visualization", - "id": "de354920-cb6d-4f9c-9527-d24d314f7681" + "type": "search", + "id": "16375cb7-a30d-466c-a936-f0a3651f9adb" } ], "migrationVersion": { @@ -87,11 +87,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -107,8 +107,8 @@ { "id": "baba321a-1dff-4c11-a8e3-27a473aa89c2", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzIzLDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "Wzk3LDFd", "attributes": { "visState": "{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -134,8 +134,8 @@ { "id": "f62bf46a-59d2-4e7d-9916-a93b09ffb198", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzI0LDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "Wzk4LDFd", "attributes": { "visState": "{\"title\":\"FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.arg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}", "description": "", @@ -161,8 +161,8 @@ { "id": "0c8976ab-d720-43b0-ba40-c5f1abdc86aa", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzI1LDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "Wzk5LDFd", "attributes": { "visState": "{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.reply_msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply Message\"}}],\"listeners\":{}}", "description": "", @@ -188,8 +188,8 @@ { "id": "d77cf99c-45b3-4d2f-b348-dc08331ea6c1", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzI2LDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwMCwxXQ==", "attributes": { "title": "FTP - Reply Code", "visState": "{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ftp.reply_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -215,8 +215,8 @@ { "id": "2c30d743-052f-44bb-847c-dede4126a71d", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzI3LDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwMSwxXQ==", "attributes": { "visState": "{\"title\":\"FTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -242,8 +242,8 @@ { "id": "cf6a7cf7-0105-42d4-9e0c-c732361a7de9", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzI4LDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwMiwxXQ==", "attributes": { "visState": "{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -269,8 +269,8 @@ { "id": "9fe8ac77-cf19-473d-81cd-5fde544abed6", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzI5LDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwMywxXQ==", "attributes": { "visState": "{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}", "description": "", @@ -293,50 +293,11 @@ "visualization": "7.4.2" } }, - { - "id": "16375cb7-a30d-466c-a936-f0a3651f9adb", - "type": "search", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzMwLDFd", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "FTP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "dstIp", - "dstPort", - "zeek.uid", - "zeek_ftp.fuid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "c5fd6f1b-20d7-4b10-bf12-0647e7f90e31", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzMxLDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwNSwxXQ==", "attributes": { "visState": "{\"title\":\"FTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -362,8 +323,8 @@ { "id": "AWDG9sT_xQT5EBNmq4DI", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzMyLDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwNiwxXQ==", "attributes": { "title": "FTP - Log Count", "visState": "{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -389,8 +350,8 @@ { "id": "de354920-cb6d-4f9c-9527-d24d314f7681", "type": "visualization", - "updated_at": "2019-12-18T16:20:05.966Z", - "version": "WzMzLDFd", + "updated_at": "2020-02-12T15:00:06.636Z", + "version": "WzEwNywxXQ==", "attributes": { "title": "FTP - Command", "visState": "{\"title\":\"FTP - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.command\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}", @@ -412,6 +373,46 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "16375cb7-a30d-466c-a936-f0a3651f9adb", + "type": "search", + "updated_at": "2020-02-12T16:36:18.461Z", + "version": "WzkxMiwxXQ==", + "attributes": { + "title": "FTP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_ftp.command", + "zeek_ftp.reply_code", + "zeek.uid", + "zeek.fuid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ftp\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index 4241db2c8..4313edb07 100644 --- a/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "0a490422-0ce9-44bf-9a2d-19329ddde8c3", "type": "dashboard", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzQzLDFd", + "updated_at": "2020-02-12T15:44:07.661Z", + "version": "Wzg1MSwxXQ==", "attributes": { "title": "PE", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"zeek_pe.fuid\",\"zeek_pe.machine\",\"zeek_pe.is_exe\",\"zeek_pe.is_64bit\",\"zeek_pe.subsystem\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":43,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":16,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":16,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":24,\"w\":20,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":24,\"w\":20,\"h\":19,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":39,\"i\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\"},\"panelIndex\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]", "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -41,23 +41,23 @@ }, { "name": "panel_4", - "type": "search", - "id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768" + "type": "visualization", + "id": "7c810b56-5297-4aed-abac-cff41dfa5c77" }, { "name": "panel_5", "type": "visualization", - "id": "7c810b56-5297-4aed-abac-cff41dfa5c77" + "id": "0b774699-b798-40ae-ae92-2ac2a619eeb9" }, { "name": "panel_6", "type": "visualization", - "id": "0b774699-b798-40ae-ae92-2ac2a619eeb9" + "id": "AWDHCUeZxQT5EBNmq4Xy" }, { "name": "panel_7", - "type": "visualization", - "id": "AWDHCUeZxQT5EBNmq4Xy" + "type": "search", + "id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768" } ], "migrationVersion": { @@ -67,11 +67,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -87,8 +87,8 @@ { "id": "a44daac6-37e2-4fef-8b78-32232c4f32e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzM2LDFd", + "updated_at": "2020-02-12T15:00:07.665Z", + "version": "WzExOCwxXQ==", "attributes": { "visState": "{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -114,8 +114,8 @@ { "id": "6b1bf8b4-399b-4ef2-baeb-7f9b1740b657", "type": "visualization", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzM3LDFd", + "updated_at": "2020-02-12T15:00:07.665Z", + "version": "WzExOSwxXQ==", "attributes": { "title": "PE - OS", "visState": "{\"title\":\"PE - OS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_pe.os\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -141,8 +141,8 @@ { "id": "59b3dd10-2de5-40d2-88ea-caf2bd3da549", "type": "visualization", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzM4LDFd", + "updated_at": "2020-02-12T15:00:07.665Z", + "version": "WzEyMCwxXQ==", "attributes": { "title": "PE - Subsystem", "visState": "{\"title\":\"PE - Subsystem\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_pe.subsystem\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -165,47 +165,11 @@ "visualization": "7.4.2" } }, - { - "id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768", - "type": "search", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzM5LDFd", - "attributes": { - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "PE - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "zeek_pe.machine", - "zeek_pe.fuid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "7c810b56-5297-4aed-abac-cff41dfa5c77", "type": "visualization", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzQwLDFd", + "updated_at": "2020-02-12T15:00:07.665Z", + "version": "WzEyMiwxXQ==", "attributes": { "visState": "{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_pe.section_names\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", @@ -231,8 +195,8 @@ { "id": "0b774699-b798-40ae-ae92-2ac2a619eeb9", "type": "visualization", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzQxLDFd", + "updated_at": "2020-02-12T15:00:07.665Z", + "version": "WzEyMywxXQ==", "attributes": { "visState": "{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_pe.machine\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}", "description": "", @@ -258,8 +222,8 @@ { "id": "AWDHCUeZxQT5EBNmq4Xy", "type": "visualization", - "updated_at": "2019-12-18T16:20:07.007Z", - "version": "WzQyLDFd", + "updated_at": "2020-02-12T15:00:07.665Z", + "version": "WzEyNCwxXQ==", "attributes": { "title": "PE - Log Count", "visState": "{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -281,6 +245,43 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768", + "type": "search", + "updated_at": "2020-02-12T15:43:23.994Z", + "version": "Wzg1MCwxXQ==", + "attributes": { + "title": "PE - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_pe.machine", + "zeek_pe.os", + "zeek_pe.subsystem", + "zeek.fuid" + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:pe\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json index 38a9ecabf..14af99a28 100644 --- a/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json +++ b/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "0ad3d7c2-3441-485e-9dfe-dbb22e84e576", "type": "dashboard", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzU0LDFd", + "updated_at": "2020-02-04T14:45:22.131Z", + "version": "WzgxMiwxXQ==", "attributes": { "title": "Overview", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":32,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i\":\"19\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"43\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"43\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"32\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":26,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":26,\"w\":36,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":11,\"h\":18,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":8,\"i\":\"32\"},\"panelIndex\":\"32\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":26,\"w\":12,\"h\":18,\"i\":\"43\"},\"panelIndex\":\"43\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":19,\"y\":8,\"w\":13,\"h\":18,\"i\":\"2aab2ae5-2520-4b78-9735-04c32b22b71e\"},\"panelIndex\":\"2aab2ae5-2520-4b78-9735-04c32b22b71e\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":18,\"i\":\"e25371b4-5477-4d3f-9f68-df3399d1ef6a\"},\"panelIndex\":\"e25371b4-5477-4d3f-9f68-df3399d1ef6a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":27,\"i\":\"4c077648-488a-4fd8-9fcd-3042ec1bfa4d\"},\"panelIndex\":\"4c077648-488a-4fd8-9fcd-3042ec1bfa4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -26,23 +26,23 @@ }, { "name": "panel_1", - "type": "search", - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" + "type": "visualization", + "id": "470c6648-d66f-4fae-99af-061cab27065a" }, { "name": "panel_2", "type": "visualization", - "id": "470c6648-d66f-4fae-99af-061cab27065a" + "id": "3da52536-9455-4f8f-931a-14f4c04c636b" }, { "name": "panel_3", "type": "visualization", - "id": "3da52536-9455-4f8f-931a-14f4c04c636b" + "id": "f7aba7a6-4b09-4efe-ae42-68d5637212ce" }, { "name": "panel_4", "type": "visualization", - "id": "f7aba7a6-4b09-4efe-ae42-68d5637212ce" + "id": "AWDGyaGxxQT5EBNmq3K9" }, { "name": "panel_5", @@ -52,7 +52,17 @@ { "name": "panel_6", "type": "visualization", - "id": "AWDGyaGxxQT5EBNmq3K9" + "id": "750367f0-41f2-11ea-88fa-7151df485405" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "77bd1870-46ce-11ea-91c3-61991161aaaf" + }, + { + "name": "panel_8", + "type": "search", + "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" } ], "migrationVersion": { @@ -62,11 +72,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-04T14:21:03.422Z", + "version": "Wzc4MCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -79,50 +89,11 @@ "visualization": "7.4.2" } }, - { - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "All Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "470c6648-d66f-4fae-99af-061cab27065a", "type": "visualization", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzQ2LDFd", + "updated_at": "2020-02-04T14:20:08.110Z", + "version": "WzIxMiwxXQ==", "attributes": { "visState": "{\"title\":\"Total Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -148,11 +119,11 @@ { "id": "3da52536-9455-4f8f-931a-14f4c04c636b", "type": "visualization", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzQ3LDFd", + "updated_at": "2020-02-04T14:40:30.216Z", + "version": "WzgwNiwxXQ==", "attributes": { "title": "Connections - Service By Destination Country", - "visState": "{\"title\":\"Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}", + "visState": "{\"title\":\"Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -163,8 +134,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -175,8 +146,8 @@ { "id": "f7aba7a6-4b09-4efe-ae42-68d5637212ce", "type": "visualization", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzQ4LDFd", + "updated_at": "2020-02-04T14:20:08.110Z", + "version": "WzIxNCwxXQ==", "attributes": { "title": "Log Type", "visState": "{\"title\":\"Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.logType\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}", @@ -199,11 +170,37 @@ "visualization": "7.4.2" } }, + { + "id": "AWDGyaGxxQT5EBNmq3K9", + "type": "visualization", + "updated_at": "2020-02-04T14:20:08.110Z", + "version": "WzIxNSwxXQ==", + "attributes": { + "title": "Total Number of Logs", + "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "6ec2abe4-c3b1-4cc1-8674-e80f8aee7ec5", "type": "visualization", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzQ5LDFd", + "updated_at": "2020-02-04T14:20:08.110Z", + "version": "WzIxNiwxXQ==", "attributes": { "title": "DNS - Queries", "visState": "{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}", @@ -219,7 +216,7 @@ { "type": "search", "name": "search_0", - "id": "6b8b8d7e-49eb-46b6-8bbf-cdbf295bccbd" + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" } ], "migrationVersion": { @@ -227,18 +224,18 @@ } }, { - "id": "AWDGyaGxxQT5EBNmq3K9", + "id": "750367f0-41f2-11ea-88fa-7151df485405", "type": "visualization", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzUwLDFd", + "updated_at": "2020-02-04T14:37:31.909Z", + "version": "WzgwMywxXQ==", "attributes": { - "title": "Total Number of Logs", - "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "Application Protocol by Version", + "visState": "{\"title\":\"Application Protocol by Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -253,32 +250,100 @@ } }, { - "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", + "id": "77bd1870-46ce-11ea-91c3-61991161aaaf", + "type": "visualization", + "updated_at": "2020-02-04T14:20:08.110Z", + "version": "WzIxNywxXQ==", + "attributes": { + "title": "Actions", + "visState": "{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "c97bc964-5319-41e7-ad22-db28156a2ac1", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-04T14:44:15.353Z", + "version": "WzgwOSwxXQ==", "attributes": { + "title": "All Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.logType", + "zeek.service", + "zeek.action", + "srcIp", + "dstIp", + "dstPort", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", + "type": "search", + "updated_at": "2020-02-12T22:48:55.398Z", + "version": "WzgwMiwxXQ==", + "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, "columns": [ + "zeek.proto", + "zeek.service", "srcIp", "srcPort", "dstIp", "dstPort", - "zeek.uid", - "_id" - ] + "totBytes", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { @@ -292,32 +357,31 @@ } }, { - "id": "6b8b8d7e-49eb-46b6-8bbf-cdbf295bccbd", + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", "type": "search", - "updated_at": "2019-12-18T16:20:08.051Z", - "version": "WzUzLDFd", + "updated_at": "2020-02-12T16:25:47.761Z", + "version": "WzkwMywxXQ==", "attributes": { + "title": "DNS - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_dns.query", + "zeek_dns.answers", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "DNS - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json index ed3430204..e43b08ee1 100644 --- a/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json +++ b/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0", "type": "dashboard", - "updated_at": "2019-12-18T16:20:09.090Z", - "version": "WzU4LDFd", + "updated_at": "2020-02-13T15:36:58.939Z", + "version": "WzkzMiwxXQ==", "attributes": { "title": "Connections - Destination - Top Connection Duration", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"2e33c0bf-ffb8-408b-ab32-0c6539074ea6\"},\"panelIndex\":\"2e33c0bf-ffb8-408b-ab32-0c6539074ea6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"92ba4d29-ba43-4806-b545-79f60788c795\"},\"panelIndex\":\"92ba4d29-ba43-4806-b545-79f60788c795\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,8 +47,8 @@ { "id": "53854a54-2b8b-474e-a36c-bce80276004e", "type": "visualization", - "updated_at": "2019-12-18T16:20:09.090Z", - "version": "WzU1LDFd", + "updated_at": "2020-02-13T14:16:09.737Z", + "version": "WzEyMCwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Destination - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", @@ -64,11 +74,67 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -84,30 +150,32 @@ { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json index a0c443d45..598fe93ec 100644 --- a/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json +++ b/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa", "type": "dashboard", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "Wzc0LDFd", + "updated_at": "2020-02-12T19:07:43.219Z", + "version": "WzExMDAsMV0=", "attributes": { "title": "SIP", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"18\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":63,\"w\":17,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":17,\"y\":63,\"w\":17,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":44,\"w\":23,\"h\":19,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":23,\"y\":44,\"w\":25,\"h\":19,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":25,\"y\":24,\"w\":23,\"h\":20,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":34,\"y\":63,\"w\":14,\"h\":19,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":24,\"w\":17,\"h\":20,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":82,\"w\":48,\"h\":32,\"i\":\"986e38d3-b2fb-44cb-b4b3-efaa2d46ff62\"},\"panelIndex\":\"986e38d3-b2fb-44cb-b4b3-efaa2d46ff62\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -62,37 +62,32 @@ { "name": "panel_8", "type": "visualization", - "id": "c0520b7a-6fb5-4f07-aebc-56dcb406c7e3" + "id": "068db209-7174-4082-a758-68c6b09224c6" }, { "name": "panel_9", "type": "visualization", - "id": "068db209-7174-4082-a758-68c6b09224c6" + "id": "07d161d5-c6b3-4a51-bef7-d53a325e945a" }, { "name": "panel_10", - "type": "search", - "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3" + "type": "visualization", + "id": "46d7e33f-ec02-41ab-977c-7e164c80f6ef" }, { "name": "panel_11", "type": "visualization", - "id": "07d161d5-c6b3-4a51-bef7-d53a325e945a" + "id": "AWDHDNS4xQT5EBNmq4dF" }, { "name": "panel_12", "type": "visualization", - "id": "46d7e33f-ec02-41ab-977c-7e164c80f6ef" + "id": "fff2c100-32e4-402c-98cc-4a977010a427" }, { "name": "panel_13", - "type": "visualization", - "id": "AWDHDNS4xQT5EBNmq4dF" - }, - { - "name": "panel_14", - "type": "visualization", - "id": "fff2c100-32e4-402c-98cc-4a977010a427" + "type": "search", + "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3" } ], "migrationVersion": { @@ -102,11 +97,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -122,8 +117,8 @@ { "id": "00051443-ad3a-4c91-81a8-928096b8d5c2", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzYwLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE2OCwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -149,8 +144,8 @@ { "id": "2a9cf114-30d2-4b27-a71b-cde90dc26c9a", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzYxLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE2OSwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -176,8 +171,8 @@ { "id": "d5c39a42-e7c1-447c-afce-53fea7e5d971", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzYyLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE3MCwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -203,11 +198,11 @@ { "id": "72cf657f-b027-4d0b-814d-9bb3ebada4f6", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzYzLDFd", + "updated_at": "2020-02-12T18:51:05.966Z", + "version": "WzEwODMsMV0=", "attributes": { "title": "SIP - Destination Country", - "visState": "{\"title\":\"SIP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", + "visState": "{\"title\":\"SIP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek.destination_geo.country_name: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -218,8 +213,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3" } ], @@ -230,8 +225,8 @@ { "id": "1968f84a-1b85-44ea-b9ba-c6af98aeb8bb", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzY0LDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE3MiwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.request_path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}", "description": "", @@ -257,8 +252,8 @@ { "id": "7eb073ce-5c1f-4319-9eb8-1bf25399dcd9", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzY1LDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE3MywxXQ==", "attributes": { "visState": "{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", "description": "", @@ -284,8 +279,8 @@ { "id": "f39d0316-33cd-4dc3-ad9d-bdf488f4e80c", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzY2LDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE3NCwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", "description": "", @@ -308,41 +303,14 @@ "visualization": "7.4.2" } }, - { - "id": "c0520b7a-6fb5-4f07-aebc-56dcb406c7e3", - "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzY3LDFd", - "attributes": { - "visState": "{\"title\":\"SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.content_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content Type\"}}],\"listeners\":{}}", - "description": "", - "title": "SIP - Content Type", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, { "id": "068db209-7174-4082-a758-68c6b09224c6", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzY4LDFd", + "updated_at": "2020-02-12T18:55:56.702Z", + "version": "WzEwODgsMV0=", "attributes": { "title": "SIP - Content Type", - "visState": "{\"title\":\"SIP - Content Type\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_sip.content_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", + "visState": "{\"title\":\"SIP - Content Type\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_sip.content_type: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_sip.content_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Content Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -353,8 +321,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3" } ], @@ -362,50 +330,11 @@ "visualization": "7.4.2" } }, - { - "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3", - "type": "search", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzY5LDFd", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "SIP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "07d161d5-c6b3-4a51-bef7-d53a325e945a", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzcwLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE3OCwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - Method\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_sip.method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}", "description": "", @@ -431,8 +360,8 @@ { "id": "46d7e33f-ec02-41ab-977c-7e164c80f6ef", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzcxLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE3OSwxXQ==", "attributes": { "visState": "{\"title\":\"SIP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", @@ -458,8 +387,8 @@ { "id": "AWDHDNS4xQT5EBNmq4dF", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzcyLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE4MCwxXQ==", "attributes": { "title": "SIP - Log Count", "visState": "{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -485,8 +414,8 @@ { "id": "fff2c100-32e4-402c-98cc-4a977010a427", "type": "visualization", - "updated_at": "2019-12-18T16:20:10.133Z", - "version": "WzczLDFd", + "updated_at": "2020-02-12T15:00:10.763Z", + "version": "WzE4MSwxXQ==", "attributes": { "title": "SIP - Status", "visState": "{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.status_msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}", @@ -508,6 +437,46 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3", + "type": "search", + "updated_at": "2020-02-12T19:06:32.821Z", + "version": "WzEwOTksMV0=", + "attributes": { + "title": "SIP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_sip.method", + "zeek_sip.content_type", + "zeek_sip.status_msg", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:sip\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index 4068721e5..9e69559de 100644 --- a/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "11be6381-beef-40a7-bdce-88c5398392fc", "type": "dashboard", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "Wzg1LDFd", + "updated_at": "2020-02-12T21:18:49.326Z", + "version": "WzEyNzAsMV0=", "attributes": { "title": "Tunnels", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":18,\"y\":48,\"w\":18,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":48,\"w\":18,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":23,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":48,\"w\":12,\"h\":19,\"i\":\"bf1d77e6-2814-479a-8abc-6854aaba0d6d\"},\"panelIndex\":\"bf1d77e6-2814-479a-8abc-6854aaba0d6d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":67,\"w\":48,\"h\":36,\"i\":\"4c91cf0e-8f00-4682-88e9-e7a4da9cb818\"},\"panelIndex\":\"4c91cf0e-8f00-4682-88e9-e7a4da9cb818\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -46,18 +46,18 @@ }, { "name": "panel_5", - "type": "search", - "id": "f166f708-f838-4c50-84cc-1fb99f7d7060" + "type": "visualization", + "id": "7b5a1e84-eb4d-4a4f-9b8b-e325ff81d89a" }, { "name": "panel_6", "type": "visualization", - "id": "7b5a1e84-eb4d-4a4f-9b8b-e325ff81d89a" + "id": "56a5dece-0790-4acc-b166-6628cf10a596" }, { "name": "panel_7", "type": "visualization", - "id": "56a5dece-0790-4acc-b166-6628cf10a596" + "id": "AWDHFYrqxQT5EBNmq4qT" }, { "name": "panel_8", @@ -66,8 +66,8 @@ }, { "name": "panel_9", - "type": "visualization", - "id": "AWDHFYrqxQT5EBNmq4qT" + "type": "search", + "id": "f166f708-f838-4c50-84cc-1fb99f7d7060" } ], "migrationVersion": { @@ -77,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +97,8 @@ { "id": "ea729cd0-2c77-4c5a-8ffa-11ff19d1e369", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "Wzc2LDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzE5NCwxXQ==", "attributes": { "visState": "{\"title\":\"Tunnels - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -124,8 +124,8 @@ { "id": "ab721f9e-240e-4343-b71c-9c04d2d704f5", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "Wzc3LDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzE5NSwxXQ==", "attributes": { "title": "Tunnels - Type", "visState": "{\"title\":\"Tunnels - Type\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tunnel.tunnel_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -151,8 +151,8 @@ { "id": "018337e2-9178-4021-a36f-a1e7098b9b86", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "Wzc4LDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzE5NiwxXQ==", "attributes": { "visState": "{\"title\":\"Tunnels - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -178,8 +178,8 @@ { "id": "8eb2b344-150b-4163-b6c1-e686bb7027d5", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "Wzc5LDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzE5NywxXQ==", "attributes": { "visState": "{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -202,50 +202,11 @@ "visualization": "7.4.2" } }, - { - "id": "f166f708-f838-4c50-84cc-1fb99f7d7060", - "type": "search", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "WzgwLDFd", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "Tunnels - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:tunnel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "7b5a1e84-eb4d-4a4f-9b8b-e325ff81d89a", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "WzgxLDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzE5OSwxXQ==", "attributes": { "visState": "{\"title\":\"Tunnels - Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", "description": "", @@ -271,8 +232,8 @@ { "id": "56a5dece-0790-4acc-b166-6628cf10a596", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "WzgyLDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzIwMCwxXQ==", "attributes": { "title": "Tunnels - Action", "visState": "{\"title\":\"Tunnels - Action\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_tunnel.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}", @@ -296,15 +257,15 @@ } }, { - "id": "f408c64e-1950-42b2-904a-cac7c4f11bc6", + "id": "AWDHFYrqxQT5EBNmq4qT", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "WzgzLDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzIwMiwxXQ==", "attributes": { - "visState": "{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", + "title": "Tunnels - Log Count", + "visState": "{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "Tunnels - Destination Port", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -323,15 +284,15 @@ } }, { - "id": "AWDHFYrqxQT5EBNmq4qT", + "id": "f408c64e-1950-42b2-904a-cac7c4f11bc6", "type": "visualization", - "updated_at": "2019-12-18T16:20:11.180Z", - "version": "Wzg0LDFd", + "updated_at": "2020-02-12T15:00:11.808Z", + "version": "WzIwMSwxXQ==", "attributes": { - "title": "Tunnels - Log Count", - "visState": "{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "visState": "{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", + "title": "Tunnels - Destination Port", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -348,6 +309,46 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "f166f708-f838-4c50-84cc-1fb99f7d7060", + "type": "search", + "updated_at": "2020-02-12T21:17:37.122Z", + "version": "WzEyNjgsMV0=", + "attributes": { + "title": "Tunnels - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek_tunnel.action", + "zeek_tunnel.tunnel_type", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:tunnel\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json index b7166dee4..924a764d4 100644 --- a/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json +++ b/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "11ddd980-e388-11e9-b568-cf17de8e860c", "type": "dashboard", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "Wzk2LDFd", + "updated_at": "2020-02-12T18:05:52.591Z", + "version": "WzEwMDYsMV0=", "attributes": { "title": "QUIC", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"h\":56,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"15\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":69},\"panelIndex\":\"16\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"17\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"18\",\"w\":20,\"x\":8,\"y\":8},\"panelIndex\":\"18\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"19\",\"w\":20,\"x\":28,\"y\":8},\"panelIndex\":\"19\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":20,\"x\":8,\"y\":29},\"panelIndex\":\"20\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":20,\"x\":28,\"y\":29},\"panelIndex\":\"21\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"22\",\"w\":40,\"x\":8,\"y\":49},\"panelIndex\":\"22\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":13,\"i\":\"23\",\"w\":8,\"x\":0,\"y\":56},\"panelIndex\":\"23\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":36,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":9,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":23,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":9,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":9,\"w\":20,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":9,\"w\":20,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":30,\"w\":20,\"h\":19,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":30,\"w\":20,\"h\":19,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":19,\"i\":\"22\"},\"panelIndex\":\"22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":36,\"w\":8,\"h\":13,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -77,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +97,8 @@ { "id": "a9a94150-e388-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "Wzg3LDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxMSwxXQ==", "attributes": { "title": "QUIC - Log Count", "visState": "{\"title\":\"QUIC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", @@ -124,8 +124,8 @@ { "id": "69939d90-e388-11e9-b568-cf17de8e860c", "type": "search", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "Wzg4LDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxMiwxXQ==", "attributes": { "title": "QUIC - Logs", "description": "", @@ -163,8 +163,8 @@ { "id": "42fea480-e389-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "Wzg5LDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxMywxXQ==", "attributes": { "title": "QUIC - Log Count Over Time", "visState": "{\"title\":\"QUIC - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"quic.version\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"QUIC Version\"}}]}", @@ -190,8 +190,8 @@ { "id": "2648ad80-e38a-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "WzkwLDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxNCwxXQ==", "attributes": { "title": "QUIC - Source IP Address", "visState": "{\"title\":\"QUIC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", @@ -217,8 +217,8 @@ { "id": "49d13470-e38a-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "WzkxLDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxNSwxXQ==", "attributes": { "title": "QUIC - Destination IP Address", "visState": "{\"title\":\"QUIC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", @@ -244,8 +244,8 @@ { "id": "919cb8b0-e38a-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "WzkyLDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxNiwxXQ==", "attributes": { "title": "QUIC - User Agent", "visState": "{\"title\":\"QUIC - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"quic.useragent\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}", @@ -271,8 +271,8 @@ { "id": "be8b4120-e38a-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "WzkzLDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxNywxXQ==", "attributes": { "title": "QUIC - Server Name", "visState": "{\"title\":\"QUIC - Server Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"quic.host\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}", @@ -298,8 +298,8 @@ { "id": "2e6549a0-e38b-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "Wzk0LDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxOCwxXQ==", "attributes": { "title": "QUIC - CYU Fingerprint", "visState": "{\"title\":\"QUIC - CYU Fingerprint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_gquic.cyutags\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint Tags\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_gquic.cyu\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint MD5\"}}]}", @@ -325,8 +325,8 @@ { "id": "7a6b6a50-e38b-11e9-b568-cf17de8e860c", "type": "visualization", - "updated_at": "2019-12-18T16:20:12.222Z", - "version": "Wzk1LDFd", + "updated_at": "2020-02-12T15:00:12.835Z", + "version": "WzIxOSwxXQ==", "attributes": { "title": "QUIC - Version", "visState": "{\"title\":\"QUIC - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"quic.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"QUIC Version\"}}]}", diff --git a/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json index e74245e43..8057cd32d 100644 --- a/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json +++ b/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "152f29dc-51a2-4f53-93e9-6e92765567b8", @@ -10,7 +10,7 @@ "title": "Modbus", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"h\":53,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":20,\"x\":8,\"y\":33},\"panelIndex\":\"11\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":13,\"i\":\"13\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"13\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":73},\"panelIndex\":\"14\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"15\",\"w\":17,\"x\":8,\"y\":13},\"panelIndex\":\"15\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"16\",\"w\":23,\"x\":25,\"y\":13},\"panelIndex\":\"16\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"17\",\"w\":20,\"x\":28,\"y\":33},\"panelIndex\":\"17\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"18\",\"w\":27,\"x\":0,\"y\":53},\"panelIndex\":\"18\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"19\",\"w\":21,\"x\":27,\"y\":53},\"panelIndex\":\"19\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"gridData\":{\"h\":53,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":20,\"x\":8,\"y\":33},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":13,\"i\":\"13\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":73},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"15\",\"w\":17,\"x\":8,\"y\":13},\"panelIndex\":\"15\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"16\",\"w\":23,\"x\":25,\"y\":13},\"panelIndex\":\"16\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"17\",\"w\":20,\"x\":28,\"y\":33},\"panelIndex\":\"17\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"18\",\"w\":27,\"x\":0,\"y\":53},\"panelIndex\":\"18\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"19\",\"w\":21,\"x\":27,\"y\":53},\"panelIndex\":\"19\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -81,7 +81,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json index 9b664c906..8cabf76fe 100644 --- a/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "1ce42250-3f99-11e9-a58e-8bdedb0915e8", "type": "dashboard", - "updated_at": "2019-12-18T16:20:14.289Z", - "version": "WzExNCwxXQ==", + "updated_at": "2020-02-13T15:37:31.784Z", + "version": "WzkzNSwxXQ==", "attributes": { "title": "Connections - Source - Sum of Total Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"5cf06729-4907-4824-a561-a3c50a23136c\"},\"panelIndex\":\"5cf06729-4907-4824-a561-a3c50a23136c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"b397c221-819d-4fdd-b3e1-3a424d643ef0\"},\"panelIndex\":\"b397c221-819d-4fdd-b3e1-3a424d643ef0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "997269c0-3f95-11e9-a58e-8bdedb0915e8" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,12 +67,12 @@ { "id": "997269c0-3f95-11e9-a58e-8bdedb0915e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:14.289Z", - "version": "WzExMiwxXQ==", + "updated_at": "2020-02-13T14:48:48.478Z", + "version": "Wzg3OCwxXQ==", "attributes": { "title": "Connections - Source - Sum of Total Bytes (region map)", - "visState": "{\"title\":\"Connections - Source - Sum of Total Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", - "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", + "visState": "{\"title\":\"Connections - Source - Sum of Total Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"sum\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "uiStateJSON": "{\"mapCenter\":[37.87063517566466,16.347656250000004],\"mapZoom\":3}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -72,8 +82,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json index 2cec97baf..baf63c89c 100644 --- a/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json +++ b/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "1fff49f6-0199-4a0f-820b-721aff9ff1f1", "type": "dashboard", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzEyNSwxXQ==", + "updated_at": "2020-02-12T15:51:03.953Z", + "version": "Wzg2NCwxXQ==", "attributes": { "title": "Weird", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":66,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":14,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":27,\"w\":14,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":47,\"w\":40,\"h\":19,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":66,\"w\":48,\"h\":35,\"i\":\"781c60c8-791a-4f33-9f08-85820f16f4d1\"},\"panelIndex\":\"781c60c8-791a-4f33-9f08-85820f16f4d1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -46,28 +46,28 @@ }, { "name": "panel_5", - "type": "search", - "id": "17236484-ab93-4497-8b85-bc7dfaeb2d71" + "type": "visualization", + "id": "a827f658-2190-4ec4-b330-96cdb93d97ed" }, { "name": "panel_6", "type": "visualization", - "id": "a827f658-2190-4ec4-b330-96cdb93d97ed" + "id": "64ffd0d9-a0d7-4db6-bce0-c69b48ff0da6" }, { "name": "panel_7", "type": "visualization", - "id": "64ffd0d9-a0d7-4db6-bce0-c69b48ff0da6" + "id": "AWDHGXk-xQT5EBNmq4uf" }, { "name": "panel_8", "type": "visualization", - "id": "AWDHGXk-xQT5EBNmq4uf" + "id": "429d2522-67c6-44f5-aae8-f464d5815195" }, { "name": "panel_9", - "type": "visualization", - "id": "429d2522-67c6-44f5-aae8-f464d5815195" + "type": "search", + "id": "17236484-ab93-4497-8b85-bc7dfaeb2d71" } ], "migrationVersion": { @@ -77,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +97,8 @@ { "id": "2789890f-3187-449c-b0d7-a351975cbe13", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzExNiwxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2MCwxXQ==", "attributes": { "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over Time\",\"type\":\"line\"}", "description": "", @@ -124,8 +124,8 @@ { "id": "259fa46e-2fde-41bb-b028-063a12cb4621", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzExNywxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2MSwxXQ==", "attributes": { "visState": "{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -151,8 +151,8 @@ { "id": "84786f08-b68a-4524-8d2d-d44221f99060", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzExOCwxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2MiwxXQ==", "attributes": { "visState": "{\"title\":\"Weird - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -178,13 +178,13 @@ { "id": "c7fbd190-02fa-4eb5-ac5a-a4ad421a6a3b", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzExOSwxXQ==", + "updated_at": "2020-02-12T15:48:10.480Z", + "version": "Wzg1NywxXQ==", "attributes": { - "visState": "{\"title\":\"Weird - Notice Generated\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_weird.notice\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", "title": "Weird - Notice Generated", + "visState": "{\"title\":\"Weird - Notice Generated\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_weird.notice: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_weird.notice\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -193,8 +193,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "17236484-ab93-4497-8b85-bc7dfaeb2d71" } ], @@ -202,50 +202,11 @@ "visualization": "7.4.2" } }, - { - "id": "17236484-ab93-4497-8b85-bc7dfaeb2d71", - "type": "search", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzEyMCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "Weird - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "a827f658-2190-4ec4-b330-96cdb93d97ed", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzEyMSwxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2NSwxXQ==", "attributes": { "visState": "{\"title\":\"Weird - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", "description": "", @@ -271,8 +232,8 @@ { "id": "64ffd0d9-a0d7-4db6-bce0-c69b48ff0da6", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzEyMiwxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2NiwxXQ==", "attributes": { "visState": "{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -298,8 +259,8 @@ { "id": "AWDHGXk-xQT5EBNmq4uf", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzEyMywxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2NywxXQ==", "attributes": { "title": "Weird - Log Count", "visState": "{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -325,8 +286,8 @@ { "id": "429d2522-67c6-44f5-aae8-f464d5815195", "type": "visualization", - "updated_at": "2019-12-18T16:20:15.324Z", - "version": "WzEyNCwxXQ==", + "updated_at": "2020-02-12T15:00:15.936Z", + "version": "WzI2OCwxXQ==", "attributes": { "title": "Weird - Name", "visState": "{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}", @@ -348,6 +309,45 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "17236484-ab93-4497-8b85-bc7dfaeb2d71", + "type": "search", + "updated_at": "2020-02-12T15:50:09.109Z", + "version": "Wzg2MiwxXQ==", + "attributes": { + "title": "Weird - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek_weird.name", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:weird\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json index 195bf3e2e..855e956eb 100644 --- a/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json +++ b/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "29a1b290-eb98-11e9-a384-0fcf32210194", "type": "dashboard", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzOSwxXQ==", + "updated_at": "2020-02-12T21:30:25.616Z", + "version": "WzEyODcsMV0=", "attributes": { "title": "EtherNet/IP", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":74,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":15,\"w\":18,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":15,\"w\":22,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":34,\"w\":18,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":22,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"gridData\":{\"x\":8,\"y\":54,\"w\":22,\"h\":20,\"i\":\"9\"},\"version\":\"7.5.1\",\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":30,\"y\":54,\"w\":18,\"h\":20,\"i\":\"10\"},\"version\":\"7.5.1\",\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":34,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":30,\"y\":15,\"w\":18,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":15,\"w\":22,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":31,\"y\":34,\"w\":17,\"h\":22,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":34,\"w\":31,\"h\":22,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":56,\"w\":13,\"h\":21,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":13,\"y\":56,\"w\":18,\"h\":21,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":31,\"y\":56,\"w\":17,\"h\":21,\"i\":\"5c779394-cda6-4315-9bac-00c25d6c08a2\"},\"panelIndex\":\"5c779394-cda6-4315-9bac-00c25d6c08a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" } }, "references": [ @@ -68,6 +68,11 @@ "name": "panel_9", "type": "visualization", "id": "28722f10-eb9f-11e9-a384-0fcf32210194" + }, + { + "name": "panel_10", + "type": "visualization", + "id": "b65629c0-4dde-11ea-8336-d3388483188b" } ], "migrationVersion": { @@ -77,11 +82,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +102,8 @@ { "id": "b2548270-eb98-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEyNywxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI3OSwxXQ==", "attributes": { "title": "EtherNet/IP - Log Count", "visState": "{\"title\":\"EtherNet/IP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", @@ -128,8 +133,8 @@ { "id": "3c2b11d0-eb99-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEyOCwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4MCwxXQ==", "attributes": { "title": "EtherNet/IP - Logs Over Time", "visState": "{\"title\":\"EtherNet/IP - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", @@ -159,8 +164,8 @@ { "id": "dbcc6540-eb99-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEyOSwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4MSwxXQ==", "attributes": { "title": "EtherNet/IP and Related - Logs", "description": "", @@ -198,8 +203,8 @@ { "id": "9f3c4950-eb9a-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzMCwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4MiwxXQ==", "attributes": { "title": "Common Industrial Protocol - Service", "visState": "{\"title\":\"Common Industrial Protocol - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.cip_service\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CIP Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.status\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", @@ -225,8 +230,8 @@ { "id": "7199bdb0-eb9b-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzMSwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4MywxXQ==", "attributes": { "title": "EtherNet/IP - Product", "visState": "{\"title\":\"EtherNet/IP - Product\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip_list_identity.vendor\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip_list_identity.product_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Product\"}}]}", @@ -252,8 +257,8 @@ { "id": "f587d990-eb9b-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzMiwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4NCwxXQ==", "attributes": { "title": "EtherNet/IP - Command", "visState": "{\"title\":\"EtherNet/IP - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.command\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.status\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", @@ -279,8 +284,8 @@ { "id": "a0ef3e90-eb9c-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzMywxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4NSwxXQ==", "attributes": { "title": "EtherNet/IP - Product Revision", "visState": "{\"title\":\"EtherNet/IP - Product Revision\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip_list_identity.vendor\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Vendor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip_list_identity.product_name\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Product\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip_list_identity.revision\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}", @@ -306,11 +311,11 @@ { "id": "0165b180-eb9f-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzNCwxXQ==", + "updated_at": "2020-02-12T21:27:05.859Z", + "version": "WzEyODIsMV0=", "attributes": { "title": "EtherNet/IP - Source IP", - "visState": "{\"title\":\"EtherNet/IP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}", + "visState": "{\"title\":\"EtherNet/IP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -321,8 +326,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "dbcc6540-eb99-11e9-a384-0fcf32210194" } ], @@ -333,8 +338,8 @@ { "id": "28722f10-eb9f-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzNSwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4NywxXQ==", "attributes": { "title": "EtherNet/IP - Destination IP", "visState": "{\"title\":\"EtherNet/IP - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", @@ -357,11 +362,38 @@ "visualization": "7.4.2" } }, + { + "id": "b65629c0-4dde-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-12T21:29:12.540Z", + "version": "WzEyODUsMV0=", + "attributes": { + "title": "EtherNet/IP - Status", + "visState": "{\"title\":\"EtherNet/IP - Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Status\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "dbcc6540-eb99-11e9-a384-0fcf32210194" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "4c265380-eb97-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzNiwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4OCwxXQ==", "attributes": { "title": "Common Industrial Protocol - Logs", "description": "", @@ -398,8 +430,8 @@ { "id": "c0c732e0-eb97-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzNywxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI4OSwxXQ==", "attributes": { "title": "EtherNet/IP List Identity - Logs", "description": "", @@ -437,8 +469,8 @@ { "id": "7009cbb0-eb97-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:16.354Z", - "version": "WzEzOCwxXQ==", + "updated_at": "2020-02-12T15:00:16.963Z", + "version": "WzI5MCwxXQ==", "attributes": { "title": "EtherNet/IP - Logs", "description": "", diff --git a/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json index e8ab6848c..17a3da557 100644 --- a/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json +++ b/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "2bec1490-eb94-11e9-a384-0fcf32210194", @@ -10,7 +10,7 @@ "title": "BACnet", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":73,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":73,\"w\":48,\"h\":19,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":25,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":14,\"h\":25,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":25,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":53,\"w\":40,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":20,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":33,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":73,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":73,\"w\":48,\"h\":19,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":25,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":14,\"h\":25,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":25,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":53,\"w\":40,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":20,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":33,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -81,7 +81,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json index 4fe6a2dc5..9b43021bf 100644 --- a/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json +++ b/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "2cf94cd0-ecab-40a5-95a7-8419f3a39cd9", "type": "dashboard", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE2NSwxXQ==", + "updated_at": "2020-02-12T16:29:41.134Z", + "version": "WzkwOSwxXQ==", "attributes": { "title": "DNS", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":44,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"23\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"25\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"26\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":60,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":40,\"w\":20,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":40,\"w\":20,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":12,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":79,\"w\":48,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":12,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":31,\"y\":60,\"w\":17,\"h\":19,\"i\":\"25\"},\"panelIndex\":\"25\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":20,\"w\":12,\"h\":20,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":20,\"w\":12,\"h\":20,\"i\":\"27\"},\"panelIndex\":\"27\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":20,\"w\":16,\"h\":20,\"i\":\"28\"},\"panelIndex\":\"28\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":60,\"w\":31,\"h\":19,\"i\":\"df0ca665-47a8-45ea-b2a1-739badb538dc\"},\"panelIndex\":\"df0ca665-47a8-45ea-b2a1-739badb538dc\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}},\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":97,\"w\":48,\"h\":41,\"i\":\"0b6ca6c5-38c1-4811-b40d-d1cd8229bb1f\"},\"panelIndex\":\"0b6ca6c5-38c1-4811-b40d-d1cd8229bb1f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -51,43 +51,43 @@ }, { "name": "panel_6", - "type": "search", - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" + "type": "visualization", + "id": "2699477d-e158-4174-97ee-e1438fed0fee" }, { "name": "panel_7", "type": "visualization", - "id": "2699477d-e158-4174-97ee-e1438fed0fee" + "id": "AWDG9Qx0xQT5EBNmq3_2" }, { "name": "panel_8", "type": "visualization", - "id": "AWDG9Qx0xQT5EBNmq3_2" + "id": "240930b9-d4ad-40b6-ae9f-f7c64ea9d0f7" }, { "name": "panel_9", "type": "visualization", - "id": "a9504c4e-ac9e-4a43-9499-982f883604b1" + "id": "4b82b26a-3ceb-41a0-b0b5-6fb6e876b1c8" }, { "name": "panel_10", "type": "visualization", - "id": "240930b9-d4ad-40b6-ae9f-f7c64ea9d0f7" + "id": "9d1204c9-7e26-44d3-a9be-eff725bf3f5b" }, { "name": "panel_11", "type": "visualization", - "id": "4b82b26a-3ceb-41a0-b0b5-6fb6e876b1c8" + "id": "7dbb6c65-f197-4237-825c-fd102163a3bf" }, { "name": "panel_12", "type": "visualization", - "id": "9d1204c9-7e26-44d3-a9be-eff725bf3f5b" + "id": "69241a80-421d-11ea-9084-41ab7c5fff2e" }, { "name": "panel_13", - "type": "visualization", - "id": "7dbb6c65-f197-4237-825c-fd102163a3bf" + "type": "search", + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" } ], "migrationVersion": { @@ -97,11 +97,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -117,8 +117,8 @@ { "id": "a3d7ae56-264b-4e8f-9c45-242bff74179d", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyNSwxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcyMywxXQ==", "attributes": { "title": "DNS - Server", "visState": "{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", @@ -144,8 +144,8 @@ { "id": "6d4ea29d-53c8-472b-acc3-c9257a7f0e91", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE1MywxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMyMCwxXQ==", "attributes": { "visState": "{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}", "description": "", @@ -171,11 +171,11 @@ { "id": "727d7b36-4153-4c51-b723-2700a3c815f1", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxOSwxXQ==", + "updated_at": "2020-02-12T16:19:22.378Z", + "version": "Wzg5NiwxXQ==", "attributes": { "title": "DNS - Query Class", - "visState": "{\"title\":\"DNS - Query Class\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dns.qclass_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}", + "visState": "{\"title\":\"DNS - Query Class\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Query Class\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dns.qclass_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Class\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -186,8 +186,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" } ], @@ -198,8 +198,8 @@ { "id": "8a3a0bd6-555d-45c6-bf3d-d2b8598e9926", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxMywxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcxMSwxXQ==", "attributes": { "visState": "{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}", "description": "", @@ -225,8 +225,8 @@ { "id": "adb769dc-8ac5-46fa-abb3-d16c638d8279", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE1NiwxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMyMywxXQ==", "attributes": { "visState": "{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -249,50 +249,11 @@ "visualization": "7.4.2" } }, - { - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "DNS - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "2699477d-e158-4174-97ee-e1438fed0fee", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE1OCwxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMyNSwxXQ==", "attributes": { "visState": "{\"title\":\"DNS - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}", "description": "", @@ -318,8 +279,8 @@ { "id": "AWDG9Qx0xQT5EBNmq3_2", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE1OSwxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMyNiwxXQ==", "attributes": { "title": "DNS - Log Count", "visState": "{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -343,13 +304,13 @@ } }, { - "id": "a9504c4e-ac9e-4a43-9499-982f883604b1", + "id": "240930b9-d4ad-40b6-ae9f-f7c64ea9d0f7", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE2MCwxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMyOCwxXQ==", "attributes": { - "title": "DNS - Queries", - "visState": "{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}", + "title": "DNS - Answers", + "visState": "{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -370,13 +331,13 @@ } }, { - "id": "240930b9-d4ad-40b6-ae9f-f7c64ea9d0f7", + "id": "4b82b26a-3ceb-41a0-b0b5-6fb6e876b1c8", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE2MSwxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMyOSwxXQ==", "attributes": { - "title": "DNS - Answers", - "visState": "{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}", + "title": "DNS - Response Code (Name)", + "visState": "{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.rcode_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -397,13 +358,13 @@ } }, { - "id": "4b82b26a-3ceb-41a0-b0b5-6fb6e876b1c8", + "id": "9d1204c9-7e26-44d3-a9be-eff725bf3f5b", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE2MiwxXQ==", + "updated_at": "2020-02-12T15:00:19.037Z", + "version": "WzMzMCwxXQ==", "attributes": { - "title": "DNS - Response Code (Name)", - "visState": "{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.rcode_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}", + "title": "DNS - Query Type", + "visState": "{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.qtype_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -424,14 +385,14 @@ } }, { - "id": "9d1204c9-7e26-44d3-a9be-eff725bf3f5b", + "id": "7dbb6c65-f197-4237-825c-fd102163a3bf", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE2MywxXQ==", + "updated_at": "2020-02-12T16:18:56.439Z", + "version": "Wzg5NSwxXQ==", "attributes": { - "title": "DNS - Query Type", - "visState": "{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.qtype_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "title": "DNS - Protocol", + "visState": "{\"title\":\"DNS - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -441,8 +402,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" } ], @@ -451,31 +412,69 @@ } }, { - "id": "7dbb6c65-f197-4237-825c-fd102163a3bf", + "id": "69241a80-421d-11ea-9084-41ab7c5fff2e", "type": "visualization", - "updated_at": "2019-12-18T16:20:18.416Z", - "version": "WzE2NCwxXQ==", + "updated_at": "2020-02-12T15:00:43.723Z", + "version": "WzU3OSwxXQ==", "attributes": { - "title": "DNS - Protocol", - "visState": "{\"title\":\"DNS - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}", - "uiStateJSON": "{}", + "title": "DNS Queries by Randomness", + "visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", + "type": "search", + "updated_at": "2020-02-12T16:25:47.761Z", + "version": "WzkwMywxXQ==", + "attributes": { + "title": "DNS - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_dns.query", + "zeek_dns.answers", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json index 86f1a27ff..cf817918d 100644 --- a/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json +++ b/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "2d98bb8e-214c-4374-837b-20e1bcd63a5e", "type": "dashboard", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE3NCwxXQ==", + "updated_at": "2020-02-12T16:15:28.816Z", + "version": "Wzg5MiwxXQ==", "attributes": { "title": "DHCP", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":60,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":24,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"x\":22,\"y\":36,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":36,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":36,\"y\":36,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":28,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":49,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":28,\"w\":14,\"h\":21,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":28,\"w\":14,\"h\":21,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":28,\"w\":12,\"h\":21,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":32,\"i\":\"6c78964f-d1c8-4790-bda7-8802a7ea8986\"},\"panelIndex\":\"6c78964f-d1c8-4790-bda7-8802a7ea8986\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,33 +31,33 @@ }, { "name": "panel_2", - "type": "search", - "id": "20ff62a1-06d6-4738-b611-945628d80305" + "type": "visualization", + "id": "82fff513-b971-452e-a0fb-492c3091b771" }, { "name": "panel_3", "type": "visualization", - "id": "82fff513-b971-452e-a0fb-492c3091b771" + "id": "78b8c460-7dc9-4b76-9bc4-ea831c0d7802" }, { "name": "panel_4", "type": "visualization", - "id": "78b8c460-7dc9-4b76-9bc4-ea831c0d7802" + "id": "23975603-24ed-40f6-bb45-0780f4645d92" }, { "name": "panel_5", "type": "visualization", - "id": "23975603-24ed-40f6-bb45-0780f4645d92" + "id": "AWDG80RwxQT5EBNmq38x" }, { "name": "panel_6", "type": "visualization", - "id": "AWDG80RwxQT5EBNmq38x" + "id": "1d178ca4-f067-4f46-bbc7-777a3fd69d47" }, { "name": "panel_7", - "type": "visualization", - "id": "1d178ca4-f067-4f46-bbc7-777a3fd69d47" + "type": "search", + "id": "20ff62a1-06d6-4738-b611-945628d80305" } ], "migrationVersion": { @@ -67,8 +67,8 @@ { "id": "1c337cf4-8030-4760-9828-7c0f5305c5bb", "type": "visualization", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE2NiwxXQ==", + "updated_at": "2020-02-12T15:00:20.062Z", + "version": "WzMzMywxXQ==", "attributes": { "visState": "{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -94,11 +94,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -111,50 +111,11 @@ "visualization": "7.4.2" } }, - { - "id": "20ff62a1-06d6-4738-b611-945628d80305", - "type": "search", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE2OCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "DHCP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:dhcp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "82fff513-b971-452e-a0fb-492c3091b771", "type": "visualization", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE2OSwxXQ==", + "updated_at": "2020-02-12T15:00:20.062Z", + "version": "WzMzNiwxXQ==", "attributes": { "visState": "{\"title\":\"DHCP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -180,8 +141,8 @@ { "id": "78b8c460-7dc9-4b76-9bc4-ea831c0d7802", "type": "visualization", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE3MCwxXQ==", + "updated_at": "2020-02-12T15:00:20.062Z", + "version": "WzMzNywxXQ==", "attributes": { "visState": "{\"title\":\"DHCP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -207,8 +168,8 @@ { "id": "23975603-24ed-40f6-bb45-0780f4645d92", "type": "visualization", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE3MSwxXQ==", + "updated_at": "2020-02-12T15:00:20.062Z", + "version": "WzMzOCwxXQ==", "attributes": { "visState": "{\"title\":\"DHCP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -234,8 +195,8 @@ { "id": "AWDG80RwxQT5EBNmq38x", "type": "visualization", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE3MiwxXQ==", + "updated_at": "2020-02-12T15:00:20.062Z", + "version": "WzMzOSwxXQ==", "attributes": { "title": "DHCP - Log Count", "visState": "{\"title\":\"DHCP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -261,8 +222,8 @@ { "id": "1d178ca4-f067-4f46-bbc7-777a3fd69d47", "type": "visualization", - "updated_at": "2019-12-18T16:20:19.440Z", - "version": "WzE3MywxXQ==", + "updated_at": "2020-02-12T15:00:20.062Z", + "version": "WzM0MCwxXQ==", "attributes": { "title": "DHCP - IP to MAC Assignment", "visState": "{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.assigned_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", @@ -284,6 +245,46 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "20ff62a1-06d6-4738-b611-945628d80305", + "type": "search", + "updated_at": "2020-02-12T16:14:50.059Z", + "version": "Wzg5MSwxXQ==", + "attributes": { + "title": "DHCP - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_dhcp.mac", + "zeek_dhcp.assigned_ip", + "dstIp", + "zeek_dhcp.host_name", + "zeek_dhcp.domain", + "zeek_dhcp.msg_types", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dhcp\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json index 77bb347ea..8bb872f9b 100644 --- a/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json +++ b/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "32587740-ef88-11e9-b38a-2db3ee640e88", @@ -10,7 +10,7 @@ "title": "Tabular Data Stream - RPC", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":48,\"h\":29,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":19,\"i\":\"7\"},\"version\":\"7.5.1\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":48,\"h\":29,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":19,\"i\":\"7\"},\"version\":\"7.6.2\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -66,7 +66,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json index 3f1afddfc..2704a75fb 100644 --- a/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json +++ b/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "36ed695f-edcc-47c1-b0ec-50d20c93ce0f", @@ -10,7 +10,7 @@ "title": "Intel", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"zeek_intel.fuid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]", + "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"zeek.fuid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -96,7 +96,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -349,7 +349,7 @@ "dstIp", "dstPort", "zeek.uid", - "zeek_intel.fuid", + "zeek.fuid", "_id" ] }, diff --git a/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json index 85e63de5f..4f69a93fe 100644 --- a/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json +++ b/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "37041ee1-79c0-4684-a436-3173b0e89876", "type": "dashboard", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIxMiwxXQ==", + "updated_at": "2020-02-12T17:05:15.892Z", + "version": "WzkzNiwxXQ==", "attributes": { "title": "HTTP", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek_http.resp_fuids\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"19\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"20\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"23\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"24\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":58,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":19,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":90,\"w\":24,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":90,\"w\":24,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":130,\"w\":48,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":58,\"w\":24,\"h\":20,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":58,\"w\":24,\"h\":20,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":110,\"w\":48,\"h\":20,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":150,\"w\":48,\"h\":22,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":78,\"w\":48,\"h\":12,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":19,\"w\":20,\"h\":20,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":19,\"w\":20,\"h\":20,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":7,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":39,\"w\":40,\"h\":19,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":12,\"i\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\"},\"panelIndex\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":172,\"w\":48,\"h\":42,\"i\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\"},\"panelIndex\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -46,53 +46,58 @@ }, { "name": "panel_5", - "type": "search", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" + "type": "visualization", + "id": "2c18f5be-4023-40fb-8de6-7b490045520b" }, { "name": "panel_6", "type": "visualization", - "id": "2c18f5be-4023-40fb-8de6-7b490045520b" + "id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa" }, { "name": "panel_7", "type": "visualization", - "id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa" + "id": "3c7d9915-8fea-4423-82b6-44499820de71" }, { "name": "panel_8", "type": "visualization", - "id": "3c7d9915-8fea-4423-82b6-44499820de71" + "id": "30bb6fc3-d33e-4aaf-b805-b8e10008e98b" }, { "name": "panel_9", "type": "visualization", - "id": "30bb6fc3-d33e-4aaf-b805-b8e10008e98b" + "id": "e22ccafa-aad2-4897-8a15-ca114f31464c" }, { "name": "panel_10", "type": "visualization", - "id": "e22ccafa-aad2-4897-8a15-ca114f31464c" + "id": "a6cacf2a-7cf5-4991-be10-474429651b51" }, { "name": "panel_11", "type": "visualization", - "id": "a6cacf2a-7cf5-4991-be10-474429651b51" + "id": "054326f5-92f3-4202-a7cf-cc0d3eb92ad4" }, { "name": "panel_12", "type": "visualization", - "id": "054326f5-92f3-4202-a7cf-cc0d3eb92ad4" + "id": "AWDG97t7xQT5EBNmq4E1" }, { "name": "panel_13", "type": "visualization", - "id": "AWDG97t7xQT5EBNmq4E1" + "id": "eedbcaaf-1713-4ec2-acbd-b1e32a34579a" }, { "name": "panel_14", "type": "visualization", - "id": "eedbcaaf-1713-4ec2-acbd-b1e32a34579a" + "id": "aa4a78f0-4db8-11ea-8336-d3388483188b" + }, + { + "name": "panel_15", + "type": "search", + "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" } ], "migrationVersion": { @@ -102,11 +107,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -122,13 +127,13 @@ { "id": "3b8fee79-8f9d-450a-8362-024c84656efb", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzE5OCwxXQ==", + "updated_at": "2020-02-12T16:59:25.302Z", + "version": "WzkzMSwxXQ==", "attributes": { - "visState": "{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", - "description": "", - "title": "HTTP - Log Count Over Time", + "title": "HTTP - Status Over Time", + "visState": "{\"title\":\"HTTP - Status Over Time\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T16:47:29.688Z\",\"max\":\"2020-02-12T16:47:29.689Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Status Code\",\"aggType\":\"terms\"}]},\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"labels\":{},\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_http.status_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status Code\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -137,8 +142,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" } ], @@ -149,8 +154,8 @@ { "id": "c3c266ad-58c5-45f4-a463-180b531bd96e", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNiwxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcxNCwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", "description": "", @@ -176,8 +181,8 @@ { "id": "be7d9516-7555-407f-9971-0394c7e822e4", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNywxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcxNSwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", "description": "", @@ -202,8 +207,8 @@ { "id": "9197cd63-7fe4-4c87-8fab-f7eaa8ca6252", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIwMSwxXQ==", + "updated_at": "2020-02-12T15:00:23.157Z", + "version": "WzM2OCwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", "description": "", @@ -226,50 +231,11 @@ "visualization": "7.4.2" } }, - { - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "HTTP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "dstIp", - "dstPort", - "zeek_http.resp_fuids", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "2c18f5be-4023-40fb-8de6-7b490045520b", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNCwxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcxMiwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -295,8 +261,8 @@ { "id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNSwxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcxMywxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -322,8 +288,8 @@ { "id": "3c7d9915-8fea-4423-82b6-44499820de71", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIwNSwxXQ==", + "updated_at": "2020-02-12T15:00:23.157Z", + "version": "WzM3MiwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", "description": "", @@ -349,8 +315,8 @@ { "id": "30bb6fc3-d33e-4aaf-b805-b8e10008e98b", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIwNiwxXQ==", + "updated_at": "2020-02-12T15:00:23.157Z", + "version": "WzM3MywxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.referrer\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", @@ -376,8 +342,8 @@ { "id": "e22ccafa-aad2-4897-8a15-ca114f31464c", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMiwxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcyMCwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - MIME Type\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_http.resp_mime_types\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", "description": "", @@ -403,8 +369,8 @@ { "id": "a6cacf2a-7cf5-4991-be10-474429651b51", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMywxXQ==", + "updated_at": "2020-02-12T15:00:56.057Z", + "version": "WzcyMSwxXQ==", "attributes": { "title": "HTTP - Destination Port", "visState": "{\"title\":\"HTTP - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}", @@ -430,8 +396,8 @@ { "id": "054326f5-92f3-4202-a7cf-cc0d3eb92ad4", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIwOSwxXQ==", + "updated_at": "2020-02-12T15:00:23.157Z", + "version": "WzM3NiwxXQ==", "attributes": { "title": "HTTP - Destination Country", "visState": "{\"title\":\"HTTP - Destination Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":false,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}", @@ -457,8 +423,8 @@ { "id": "AWDG97t7xQT5EBNmq4E1", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIxMCwxXQ==", + "updated_at": "2020-02-12T15:00:23.157Z", + "version": "WzM3NywxXQ==", "attributes": { "title": "HTTP - Log Count", "visState": "{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -484,8 +450,8 @@ { "id": "eedbcaaf-1713-4ec2-acbd-b1e32a34579a", "type": "visualization", - "updated_at": "2019-12-18T16:20:22.627Z", - "version": "WzIxMSwxXQ==", + "updated_at": "2020-02-12T15:00:23.157Z", + "version": "WzM3OCwxXQ==", "attributes": { "title": "HTTP - Status and Method", "visState": "{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.status_msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}", @@ -507,6 +473,73 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "aa4a78f0-4db8-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-12T16:57:54.485Z", + "version": "WzkyOSwxXQ==", + "attributes": { + "title": "HTTP - Unique Usernames and Passwords", + "visState": "{\"title\":\"HTTP - Unique Usernames and Passwords\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}},{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.user\",\"customLabel\":\"Unique Usernames\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.password\",\"customLabel\":\"Unique Cleartext Passwords\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381", + "type": "search", + "updated_at": "2020-02-12T17:03:57.675Z", + "version": "WzkzNSwxXQ==", + "attributes": { + "title": "HTTP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_http.host", + "zeek_http.status_msg", + "zeek.uid", + "zeek.fuid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:http\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json index a035eaa8d..c35f56924 100644 --- a/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "39abfe30-3f99-11e9-a58e-8bdedb0915e8", "type": "dashboard", - "updated_at": "2019-12-18T16:20:23.645Z", - "version": "WzIxNiwxXQ==", + "updated_at": "2020-02-13T15:37:58.499Z", + "version": "WzkzNywxXQ==", "attributes": { "title": "Connections - Source - Top Connection Duration (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"2ed3d708-31cc-4504-87da-63a315c76e76\"},\"panelIndex\":\"2ed3d708-31cc-4504-87da-63a315c76e76\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"35ff09b6-1039-4b4e-9469-296245630598\"},\"panelIndex\":\"35ff09b6-1039-4b4e-9469-296245630598\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "af00a490-3f96-11e9-a58e-8bdedb0915e8" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,12 +67,12 @@ { "id": "af00a490-3f96-11e9-a58e-8bdedb0915e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:23.645Z", - "version": "WzIxNCwxXQ==", + "updated_at": "2020-02-13T14:47:44.795Z", + "version": "Wzg3NCwxXQ==", "attributes": { "title": "Connections - Source - Top Connection Duration (region map)", - "visState": "{\"title\":\"Connections - Source - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", - "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", + "visState": "{\"title\":\"Connections - Source - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "uiStateJSON": "{\"mapCenter\":[37.17328344112096,15.644531250000002],\"mapZoom\":3}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -72,8 +82,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json index 15d8430fb..5666edf9c 100644 --- a/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json +++ b/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json @@ -1,131 +1,102 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "42e831b9-41a9-4f35-8b7d-e1566d368773", "type": "dashboard", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyOCwxXQ==", + "updated_at": "2020-02-13T19:57:16.243Z", + "version": "Wzg2OCwxXQ==", "attributes": { "title": "SMB", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":13,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":21,\"y\":13,\"w\":12,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":32,\"w\":20,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":32,\"w\":20,\"h\":19,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":13,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":32,\"w\":8,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":13,\"w\":13,\"h\":19,\"i\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\"},\"panelIndex\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":33,\"y\":13,\"w\":15,\"h\":19,\"i\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\"},\"panelIndex\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":90,\"w\":48,\"h\":42,\"i\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\"},\"panelIndex\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" } }, "references": [ { "name": "panel_0", - "type": "search", - "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7" + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" }, { "name": "panel_1", "type": "visualization", - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + "id": "c4829cb4-ed05-4154-ab6c-9240f0ea0b04" }, { "name": "panel_2", "type": "visualization", - "id": "c4829cb4-ed05-4154-ab6c-9240f0ea0b04" + "id": "3b82d24e-d3dd-48fa-a539-98a46ccbfd49" }, { "name": "panel_3", "type": "visualization", - "id": "3b82d24e-d3dd-48fa-a539-98a46ccbfd49" + "id": "974779e2-ab49-4fe8-88db-bf5321664f1a" }, { "name": "panel_4", "type": "visualization", - "id": "974779e2-ab49-4fe8-88db-bf5321664f1a" + "id": "3282a033-fff4-41cb-abe6-d896b4a2e03d" }, { "name": "panel_5", "type": "visualization", - "id": "3282a033-fff4-41cb-abe6-d896b4a2e03d" + "id": "02359f84-0114-4d9d-8731-2b6820722e32" }, { "name": "panel_6", "type": "visualization", - "id": "02359f84-0114-4d9d-8731-2b6820722e32" + "id": "c8f1ff18-93e9-4ce9-a188-c947f7dadc05" }, { "name": "panel_7", "type": "visualization", - "id": "c8f1ff18-93e9-4ce9-a188-c947f7dadc05" + "id": "24b9dbff-7362-4982-9ce7-660001594ff9" }, { "name": "panel_8", "type": "visualization", - "id": "24b9dbff-7362-4982-9ce7-660001594ff9" + "id": "AWDHDfDkxQT5EBNmq4fQ" }, { "name": "panel_9", "type": "visualization", - "id": "AWDHDfDkxQT5EBNmq4fQ" + "id": "0fa8205d-717f-4385-a031-d15e5f1b6c08" }, { "name": "panel_10", "type": "visualization", - "id": "0fa8205d-717f-4385-a031-d15e5f1b6c08" - } - ], - "migrationVersion": { - "dashboard": "7.3.0" - } - }, - { - "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7", - "type": "search", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIxNywxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "SMB - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(zeek.logType:smb_mapping OR zeek.logType:smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "id": "b9aaa580-4e9a-11ea-b504-97aa449f6abc" }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" + "name": "panel_11", + "type": "visualization", + "id": "b74e39c0-49ca-11ea-812f-2bc51df4ea1e" + }, + { + "name": "panel_12", + "type": "search", + "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7" } ], "migrationVersion": { - "search": "7.4.0" + "dashboard": "7.3.0" } }, { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T19:05:04.060Z", + "version": "WzgwMCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -141,8 +112,8 @@ { "id": "c4829cb4-ed05-4154-ab6c-9240f0ea0b04", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIxOSwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5MiwxXQ==", "attributes": { "visState": "{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -168,8 +139,8 @@ { "id": "3b82d24e-d3dd-48fa-a539-98a46ccbfd49", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyMCwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5MywxXQ==", "attributes": { "visState": "{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -195,8 +166,8 @@ { "id": "974779e2-ab49-4fe8-88db-bf5321664f1a", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyMSwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5NCwxXQ==", "attributes": { "visState": "{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -222,12 +193,12 @@ { "id": "3282a033-fff4-41cb-abe6-d896b4a2e03d", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyMiwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5NSwxXQ==", "attributes": { - "title": "SMB - Action", - "visState": "{\"title\":\"SMB - Action\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smb_files.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", + "title": "SMB - Version", + "visState": "{\"title\":\"SMB - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SMB Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -237,8 +208,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7" } ], @@ -249,8 +220,8 @@ { "id": "02359f84-0114-4d9d-8731-2b6820722e32", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyMywxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5NiwxXQ==", "attributes": { "visState": "{\"title\":\"SMB - File Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}", "description": "", @@ -276,8 +247,8 @@ { "id": "c8f1ff18-93e9-4ce9-a188-c947f7dadc05", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyNCwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5NywxXQ==", "attributes": { "visState": "{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}", "description": "", @@ -303,10 +274,10 @@ { "id": "24b9dbff-7362-4982-9ce7-660001594ff9", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyNSwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5OCwxXQ==", "attributes": { - "visState": "{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", "description": "", "title": "SMB - File/Path Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", @@ -330,11 +301,11 @@ { "id": "AWDHDfDkxQT5EBNmq4fQ", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyNiwxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzM5OSwxXQ==", "attributes": { "title": "SMB - Log Count", - "visState": "{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", "version": 1, @@ -345,8 +316,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7" } ], @@ -357,11 +328,11 @@ { "id": "0fa8205d-717f-4385-a031-d15e5f1b6c08", "type": "visualization", - "updated_at": "2019-12-18T16:20:24.676Z", - "version": "WzIyNywxXQ==", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzQwMCwxXQ==", "attributes": { "title": "SMB - Destination Port", - "visState": "{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}", + "visState": "{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -372,14 +343,146 @@ }, "references": [ { + "name": "search_0", "type": "search", + "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "b9aaa580-4e9a-11ea-b504-97aa449f6abc", + "type": "visualization", + "updated_at": "2020-02-13T19:55:03.507Z", + "version": "Wzg2NCwxXQ==", + "attributes": { + "title": "SMB - Relevant Notices", + "visState": "{\"title\":\"SMB - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(EternalSafety OR SMB OR ATTACK)\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { "name": "search_0", + "type": "search", + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "b74e39c0-49ca-11ea-812f-2bc51df4ea1e", + "type": "visualization", + "updated_at": "2020-02-13T19:56:04.804Z", + "version": "Wzg2NiwxXQ==", + "attributes": { + "title": "SMB Action", + "visState": "{\"title\":\"SMB Action\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek.action: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7", + "type": "search", + "updated_at": "2020-02-13T19:04:25.042Z", + "version": "WzQwMiwxXQ==", + "attributes": { + "title": "SMB - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.logType", + "srcIp", + "dstIp", + "dstPort", + "zeek.service_version", + "zeek.action", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:smb*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c", + "type": "search", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3NiwxXQ==", + "attributes": { + "title": "Notices - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_notice.category", + "zeek_notice.sub_category", + "srcIp", + "dstIp", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json index 15a302270..1d6ebd658 100644 --- a/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json +++ b/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json @@ -1,136 +1,97 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "432af556-c5c0-4cc3-8166-b274b4e3a406", "type": "dashboard", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzI0MSwxXQ==", + "updated_at": "2020-02-12T16:06:03.870Z", + "version": "Wzg4MCwxXQ==", "attributes": { "title": "DCE/RPC", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":28,\"w\":20,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":28,\"w\":20,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":21,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":21,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":69,\"w\":24,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":69,\"w\":24,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":90,\"w\":48,\"h\":41,\"i\":\"b3cbd28a-4659-4e23-bf69-106fad9d565c\"},\"panelIndex\":\"b3cbd28a-4659-4e23-bf69-106fad9d565c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ { "name": "panel_0", - "type": "search", - "id": "bc940221-83d5-416e-a353-dc8fc2f84141" - }, - { - "name": "panel_1", "type": "visualization", "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" }, { - "name": "panel_2", + "name": "panel_1", "type": "visualization", "id": "64e82156-689a-41fc-974f-efe021d73dc0" }, { - "name": "panel_3", + "name": "panel_2", "type": "visualization", "id": "ea6fd4c1-04f0-450a-9b4b-ecb9db0117dc" }, { - "name": "panel_4", + "name": "panel_3", "type": "visualization", "id": "6f4a3352-abb1-4a5e-8665-ab86954aed7d" }, { - "name": "panel_5", + "name": "panel_4", "type": "visualization", "id": "8d57876a-ee4d-4843-8148-9ac644ce5b45" }, { - "name": "panel_6", + "name": "panel_5", "type": "visualization", "id": "d3858962-fc17-4d6f-b933-e94f7ffc9ae3" }, { - "name": "panel_7", + "name": "panel_6", "type": "visualization", "id": "52727beb-0e12-4ee5-a3d4-eebd93ee2dd3" }, { - "name": "panel_8", + "name": "panel_7", "type": "visualization", "id": "b57e74bf-8024-44cd-b755-7d73e19588c2" }, { - "name": "panel_9", + "name": "panel_8", "type": "visualization", "id": "AWDG8k4OxQT5EBNmq37a" }, { - "name": "panel_10", + "name": "panel_9", "type": "visualization", "id": "30c677f4-d593-440c-b420-56532602853b" }, { - "name": "panel_11", + "name": "panel_10", "type": "visualization", "id": "6b6bcbc1-6753-409f-86dd-f552195ccf03" - } - ], - "migrationVersion": { - "dashboard": "7.3.0" - } - }, - { - "id": "bc940221-83d5-416e-a353-dc8fc2f84141", - "type": "search", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIyOSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "DCE/RPC - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" + "name": "panel_11", + "type": "search", + "id": "bc940221-83d5-416e-a353-dc8fc2f84141" } ], "migrationVersion": { - "search": "7.4.0" + "dashboard": "7.3.0" } }, { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -146,8 +107,8 @@ { "id": "64e82156-689a-41fc-974f-efe021d73dc0", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzMSwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzM5OSwxXQ==", "attributes": { "visState": "{\"title\":\"DCE/RPC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -173,8 +134,8 @@ { "id": "ea6fd4c1-04f0-450a-9b4b-ecb9db0117dc", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzMiwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwMCwxXQ==", "attributes": { "visState": "{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -200,8 +161,8 @@ { "id": "6f4a3352-abb1-4a5e-8665-ab86954aed7d", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzMywxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwMSwxXQ==", "attributes": { "visState": "{\"title\":\"DCE/RPC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -227,8 +188,8 @@ { "id": "8d57876a-ee4d-4843-8148-9ac644ce5b45", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzNCwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwMiwxXQ==", "attributes": { "visState": "{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}", "description": "", @@ -254,8 +215,8 @@ { "id": "d3858962-fc17-4d6f-b933-e94f7ffc9ae3", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzNSwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwMywxXQ==", "attributes": { "visState": "{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}", "description": "", @@ -281,8 +242,8 @@ { "id": "52727beb-0e12-4ee5-a3d4-eebd93ee2dd3", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzNiwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwNCwxXQ==", "attributes": { "visState": "{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}", "description": "", @@ -308,8 +269,8 @@ { "id": "b57e74bf-8024-44cd-b755-7d73e19588c2", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzNywxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwNSwxXQ==", "attributes": { "title": "DCE/RPC - Round Trip Time", "visState": "{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}", @@ -335,8 +296,8 @@ { "id": "AWDG8k4OxQT5EBNmq37a", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzOCwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwNiwxXQ==", "attributes": { "title": "DCE/RPC - Log Count", "visState": "{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -362,8 +323,8 @@ { "id": "30c677f4-d593-440c-b420-56532602853b", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzIzOSwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwNywxXQ==", "attributes": { "title": "DCE/RPC - Destination Port", "visState": "{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}", @@ -389,8 +350,8 @@ { "id": "6b6bcbc1-6753-409f-86dd-f552195ccf03", "type": "visualization", - "updated_at": "2019-12-18T16:20:25.704Z", - "version": "WzI0MCwxXQ==", + "updated_at": "2020-02-12T15:00:26.285Z", + "version": "WzQwOCwxXQ==", "attributes": { "title": "DCE/RPC - Summary", "visState": "{\"title\":\"DCE/RPC - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}", @@ -412,6 +373,46 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "bc940221-83d5-416e-a353-dc8fc2f84141", + "type": "search", + "updated_at": "2020-02-12T16:05:11.823Z", + "version": "Wzg3OCwxXQ==", + "attributes": { + "title": "DCE/RPC - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek_dce_rpc.operation", + "zeek_dce_rpc.endpoint", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:dce_rpc\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json new file mode 100644 index 000000000..5bbed629a --- /dev/null +++ b/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json @@ -0,0 +1,465 @@ +{ + "version": "7.6.2", + "objects": [ + { + "id": "4a4bde20-4760-11ea-949c-bbb5a9feecbf", + "type": "dashboard", + "updated_at": "2020-02-07T16:34:48.441Z", + "version": "WzgxNCwxXQ==", + "attributes": { + "title": "ICS/IoT Security Overview", + "hits": 0, + "description": "", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":34,\"i\":\"02fde066-221d-4262-ae35-742f7bb8933c\"},\"panelIndex\":\"02fde066-221d-4262-ae35-742f7bb8933c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":16,\"i\":\"d94eb348-e32a-4aa9-a987-4c5b39b4b08a\"},\"panelIndex\":\"d94eb348-e32a-4aa9-a987-4c5b39b4b08a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":16,\"w\":32,\"h\":18,\"i\":\"ed7f0280-cb4d-4c30-95e0-e160269de2fb\"},\"panelIndex\":\"ed7f0280-cb4d-4c30-95e0-e160269de2fb\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":11,\"i\":\"7077f7b2-0f10-4d3d-ad63-9611144c1edb\"},\"panelIndex\":\"7077f7b2-0f10-4d3d-ad63-9611144c1edb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":34,\"w\":16,\"h\":18,\"i\":\"f339fb9a-7660-4b97-9245-14116c969ec9\"},\"panelIndex\":\"f339fb9a-7660-4b97-9245-14116c969ec9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":34,\"w\":20,\"h\":37,\"i\":\"ab1a666c-19f2-4954-81b7-18554a95818f\"},\"panelIndex\":\"ab1a666c-19f2-4954-81b7-18554a95818f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":34,\"w\":12,\"h\":18,\"i\":\"a56f7751-0030-44e1-8e62-3fb1018f4a7e\"},\"panelIndex\":\"a56f7751-0030-44e1-8e62-3fb1018f4a7e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":52,\"w\":16,\"h\":19,\"i\":\"218c8873-ec71-4a2c-9c8d-5fa62afa2de1\"},\"panelIndex\":\"218c8873-ec71-4a2c-9c8d-5fa62afa2de1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":52,\"w\":12,\"h\":19,\"i\":\"14a8b2bb-ca81-42a5-90aa-e70b5bd81d89\"},\"panelIndex\":\"14a8b2bb-ca81-42a5-90aa-e70b5bd81d89\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":27,\"i\":\"26e11cb0-ce55-4980-9fba-be104eda38a7\"},\"panelIndex\":\"26e11cb0-ce55-4980-9fba-be104eda38a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "31e06210-4761-11ea-949c-bbb5a9feecbf" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "b614fcd0-4761-11ea-949c-bbb5a9feecbf" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "71d832b0-4763-11ea-949c-bbb5a9feecbf" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "adc09360-49c7-11ea-812f-2bc51df4ea1e" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "f17fab90-4760-11ea-949c-bbb5a9feecbf" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "0db533e0-47a0-11ea-86b0-e3b81eb90684" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "60e83820-4762-11ea-949c-bbb5a9feecbf" + }, + { + "name": "panel_8", + "type": "visualization", + "id": "1c681a40-47a2-11ea-86b0-e3b81eb90684" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "8253ab70-4762-11ea-949c-bbb5a9feecbf" + }, + { + "name": "panel_10", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "dashboard": "7.3.0" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2020-02-07T16:19:05.328Z", + "version": "Wzc5NCwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "31e06210-4761-11ea-949c-bbb5a9feecbf", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxMCwxXQ==", + "attributes": { + "title": "ICS/IoT Log Counts", + "visState": "{\"title\":\"ICS/IoT Log Counts\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "b614fcd0-4761-11ea-949c-bbb5a9feecbf", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxMSwxXQ==", + "attributes": { + "title": "ICS/IoT Traffic Over Time", + "visState": "{\"title\":\"ICS/IoT Traffic Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-04T15:18:33.141Z\",\"max\":\"2020-02-04T15:18:33.141Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "71d832b0-4763-11ea-949c-bbb5a9feecbf", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxMiwxXQ==", + "attributes": { + "title": "ICS/IoT External Traffic", + "visState": "{\"title\":\"ICS/IoT External Traffic\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Destination Country\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":499,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Country\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Destination Country\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Country\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "adc09360-49c7-11ea-812f-2bc51df4ea1e", + "type": "visualization", + "updated_at": "2020-02-07T16:34:15.061Z", + "version": "WzgxMywxXQ==", + "attributes": { + "title": "Network Layer", + "visState": "{\"title\":\"Network Layer\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Layer\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "f17fab90-4760-11ea-949c-bbb5a9feecbf", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxNCwxXQ==", + "attributes": { + "title": "ICS/IoT Actions", + "visState": "{\"title\":\"ICS/IoT Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "0db533e0-47a0-11ea-86b0-e3b81eb90684", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxNSwxXQ==", + "attributes": { + "title": "Non-ICS/IoT Protocols Observed", + "visState": "{\"title\":\"Non-ICS/IoT Protocols Observed\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":true,\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek.service:(bacnet OR cip OR dnp3* OR enip OR cotp OR modbus OR mqtt OR profinet* OR s7comm)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "60e83820-4762-11ea-949c-bbb5a9feecbf", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxNiwxXQ==", + "attributes": { + "title": "ICS/IoT Source IP", + "visState": "{\"title\":\"ICS/IoT Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "1c681a40-47a2-11ea-86b0-e3b81eb90684", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxNywxXQ==", + "attributes": { + "title": "File Types by Transport", + "visState": "{\"title\":\"File Types by Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "0aca5333-3b1c-4cda-afb4-f7dd86910459" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "8253ab70-4762-11ea-949c-bbb5a9feecbf", + "type": "visualization", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxOCwxXQ==", + "attributes": { + "title": "ICS/IoT Destination IP", + "visState": "{\"title\":\"ICS/IoT Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf", + "type": "search", + "updated_at": "2020-02-07T16:18:27.234Z", + "version": "WzQxOSwxXQ==", + "attributes": { + "title": "ICS/IoT Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek.action", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(bacnet OR cip OR dnp3 OR enip* OR iso_cotp OR *modbus* OR mqtt* OR profinet* OR s7comm)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", + "type": "search", + "updated_at": "2020-02-12T22:48:55.398Z", + "version": "WzgwMiwxXQ==", + "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "0aca5333-3b1c-4cda-afb4-f7dd86910459", + "type": "search", + "updated_at": "2020-02-07T16:18:44.769Z", + "version": "WzU4NywxXQ==", + "attributes": { + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "hits": 0, + "description": "", + "title": "Files - Logs", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "columns": [ + "zeek_files.tx_hosts", + "dstIp", + "zeek_files.source", + "zeek.uid", + "zeek.fuid", + "_id" + ] + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json index d8e76e6f8..f6334c8ed 100644 --- a/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json +++ b/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "4e5f106e-c60a-4226-8f64-d534abb912ab", "type": "dashboard", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI1MiwxXQ==", + "updated_at": "2020-02-12T19:47:20.532Z", + "version": "WzExNjIsMV0=", "attributes": { "title": "SNMP", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":14,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":27,\"w\":14,\"h\":21,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":14,\"h\":19,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":21,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":8,\"w\":15,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":48,\"w\":48,\"h\":39,\"i\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\"},\"panelIndex\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -51,23 +51,23 @@ }, { "name": "panel_6", - "type": "search", - "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8" + "type": "visualization", + "id": "9d7d51d5-9d5f-4fc1-a0fe-bffa6c7548a9" }, { "name": "panel_7", "type": "visualization", - "id": "9d7d51d5-9d5f-4fc1-a0fe-bffa6c7548a9" + "id": "AWDHD-LfxQT5EBNmq4iB" }, { "name": "panel_8", "type": "visualization", - "id": "AWDHD-LfxQT5EBNmq4iB" + "id": "72341dff-ce1a-4f9c-bf4b-5675409476a1" }, { "name": "panel_9", - "type": "visualization", - "id": "72341dff-ce1a-4f9c-bf4b-5675409476a1" + "type": "search", + "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8" } ], "migrationVersion": { @@ -77,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +97,8 @@ { "id": "96dc7277-2123-4a0d-9311-571a6dd9bb0a", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0MywxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQyNSwxXQ==", "attributes": { "visState": "{\"title\":\"SNMP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -124,8 +124,8 @@ { "id": "272670ef-2b43-45dc-b8ae-c7f2ead10348", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0NCwxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQyNiwxXQ==", "attributes": { "visState": "{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -151,8 +151,8 @@ { "id": "cf0c69f3-7cc6-4c70-a33a-154e77ca547a", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0NSwxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQyNywxXQ==", "attributes": { "visState": "{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -178,8 +178,8 @@ { "id": "f95dd65c-c240-4144-bd27-ff5692843e25", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0NiwxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQyOCwxXQ==", "attributes": { "visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_snmp.duration\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}", "description": "", @@ -205,13 +205,13 @@ { "id": "14a4ae12-fc79-45a8-ad86-2c08a5118e37", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0NywxXQ==", + "updated_at": "2020-02-12T19:43:33.030Z", + "version": "WzExNDksMV0=", "attributes": { - "visState": "{\"title\":\"SNMP - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_snmp.version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", "title": "SNMP - Version", - "uiStateJSON": "{}", + "visState": "{\"title\":\"SNMP - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_snmp.version: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_snmp.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -220,8 +220,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8" } ], @@ -229,50 +229,11 @@ "visualization": "7.4.2" } }, - { - "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8", - "type": "search", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0OCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "SNMP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "9d7d51d5-9d5f-4fc1-a0fe-bffa6c7548a9", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI0OSwxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQzMSwxXQ==", "attributes": { "visState": "{\"title\":\"SNMP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -298,8 +259,8 @@ { "id": "AWDHD-LfxQT5EBNmq4iB", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI1MCwxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQzMiwxXQ==", "attributes": { "title": "SNMP - Log Count", "visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -325,8 +286,8 @@ { "id": "72341dff-ce1a-4f9c-bf4b-5675409476a1", "type": "visualization", - "updated_at": "2019-12-18T16:20:26.725Z", - "version": "WzI1MSwxXQ==", + "updated_at": "2020-02-12T15:00:28.340Z", + "version": "WzQzMywxXQ==", "attributes": { "title": "SNMP - Community String", "visState": "{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_snmp.community\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}", @@ -348,6 +309,45 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8", + "type": "search", + "updated_at": "2020-02-12T19:46:48.081Z", + "version": "WzExNjAsMV0=", + "attributes": { + "title": "SNMP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_snmp.version", + "zeek_snmp.community", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:snmp\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json index 048619661..f8751aa08 100644 --- a/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json +++ b/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "50ced171-1b10-4c3f-8b67-2db9635661a6", "type": "dashboard", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI2MCwxXQ==", + "updated_at": "2020-02-12T17:54:05.240Z", + "version": "Wzk4MiwxXQ==", "attributes": { "title": "MySQL", "hits": 0, "description": "", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":24,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true},\"legendOpen\":false},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":24,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":9,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":15,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":24,\"w\":48,\"h\":32,\"i\":\"04e96790-2a76-4656-956b-bdf780792c40\"},\"panelIndex\":\"04e96790-2a76-4656-956b-bdf780792c40\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":26,\"i\":\"27a5666b-5633-4982-b276-ecafa4a38b74\"},\"panelIndex\":\"27a5666b-5633-4982-b276-ecafa4a38b74\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -32,27 +32,22 @@ { "name": "panel_2", "type": "visualization", - "id": "0229ca49-719d-4668-8fa0-a5b0777be627" + "id": "AWDHBRrrxQT5EBNmq4TI" }, { "name": "panel_3", - "type": "search", - "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a" + "type": "visualization", + "id": "3bfe2a4c-d202-49e0-8ebc-484e542f910f" }, { "name": "panel_4", "type": "visualization", - "id": "AWDHBRrrxQT5EBNmq4TI" + "id": "f82136c0-4dbf-11ea-8336-d3388483188b" }, { "name": "panel_5", - "type": "visualization", - "id": "e2396df9-49c7-445a-bb80-3ff4c1432912" - }, - { - "name": "panel_6", - "type": "visualization", - "id": "3bfe2a4c-d202-49e0-8ebc-484e542f910f" + "type": "search", + "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a" } ], "migrationVersion": { @@ -62,13 +57,13 @@ { "id": "a2e900c8-9dd9-490b-9043-a9b5034424b5", "type": "visualization", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI1MywxXQ==", + "updated_at": "2020-02-12T17:52:54.897Z", + "version": "Wzk4MCwxXQ==", "attributes": { - "visState": "{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", - "description": "", "title": "MySQL - Log Count Over Time", + "visState": "{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T17:52:43.825Z\",\"max\":\"2020-02-12T17:52:43.825Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -77,8 +72,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a" } ], @@ -89,11 +84,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -107,15 +102,15 @@ } }, { - "id": "0229ca49-719d-4668-8fa0-a5b0777be627", + "id": "AWDHBRrrxQT5EBNmq4TI", "type": "visualization", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI1NSwxXQ==", + "updated_at": "2020-02-12T15:00:29.369Z", + "version": "WzQzOSwxXQ==", "attributes": { - "visState": "{\"title\":\"MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.command\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.arg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}", + "title": "MySQL - Log Count", + "visState": "{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "MySQL - Command/Argument", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -134,64 +129,25 @@ } }, { - "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a", - "type": "search", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI1NiwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "MySQL - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "AWDHBRrrxQT5EBNmq4TI", + "id": "3bfe2a4c-d202-49e0-8ebc-484e542f910f", "type": "visualization", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI1NywxXQ==", + "updated_at": "2020-02-12T17:37:49.986Z", + "version": "Wzk2NiwxXQ==", "attributes": { - "title": "MySQL - Log Count", - "visState": "{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "MySQL - Success", + "visState": "{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_mysql.success: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a" } ], @@ -200,25 +156,25 @@ } }, { - "id": "e2396df9-49c7-445a-bb80-3ff4c1432912", + "id": "f82136c0-4dbf-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI1OCwxXQ==", + "updated_at": "2020-02-12T17:50:55.881Z", + "version": "Wzk3OCwxXQ==", "attributes": { - "title": "MySQL - Response", - "visState": "{\"title\":\"MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.response\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "title": "MySQL - Commands", + "visState": "{\"title\":\"MySQL - Commands\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Argument\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Response\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.arg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Argument\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.response\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Response\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Success\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a" } ], @@ -227,30 +183,42 @@ } }, { - "id": "3bfe2a4c-d202-49e0-8ebc-484e542f910f", - "type": "visualization", - "updated_at": "2019-12-18T16:20:27.758Z", - "version": "WzI1OSwxXQ==", + "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a", + "type": "search", + "updated_at": "2020-02-12T17:43:24.227Z", + "version": "Wzk3MCwxXQ==", "attributes": { - "title": "MySQL - Success", - "visState": "{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mysql.success\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", + "title": "MySQL - Logs", "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_mysql.cmd", + "zeek_mysql.success", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - }, - "savedSearchRefName": "search_0" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:mysql\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { - "type": "search", - "name": "search_0", - "id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a" + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" } ], "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" } } ] diff --git a/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json index 7b62e8ebf..4800d81b4 100644 --- a/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json +++ b/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "543118a9-02d7-43fe-b669-b8652177fc37", "type": "dashboard", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI3MywxXQ==", + "updated_at": "2020-02-12T18:02:40.275Z", + "version": "WzEwMDAsMV0=", "attributes": { "title": "NTLM", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":60,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":0,\"y\":84,\"w\":48,\"h\":24,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":28,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":28,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":28,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":16,\"y\":60,\"w\":16,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":60,\"w\":16,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":32,\"y\":60,\"w\":16,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":24,\"h\":24,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":47,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":23,\"w\":16,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":12,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":27,\"w\":12,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":47,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":47,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":24,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":15,\"i\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\"},\"panelIndex\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":40,\"i\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\"},\"panelIndex\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek_ntlm.host\",\"zeek_ntlm.domain\",\"zeek_ntlm.server_nb_computer\",\"zeek_ntlm.server_dns_computer\",\"zeek_ntlm.server_tree\",\"zeek.uid\"]},\"panelRefName\":\"panel_11\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,53 +31,53 @@ }, { "name": "panel_2", - "type": "search", - "id": "40c651a5-3e02-47b4-8d6b-8628a351007c" + "type": "visualization", + "id": "9500b522-519f-4219-8ba3-8f5fa5bc1452" }, { "name": "panel_3", "type": "visualization", - "id": "9500b522-519f-4219-8ba3-8f5fa5bc1452" + "id": "cc045686-66be-4450-8d8a-90927323968d" }, { "name": "panel_4", "type": "visualization", - "id": "cc045686-66be-4450-8d8a-90927323968d" + "id": "9e559bef-866f-4934-b1b5-4db5bf213664" }, { "name": "panel_5", "type": "visualization", - "id": "9e559bef-866f-4934-b1b5-4db5bf213664" + "id": "706e217b-6d5c-4c74-b340-a34c9801e2dc" }, { "name": "panel_6", "type": "visualization", - "id": "706e217b-6d5c-4c74-b340-a34c9801e2dc" + "id": "97f78ed5-c786-4e8d-924e-3c69f09cd79f" }, { "name": "panel_7", "type": "visualization", - "id": "97f78ed5-c786-4e8d-924e-3c69f09cd79f" + "id": "03592efa-6618-4b50-8071-21accd137e30" }, { "name": "panel_8", "type": "visualization", - "id": "03592efa-6618-4b50-8071-21accd137e30" + "id": "AWDHCEx7xQT5EBNmq4Vf" }, { "name": "panel_9", "type": "visualization", - "id": "96ae9f6a-7b69-4bcb-afa8-96c34fb0aa80" + "id": "319e9e0b-b12e-4401-8833-3c62de2df7da" }, { "name": "panel_10", "type": "visualization", - "id": "AWDHCEx7xQT5EBNmq4Vf" + "id": "110b46c0-4dc1-11ea-8336-d3388483188b" }, { "name": "panel_11", - "type": "visualization", - "id": "319e9e0b-b12e-4401-8833-3c62de2df7da" + "type": "search", + "id": "40c651a5-3e02-47b4-8d6b-8628a351007c" } ], "migrationVersion": { @@ -87,11 +87,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -107,8 +107,8 @@ { "id": "7be3afad-a0db-466b-8dd1-3e04d5acea6b", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2MiwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ0NCwxXQ==", "attributes": { "visState": "{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -131,55 +131,16 @@ "visualization": "7.4.2" } }, - { - "id": "40c651a5-3e02-47b4-8d6b-8628a351007c", - "type": "search", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2MywxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "NTLM - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "9500b522-519f-4219-8ba3-8f5fa5bc1452", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2NCwxXQ==", + "updated_at": "2020-02-12T17:58:15.812Z", + "version": "Wzk4NywxXQ==", "attributes": { - "visState": "{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}", - "description": "", "title": "NTLM - Hostname", + "visState": "{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hostname\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -188,8 +149,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "40c651a5-3e02-47b4-8d6b-8628a351007c" } ], @@ -200,8 +161,8 @@ { "id": "cc045686-66be-4450-8d8a-90927323968d", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2NSwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ0NywxXQ==", "attributes": { "visState": "{\"title\":\"NTLM - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}", "description": "", @@ -227,8 +188,8 @@ { "id": "9e559bef-866f-4934-b1b5-4db5bf213664", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2NiwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ0OCwxXQ==", "attributes": { "visState": "{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}", "description": "", @@ -254,8 +215,8 @@ { "id": "706e217b-6d5c-4c74-b340-a34c9801e2dc", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2NywxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ0OSwxXQ==", "attributes": { "visState": "{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -281,8 +242,8 @@ { "id": "97f78ed5-c786-4e8d-924e-3c69f09cd79f", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2OCwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ1MCwxXQ==", "attributes": { "visState": "{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -308,8 +269,8 @@ { "id": "03592efa-6618-4b50-8071-21accd137e30", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI2OSwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ1MSwxXQ==", "attributes": { "visState": "{\"title\":\"NTLM - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -333,15 +294,15 @@ } }, { - "id": "96ae9f6a-7b69-4bcb-afa8-96c34fb0aa80", + "id": "AWDHCEx7xQT5EBNmq4Vf", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI3MCwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ1MywxXQ==", "attributes": { - "visState": "{\"title\":\"NTLM - Status\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Status\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntlm.status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status\"}}],\"listeners\":{}}", + "title": "NTLM - Log Count", + "visState": "{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "NTLM - Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -360,18 +321,18 @@ } }, { - "id": "AWDHCEx7xQT5EBNmq4Vf", + "id": "319e9e0b-b12e-4401-8833-3c62de2df7da", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI3MSwxXQ==", + "updated_at": "2020-02-12T15:00:30.401Z", + "version": "WzQ1NCwxXQ==", "attributes": { - "title": "NTLM - Log Count", - "visState": "{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "NTLM - Hostname to Username", + "visState": "{\"title\":\"NTLM - Hostname to Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" }, "savedSearchRefName": "search_0" }, @@ -387,31 +348,73 @@ } }, { - "id": "319e9e0b-b12e-4401-8833-3c62de2df7da", + "id": "110b46c0-4dc1-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:28.779Z", - "version": "WzI3MiwxXQ==", + "updated_at": "2020-02-12T17:56:59.820Z", + "version": "Wzk4NCwxXQ==", "attributes": { - "title": "NTLM - Hostname to Username", - "visState": "{\"title\":\"NTLM - Hostname to Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "title": "NTLM - Success", + "visState": "{\"title\":\"NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "40c651a5-3e02-47b4-8d6b-8628a351007c" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "40c651a5-3e02-47b4-8d6b-8628a351007c", + "type": "search", + "updated_at": "2020-02-12T18:02:58.042Z", + "version": "WzEwMDIsMV0=", + "attributes": { + "title": "NTLM - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_ntlm.host", + "zeek_ntlm.domain", + "zeek_ntlm.server_nb_computer", + "zeek_ntlm.server_dns_computer", + "zeek_ntlm.server_tree", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:ntlm\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json index 45c9c6e7a..04781d79e 100644 --- a/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "55e332d0-3f99-11e9-a58e-8bdedb0915e8", @@ -10,7 +10,7 @@ "title": "Connections - Destination - Originator Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.6.2\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -41,7 +41,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -61,7 +61,7 @@ "version": "WzI3NSwxXQ==", "attributes": { "title": "Connections - Destination - Originator Bytes (region map)", - "visState": "{\"title\":\"Connections - Destination - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "visState": "{\"title\":\"Connections - Destination - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", "description": "", "version": 1, @@ -84,30 +84,32 @@ { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-12T22:48:55.398Z", + "version": "WzgwMiwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json index abd234a92..ef1b780e4 100644 --- a/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json +++ b/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "60d78fbd-471c-4f59-a9e3-189b33a13644", "type": "dashboard", - "updated_at": "2019-12-18T16:20:30.834Z", - "version": "WzI4MSwxXQ==", + "updated_at": "2020-02-13T15:36:32.331Z", + "version": "WzkzMCwxXQ==", "attributes": { "title": "Connections - Destination - Sum of Total Bytes", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":39,\"h\":50,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"185e3f31-3f18-4df8-93c1-617c0323f051\"},\"panelIndex\":\"185e3f31-3f18-4df8-93c1-617c0323f051\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"887a57e9-3078-4fe1-9ea9-0ee63abe554f\"},\"panelIndex\":\"887a57e9-3078-4fe1-9ea9-0ee63abe554f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,8 +47,8 @@ { "id": "7fe0a885-b172-48b9-ac34-0c8e8d5c2f82", "type": "visualization", - "updated_at": "2019-12-18T16:20:30.834Z", - "version": "WzI3OCwxXQ==", + "updated_at": "2020-02-13T14:16:32.344Z", + "version": "WzQ2MCwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", @@ -64,11 +74,67 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -84,30 +150,32 @@ { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json index 662d538a7..89547d7a6 100644 --- a/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json +++ b/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "665d1610-523d-11e9-a30e-e3576242f3ed", "type": "dashboard", - "updated_at": "2019-12-18T16:20:31.866Z", - "version": "WzI4OCwxXQ==", + "updated_at": "2020-02-12T15:53:37.316Z", + "version": "Wzg2NSwxXQ==", "attributes": { "title": "Signatures", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"h\":56,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"9\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"10\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"11\",\"w\":40,\"x\":8,\"y\":32},\"panelIndex\":\"11\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":8},\"panelIndex\":\"12\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"13\",\"w\":20,\"x\":28,\"y\":8},\"panelIndex\":\"13\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":48,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -57,11 +57,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -77,8 +77,8 @@ { "id": "0927a2fa-f94e-4f68-a23b-5054ed2e171a", "type": "visualization", - "updated_at": "2019-12-18T16:20:31.866Z", - "version": "WzI4MywxXQ==", + "updated_at": "2020-02-12T15:00:33.475Z", + "version": "WzQ2NSwxXQ==", "attributes": { "title": "Signatures - Log Count Over Time", "visState": "{\"title\":\"Signatures - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}", @@ -103,8 +103,8 @@ { "id": "8356c570-523f-11e9-a30e-e3576242f3ed", "type": "visualization", - "updated_at": "2019-12-18T16:20:31.866Z", - "version": "WzI4NCwxXQ==", + "updated_at": "2020-02-12T15:00:33.475Z", + "version": "WzQ2NiwxXQ==", "attributes": { "title": "Signatures - Log Count", "visState": "{\"title\":\"Signatures - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}}]}", @@ -130,8 +130,8 @@ { "id": "34dd33c0-523f-11e9-a30e-e3576242f3ed", "type": "search", - "updated_at": "2019-12-18T16:20:31.866Z", - "version": "WzI4NSwxXQ==", + "updated_at": "2020-02-12T15:00:43.723Z", + "version": "WzU4MywxXQ==", "attributes": { "title": "Signatures - Logs", "description": "", @@ -167,8 +167,8 @@ { "id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75", "type": "visualization", - "updated_at": "2019-12-18T16:20:31.866Z", - "version": "WzI4NiwxXQ==", + "updated_at": "2020-02-12T15:00:43.723Z", + "version": "WzU3MywxXQ==", "attributes": { "title": "Signatures - Signature IDs", "visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}", @@ -194,8 +194,8 @@ { "id": "39073d50-525e-11e9-9bd7-13d6d1bafa75", "type": "visualization", - "updated_at": "2019-12-18T16:20:31.866Z", - "version": "WzI4NywxXQ==", + "updated_at": "2020-02-12T15:00:33.475Z", + "version": "WzQ2OSwxXQ==", "attributes": { "title": "Signatures - Engines", "visState": "{\"title\":\"Signatures - Engines\",\"type\":\"horizontal_bar\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"bottom\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.engine\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Engines\"}}]}", diff --git a/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json index ce199c1d1..dd0de2a58 100644 --- a/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json +++ b/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "76f2f912-80da-44cd-ab66-6a73c8344cc3", "type": "dashboard", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5OCwxXQ==", + "updated_at": "2020-02-12T17:13:26.938Z", + "version": "Wzk0NCwxXQ==", "attributes": { "title": "IRC", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":47,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":27,\"w\":12,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":12,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":27,\"w\":16,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":37,\"i\":\"d32001ad-b1a2-4fde-8feb-c06e3a7b1f91\"},\"panelIndex\":\"d32001ad-b1a2-4fde-8feb-c06e3a7b1f91\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -41,28 +41,28 @@ }, { "name": "panel_4", - "type": "search", - "id": "5486b4b2-714d-45d1-b347-ab274894de1f" + "type": "visualization", + "id": "6544edd6-ae35-4e10-be83-ede9cb2a5fa2" }, { "name": "panel_5", "type": "visualization", - "id": "6544edd6-ae35-4e10-be83-ede9cb2a5fa2" + "id": "AWDG_HoKxQT5EBNmq4KN" }, { "name": "panel_6", "type": "visualization", - "id": "AWDG_HoKxQT5EBNmq4KN" + "id": "7a04aa5c-8e7f-4405-9291-2fa3ce1b6c7a" }, { "name": "panel_7", "type": "visualization", - "id": "7a04aa5c-8e7f-4405-9291-2fa3ce1b6c7a" + "id": "91a1e5ab-35e4-4a8a-a26f-4b4c1b9bb8ec" }, { "name": "panel_8", - "type": "visualization", - "id": "91a1e5ab-35e4-4a8a-a26f-4b4c1b9bb8ec" + "type": "search", + "id": "5486b4b2-714d-45d1-b347-ab274894de1f" } ], "migrationVersion": { @@ -72,11 +72,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -92,8 +92,8 @@ { "id": "97e59b5d-86f2-42e6-9dbb-67336dd6c38a", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5MCwxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3MiwxXQ==", "attributes": { "visState": "{\"title\":\"IRC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -119,8 +119,8 @@ { "id": "46ada5c4-3522-4a0c-a2dd-279d59e23160", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5MSwxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3MywxXQ==", "attributes": { "visState": "{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -146,8 +146,8 @@ { "id": "3e7fcb65-15e8-4a05-92de-ee924c08d85c", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5MiwxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3NCwxXQ==", "attributes": { "visState": "{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -170,50 +170,11 @@ "visualization": "7.4.2" } }, - { - "id": "5486b4b2-714d-45d1-b347-ab274894de1f", - "type": "search", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5MywxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "IRC - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "6544edd6-ae35-4e10-be83-ede9cb2a5fa2", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5NCwxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3NiwxXQ==", "attributes": { "title": "IRC - Destination Port", "visState": "{\"title\":\"IRC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}", @@ -239,8 +200,8 @@ { "id": "AWDG_HoKxQT5EBNmq4KN", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5NSwxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3NywxXQ==", "attributes": { "title": "IRC - Log Count", "visState": "{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -266,8 +227,8 @@ { "id": "7a04aa5c-8e7f-4405-9291-2fa3ce1b6c7a", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5NiwxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3OCwxXQ==", "attributes": { "title": "IRC - Destination Country", "visState": "{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", @@ -293,8 +254,8 @@ { "id": "91a1e5ab-35e4-4a8a-a26f-4b4c1b9bb8ec", "type": "visualization", - "updated_at": "2019-12-18T16:20:32.890Z", - "version": "WzI5NywxXQ==", + "updated_at": "2020-02-12T15:00:34.504Z", + "version": "WzQ3OSwxXQ==", "attributes": { "title": "IRC - Command", "visState": "{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_irc.command\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}", @@ -316,6 +277,46 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "5486b4b2-714d-45d1-b347-ab274894de1f", + "type": "search", + "updated_at": "2020-02-12T17:12:29.165Z", + "version": "Wzk0MiwxXQ==", + "attributes": { + "title": "IRC - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_irc.nick", + "zeek_irc.command", + "zeek_irc.value", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:irc\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json index 34861ea02..00bf1ba9d 100644 --- a/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "77fc9960-3f99-11e9-a58e-8bdedb0915e8", "type": "dashboard", - "updated_at": "2019-12-18T16:20:33.914Z", - "version": "WzMwMiwxXQ==", + "updated_at": "2020-02-13T15:37:23.331Z", + "version": "WzkzNCwxXQ==", "attributes": { "title": "Connections - Destination - Responder Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"18ef74a3-0457-4cdd-acdc-2c0d967c4b7c\"},\"panelIndex\":\"18ef74a3-0457-4cdd-acdc-2c0d967c4b7c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"bf8d1e0a-e6dd-4ea2-8466-220565d99081\"},\"panelIndex\":\"bf8d1e0a-e6dd-4ea2-8466-220565d99081\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "54431ec0-3f96-11e9-a58e-8bdedb0915e8" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,11 +67,11 @@ { "id": "54431ec0-3f96-11e9-a58e-8bdedb0915e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:33.914Z", - "version": "WzMwMCwxXQ==", + "updated_at": "2020-02-13T14:16:35.430Z", + "version": "WzQ4MiwxXQ==", "attributes": { "title": "Connections - Destination - Responder Bytes (region map)", - "visState": "{\"title\":\"Connections - Destination - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "visState": "{\"title\":\"Connections - Destination - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", "description": "", "version": 1, @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json index f1c2d9208..403b2de17 100644 --- a/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json +++ b/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "7f41913f-cba8-43f5-82a8-241b7ead03e0", "type": "dashboard", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxNiwxXQ==", + "updated_at": "2020-02-12T18:38:06.748Z", + "version": "WzEwNjEsMV0=", "attributes": { "title": "RDP", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":40,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"5\",\"w\":15,\"x\":0,\"y\":40},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":16,\"x\":15,\"y\":40},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":11,\"x\":37,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"9\",\"w\":17,\"x\":31,\"y\":40},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":15,\"x\":8,\"y\":8},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":14,\"x\":23,\"y\":8},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":20},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"17548109-6b40-41e7-997f-17290b9759ac\",\"w\":20,\"x\":28,\"y\":20},\"panelIndex\":\"17548109-6b40-41e7-997f-17290b9759ac\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":36,\"i\":\"c76b082d-e205-42f7-8c7a-46be60fccb19\",\"w\":48,\"x\":0,\"y\":62},\"panelIndex\":\"c76b082d-e205-42f7-8c7a-46be60fccb19\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_11\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,58 +31,53 @@ }, { "name": "panel_2", - "type": "search", - "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3" + "type": "visualization", + "id": "171c1475-1288-4dab-b5f4-f2105c7167a5" }, { "name": "panel_3", "type": "visualization", - "id": "171c1475-1288-4dab-b5f4-f2105c7167a5" + "id": "0a4694d9-2c36-48f3-979e-22548fff8fda" }, { "name": "panel_4", "type": "visualization", - "id": "0a4694d9-2c36-48f3-979e-22548fff8fda" + "id": "7bb9def4-0e06-49ba-a83a-8223f34d7331" }, { "name": "panel_5", "type": "visualization", - "id": "7bb9def4-0e06-49ba-a83a-8223f34d7331" + "id": "890ddd12-deb4-4608-890c-f0290dea3566" }, { "name": "panel_6", "type": "visualization", - "id": "0f8faebc-f66b-45b0-9015-6fa5a4d8258a" + "id": "874675b5-bc49-4a3a-8d6e-a7efd713919e" }, { "name": "panel_7", "type": "visualization", - "id": "890ddd12-deb4-4608-890c-f0290dea3566" + "id": "088c8f99-a90e-4a1e-b1a4-afd93ff076da" }, { "name": "panel_8", "type": "visualization", - "id": "874675b5-bc49-4a3a-8d6e-a7efd713919e" + "id": "b4d98d1f-dad9-4883-95ff-f8edc0b23b34" }, { "name": "panel_9", "type": "visualization", - "id": "088c8f99-a90e-4a1e-b1a4-afd93ff076da" + "id": "AWDHCvBexQT5EBNmq4aK" }, { "name": "panel_10", "type": "visualization", - "id": "b4d98d1f-dad9-4883-95ff-f8edc0b23b34" + "id": "93df26c0-4dc6-11ea-8336-d3388483188b" }, { "name": "panel_11", - "type": "visualization", - "id": "29c1e2ac-9a73-4a64-944d-d76135f41f30" - }, - { - "name": "panel_12", - "type": "visualization", - "id": "AWDHCvBexQT5EBNmq4aK" + "type": "search", + "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3" } ], "migrationVersion": { @@ -92,11 +87,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -112,8 +107,8 @@ { "id": "b4e1f8d3-fdd9-4a86-b907-0e432b1a6049", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMwNCwxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ4NiwxXQ==", "attributes": { "visState": "{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -136,50 +131,11 @@ "visualization": "7.4.2" } }, - { - "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3", - "type": "search", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMwNSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "RDP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "171c1475-1288-4dab-b5f4-f2105c7167a5", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMwNiwxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ4OCwxXQ==", "attributes": { "visState": "{\"title\":\"RDP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -205,8 +161,8 @@ { "id": "0a4694d9-2c36-48f3-979e-22548fff8fda", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMwNywxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ4OSwxXQ==", "attributes": { "visState": "{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -232,8 +188,8 @@ { "id": "7bb9def4-0e06-49ba-a83a-8223f34d7331", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMwOCwxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ5MCwxXQ==", "attributes": { "title": "RDP - Destination Port", "visState": "{\"title\":\"RDP - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -257,14 +213,14 @@ } }, { - "id": "0f8faebc-f66b-45b0-9015-6fa5a4d8258a", + "id": "890ddd12-deb4-4608-890c-f0290dea3566", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMwOSwxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ5MiwxXQ==", "attributes": { - "visState": "{\"title\":\"RDP - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rdp.client_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rdp.cookie\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}", "description": "", - "title": "RDP - Client", + "title": "RDP - Cookie", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { @@ -284,25 +240,25 @@ } }, { - "id": "890ddd12-deb4-4608-890c-f0290dea3566", + "id": "874675b5-bc49-4a3a-8d6e-a7efd713919e", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxMCwxXQ==", + "updated_at": "2020-02-12T18:37:47.020Z", + "version": "WzEwNTksMV0=", "attributes": { - "visState": "{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rdp.cookie\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}", + "title": "RDP - Result", + "visState": "{\"title\":\"RDP - Result\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", - "title": "RDP - Cookie", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3" } ], @@ -311,13 +267,13 @@ } }, { - "id": "874675b5-bc49-4a3a-8d6e-a7efd713919e", + "id": "088c8f99-a90e-4a1e-b1a4-afd93ff076da", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxMSwxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ5NCwxXQ==", "attributes": { - "title": "RDP - Client Build", - "visState": "{\"title\":\"RDP - Client Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.client_build\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}", + "title": "RDP - Keyboard Layout", + "visState": "{\"title\":\"RDP - Keyboard Layout\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.keyboard_layout\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard Layout\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -338,13 +294,13 @@ } }, { - "id": "088c8f99-a90e-4a1e-b1a4-afd93ff076da", + "id": "b4d98d1f-dad9-4883-95ff-f8edc0b23b34", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxMiwxXQ==", + "updated_at": "2020-02-12T18:26:24.737Z", + "version": "WzEwMzAsMV0=", "attributes": { - "title": "RDP - Keyboard Layout", - "visState": "{\"title\":\"RDP - Keyboard Layout\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.keyboard_layout\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard Layout\"}}]}", + "title": "RDP - Client Version", + "visState": "{\"title\":\"RDP - Client Version\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_rdp.client_build\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -355,8 +311,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3" } ], @@ -365,18 +321,18 @@ } }, { - "id": "b4d98d1f-dad9-4883-95ff-f8edc0b23b34", + "id": "AWDHCvBexQT5EBNmq4aK", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxMywxXQ==", + "updated_at": "2020-02-12T15:00:36.543Z", + "version": "WzQ5NywxXQ==", "attributes": { - "title": "RDP - Result", - "visState": "{\"title\":\"RDP - Result\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_rdp.result\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}", - "uiStateJSON": "{}", + "title": "RDP - Log Count", + "visState": "{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[]}" }, "savedSearchRefName": "search_0" }, @@ -392,25 +348,25 @@ } }, { - "id": "29c1e2ac-9a73-4a64-944d-d76135f41f30", + "id": "93df26c0-4dc6-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxNCwxXQ==", + "updated_at": "2020-02-12T18:36:26.796Z", + "version": "WzEwNTYsMV0=", "attributes": { - "title": "RDP - Encryption Level", - "visState": "{\"title\":\"RDP - Encryption Level\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Encryption Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.encryption_level\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryption Level\"}}]}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "title": "RDP - Encryption", + "visState": "{\"title\":\"RDP - Encryption\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Encryption Level\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Encryption Method\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.encryption_level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rdp.encryption_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Method\"}}]}", + "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3" } ], @@ -419,30 +375,45 @@ } }, { - "id": "AWDHCvBexQT5EBNmq4aK", - "type": "visualization", - "updated_at": "2019-12-18T16:20:34.939Z", - "version": "WzMxNSwxXQ==", + "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3", + "type": "search", + "updated_at": "2020-02-12T18:31:03.976Z", + "version": "WzEwNDcsMV0=", "attributes": { - "title": "RDP - Log Count", - "visState": "{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "RDP - Logs", "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_rdp.client_build", + "zeek_rdp.keyboard_layout", + "zeek_rdp.security_protocol", + "zeek_rdp.encryption_method", + "zeek_rdp.result", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:rdp\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { - "type": "search", - "name": "search_0", - "id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3" + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" } ], "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" } } ] diff --git a/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json index c57632be4..0e881b37d 100644 --- a/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json +++ b/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb", "type": "dashboard", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMzMiwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxMSwxXQ==", "attributes": { "title": "SSL", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"7\"},\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":124,\"w\":16,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":36,\"y\":124,\"w\":12,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":16,\"y\":124,\"w\":20,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"14\"},\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":148,\"w\":48,\"h\":72,\"i\":\"15\"},\"version\":\"7.5.1\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"19\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":24,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"version\":\"7.5.1\",\"panelRefName\":\"panel_12\"},{\"gridData\":{\"x\":0,\"y\":104,\"w\":24,\"h\":20,\"i\":\"22\"},\"version\":\"7.5.1\",\"panelIndex\":\"22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"gridData\":{\"x\":24,\"y\":104,\"w\":24,\"h\":20,\"i\":\"23\"},\"version\":\"7.5.1\",\"panelIndex\":\"23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"}]", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":27,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":19,\"i\":\"6\",\"w\":30,\"x\":0,\"y\":64},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":11,\"x\":37,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":19,\"i\":\"9\",\"w\":13,\"x\":0,\"y\":103},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":19,\"i\":\"10\",\"w\":9,\"x\":27,\"y\":103},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":19,\"i\":\"11\",\"w\":14,\"x\":13,\"y\":103},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":19,\"i\":\"12\",\"w\":29,\"x\":19,\"y\":45},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"14\",\"w\":16,\"x\":8,\"y\":8},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":19,\"i\":\"19\",\"w\":19,\"x\":0,\"y\":45},\"panelIndex\":\"19\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"20\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"gridData\":{\"h\":18,\"i\":\"21\",\"w\":38,\"x\":10,\"y\":27},\"panelIndex\":\"21\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"22\",\"w\":24,\"x\":0,\"y\":83},\"panelIndex\":\"22\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"23\",\"w\":24,\"x\":24,\"y\":83},\"panelIndex\":\"23\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"e57b69c8-34a0-4b5a-9146-f81034ce74fe\",\"w\":13,\"x\":24,\"y\":8},\"panelIndex\":\"e57b69c8-34a0-4b5a-9146-f81034ce74fe\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_14\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"078aaedd-22fb-4a22-ad5b-b81403587fde\",\"w\":10,\"x\":0,\"y\":27},\"panelIndex\":\"078aaedd-22fb-4a22-ad5b-b81403587fde\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_15\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":19,\"i\":\"c151c3a5-c079-4d3b-8a31-da338b974e44\",\"w\":18,\"x\":30,\"y\":64},\"panelIndex\":\"c151c3a5-c079-4d3b-8a31-da338b974e44\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_16\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"cd6004c4-d604-4503-a4a2-d1c38e852279\",\"w\":12,\"x\":36,\"y\":103},\"panelIndex\":\"cd6004c4-d604-4503-a4a2-d1c38e852279\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_17\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":43,\"i\":\"bbcebabc-0baf-4b15-ad17-fc7633b9b8b8\",\"w\":48,\"x\":0,\"y\":122},\"panelIndex\":\"bbcebabc-0baf-4b15-ad17-fc7633b9b8b8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_18\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -66,33 +66,53 @@ }, { "name": "panel_9", - "type": "search", - "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" + "type": "visualization", + "id": "f821c7fe-0dd3-4c3c-b5df-77b926f4007a" }, { "name": "panel_10", "type": "visualization", - "id": "f821c7fe-0dd3-4c3c-b5df-77b926f4007a" + "id": "AWDHElRWxQT5EBNmq4lz" }, { "name": "panel_11", "type": "visualization", - "id": "AWDHElRWxQT5EBNmq4lz" + "id": "1567ea7f-8d0e-470b-adbf-f605dd68bdce" }, { "name": "panel_12", "type": "visualization", - "id": "1567ea7f-8d0e-470b-adbf-f605dd68bdce" + "id": "371b06d0-72a1-11e9-b0f3-590266f42743" }, { "name": "panel_13", "type": "visualization", - "id": "371b06d0-72a1-11e9-b0f3-590266f42743" + "id": "bdda87a0-72a0-11e9-b0f3-590266f42743" }, { "name": "panel_14", "type": "visualization", - "id": "bdda87a0-72a0-11e9-b0f3-590266f42743" + "id": "fa696510-4e9b-11ea-b504-97aa449f6abc" + }, + { + "name": "panel_15", + "type": "visualization", + "id": "41325860-4dd6-11ea-8336-d3388483188b" + }, + { + "name": "panel_16", + "type": "visualization", + "id": "9c20d940-4dd6-11ea-8336-d3388483188b" + }, + { + "name": "panel_17", + "type": "visualization", + "id": "f13ba720-4dd6-11ea-8336-d3388483188b" + }, + { + "name": "panel_18", + "type": "search", + "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" } ], "migrationVersion": { @@ -102,11 +122,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T20:45:03.886Z", + "version": "WzgwNiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -122,8 +142,8 @@ { "id": "dc0b1b11-52da-4cc0-bddf-db127bd6cfee", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMxOCwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxMywxXQ==", "attributes": { "visState": "{\"title\":\"SSL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -149,8 +169,8 @@ { "id": "d988522e-b3a8-4d74-98d4-96aff3e0f3f9", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMxOSwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxNCwxXQ==", "attributes": { "visState": "{\"title\":\"SSL - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.subject_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}", "description": "", @@ -176,11 +196,11 @@ { "id": "20fa1fd0-f204-499d-996f-e41e1ee3d40f", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyMCwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxNSwxXQ==", "attributes": { "title": "SSL - Version", - "visState": "{\"title\":\"SSL - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.ssl_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", + "visState": "{\"title\":\"SSL - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_ssl.ssl_version: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.ssl_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -191,8 +211,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" } ], @@ -203,8 +223,8 @@ { "id": "df8bd09c-064c-45b3-8d54-9797ccb58d74", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyMSwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxNiwxXQ==", "attributes": { "visState": "{\"title\":\"SSL - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -230,8 +250,8 @@ { "id": "f81fe18d-c2ff-4757-9de3-8b943a759169", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyMiwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxNywxXQ==", "attributes": { "visState": "{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -257,8 +277,8 @@ { "id": "b50ee1a8-d83d-46bf-9ba2-419d089d4797", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyMywxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUxOCwxXQ==", "attributes": { "visState": "{\"title\":\"SSL - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -284,13 +304,13 @@ { "id": "8486949c-3592-4831-9020-59bfd968ccfa", "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyNCwxXQ==", + "updated_at": "2020-02-13T20:54:48.292Z", + "version": "WzgyNSwxXQ==", "attributes": { - "visState": "{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", - "description": "", "title": "SSL - Server", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "visState": "{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Randomness Score (method 1)\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -299,8 +319,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" } ], @@ -311,8 +331,8 @@ { "id": "d7a673bc-4a11-423b-acd3-a446425551c1", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyNSwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyMCwxXQ==", "attributes": { "title": "SSL - Destination Country", "visState": "{\"title\":\"SSL - Destination Country\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"zeek.destination_geo.country_name: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -335,50 +355,11 @@ "visualization": "7.4.2" } }, - { - "id": "b945a684-0841-4e86-87aa-0f1af6fb6579", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMywxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "SSL - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "f821c7fe-0dd3-4c3c-b5df-77b926f4007a", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyNywxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyMSwxXQ==", "attributes": { "visState": "{\"title\":\"SSL - Validation Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.validation_status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}", "description": "", @@ -404,8 +385,8 @@ { "id": "AWDHElRWxQT5EBNmq4lz", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyOCwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyMiwxXQ==", "attributes": { "title": "SSL - Log Count", "visState": "{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -431,8 +412,8 @@ { "id": "1567ea7f-8d0e-470b-adbf-f605dd68bdce", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMyOSwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyMywxXQ==", "attributes": { "title": "SSL - Summary", "visState": "{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.subject.CN\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.validation_status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ssl_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Version\"}}]}", @@ -458,8 +439,8 @@ { "id": "371b06d0-72a1-11e9-b0f3-590266f42743", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMzMCwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyNCwxXQ==", "attributes": { "title": "SSL - Client JA3 Lookup", "visState": "{\"title\":\"SSL - Client JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ja3_desc\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client JA3 Lookup\"}}]}", @@ -485,8 +466,8 @@ { "id": "bdda87a0-72a0-11e9-b0f3-590266f42743", "type": "visualization", - "updated_at": "2019-12-18T16:20:35.964Z", - "version": "WzMzMSwxXQ==", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyNSwxXQ==", "attributes": { "title": "SSL - Server JA3 Lookup", "visState": "{\"title\":\"SSL - Server JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ja3s_desc\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server JA3 Lookup\"}}]}", @@ -508,6 +489,192 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "fa696510-4e9b-11ea-b504-97aa449f6abc", + "type": "visualization", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyNiwxXQ==", + "attributes": { + "title": "SSL - Relevant Notices", + "visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "41325860-4dd6-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyNywxXQ==", + "attributes": { + "title": "SSL - Connection Established", + "visState": "{\"title\":\"SSL - Connection Established\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Established\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.established\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Established\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "9c20d940-4dd6-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyOCwxXQ==", + "attributes": { + "title": "SSL - Elliptic Curve", + "visState": "{\"title\":\"SSL - Elliptic Curve\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Elliptic Curve\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.curve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Elliptic Curve\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "f13ba720-4dd6-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUyOSwxXQ==", + "attributes": { + "title": "SSL - Next Protocol", + "visState": "{\"title\":\"SSL - Next Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.next_protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Next Protocol\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "b945a684-0841-4e86-87aa-0f1af6fb6579", + "type": "search", + "updated_at": "2020-02-13T20:44:37.133Z", + "version": "WzUzMCwxXQ==", + "attributes": { + "title": "SSL - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_ssl.server_name", + "zeek_ssl.validation_status", + "zeek_ssl.established", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssl\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c", + "type": "search", + "updated_at": "2020-02-13T20:45:00.802Z", + "version": "Wzc4MiwxXQ==", + "attributes": { + "title": "Notices - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_notice.category", + "zeek_notice.sub_category", + "srcIp", + "dstIp", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json index 976898082..f837e057b 100644 --- a/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json +++ b/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "82da3101-2a9c-4ae2-bb61-d447a3fbe673", "type": "dashboard", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0NywxXQ==", + "updated_at": "2020-02-12T17:35:19.152Z", + "version": "Wzk2MiwxXQ==", "attributes": { "title": "Kerberos", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek_kerberos.request_type\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":25,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":25,\"w\":19,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":17,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":19,\"y\":25,\"w\":19,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":15,\"h\":17,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":45,\"w\":24,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":45,\"w\":24,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":65,\"w\":28,\"h\":25,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":23,\"y\":8,\"w\":13,\"h\":17,\"i\":\"7d02cf7a-cad4-4b2c-822d-a255de92ce23\"},\"panelIndex\":\"7d02cf7a-cad4-4b2c-822d-a255de92ce23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":38,\"y\":25,\"w\":10,\"h\":20,\"i\":\"defd333f-2642-4357-822f-9fa6f09a9356\"},\"panelIndex\":\"defd333f-2642-4357-822f-9fa6f09a9356\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":65,\"w\":20,\"h\":25,\"i\":\"6f759830-50a0-41d2-a383-b8e307be3ba3\"},\"panelIndex\":\"6f759830-50a0-41d2-a383-b8e307be3ba3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":90,\"w\":48,\"h\":30,\"i\":\"f0a6a77c-c3fe-48e1-aa26-870211f54ecf\"},\"panelIndex\":\"f0a6a77c-c3fe-48e1-aa26-870211f54ecf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,63 +31,63 @@ }, { "name": "panel_2", - "type": "search", - "id": "e1bfade1-72ee-4093-9257-5d1921c71041" + "type": "visualization", + "id": "5a8ab6ad-ea8c-4d52-935e-82fbd2445ec3" }, { "name": "panel_3", "type": "visualization", - "id": "5a8ab6ad-ea8c-4d52-935e-82fbd2445ec3" + "id": "0319fd42-76c4-4894-b7d8-2540537705ff" }, { "name": "panel_4", "type": "visualization", - "id": "0319fd42-76c4-4894-b7d8-2540537705ff" + "id": "334efe47-3d71-4995-8f73-8945969c6879" }, { "name": "panel_5", "type": "visualization", - "id": "334efe47-3d71-4995-8f73-8945969c6879" + "id": "8fdb77a7-748c-47a6-a1f9-31c4583f354d" }, { "name": "panel_6", "type": "visualization", - "id": "8fdb77a7-748c-47a6-a1f9-31c4583f354d" + "id": "62d29d31-59dd-4339-9793-5df6bd4cde91" }, { "name": "panel_7", "type": "visualization", - "id": "62d29d31-59dd-4339-9793-5df6bd4cde91" + "id": "2805b0f5-d7cf-4cbc-8ffe-d6b087fadb82" }, { "name": "panel_8", "type": "visualization", - "id": "2805b0f5-d7cf-4cbc-8ffe-d6b087fadb82" + "id": "626b7405-7acb-4b43-a0de-44e1d92c7fbf" }, { "name": "panel_9", "type": "visualization", - "id": "c0fc173f-0d69-4e8d-9f3a-1cbf5992df1b" + "id": "AWDG_UbkxQT5EBNmq4Lg" }, { "name": "panel_10", "type": "visualization", - "id": "626b7405-7acb-4b43-a0de-44e1d92c7fbf" + "id": "2bf924c0-4dbc-11ea-8336-d3388483188b" }, { "name": "panel_11", "type": "visualization", - "id": "4767e016-b8e7-48e2-be2c-d4b3d958879f" + "id": "c8180830-4dbc-11ea-8336-d3388483188b" }, { "name": "panel_12", "type": "visualization", - "id": "d8e847de-d2f5-4585-9e9e-b9f172c16134" + "id": "51e6a850-4dbd-11ea-8336-d3388483188b" }, { "name": "panel_13", - "type": "visualization", - "id": "AWDG_UbkxQT5EBNmq4Lg" + "type": "search", + "id": "e1bfade1-72ee-4093-9257-5d1921c71041" } ], "migrationVersion": { @@ -97,11 +97,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -117,8 +117,8 @@ { "id": "aaf2aff1-0941-4df3-9668-329601e90ea3", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzMzNCwxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUxNiwxXQ==", "attributes": { "visState": "{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -141,51 +141,11 @@ "visualization": "7.4.2" } }, - { - "id": "e1bfade1-72ee-4093-9257-5d1921c71041", - "type": "search", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzMzNSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "Kerberos - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek_kerberos.request_type", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "5a8ab6ad-ea8c-4d52-935e-82fbd2445ec3", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzMzNiwxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUxOCwxXQ==", "attributes": { "visState": "{\"title\":\"Kerberos - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.cname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}", "description": "", @@ -211,12 +171,12 @@ { "id": "0319fd42-76c4-4894-b7d8-2540537705ff", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzMzNywxXQ==", + "updated_at": "2020-02-12T17:15:35.671Z", + "version": "Wzk0NiwxXQ==", "attributes": { "title": "Kerberos - Success Status", - "visState": "{\"title\":\"Kerberos - Success Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_kerberos.success\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", + "visState": "{\"title\":\"Kerberos - Success Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_kerberos.success: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_kerberos.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -226,8 +186,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e1bfade1-72ee-4093-9257-5d1921c71041" } ], @@ -238,8 +198,8 @@ { "id": "334efe47-3d71-4995-8f73-8945969c6879", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzMzOCwxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUyMCwxXQ==", "attributes": { "visState": "{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", "description": "", @@ -265,8 +225,8 @@ { "id": "8fdb77a7-748c-47a6-a1f9-31c4583f354d", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzMzOSwxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUyMSwxXQ==", "attributes": { "title": "Kerberos - Cipher", "visState": "{\"title\":\"Kerberos - Cipher\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_kerberos.cipher\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -292,8 +252,8 @@ { "id": "62d29d31-59dd-4339-9793-5df6bd4cde91", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0MCwxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUyMiwxXQ==", "attributes": { "visState": "{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -319,8 +279,8 @@ { "id": "2805b0f5-d7cf-4cbc-8ffe-d6b087fadb82", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0MSwxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUyMywxXQ==", "attributes": { "visState": "{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -344,15 +304,15 @@ } }, { - "id": "c0fc173f-0d69-4e8d-9f3a-1cbf5992df1b", + "id": "626b7405-7acb-4b43-a0de-44e1d92c7fbf", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0MiwxXQ==", + "updated_at": "2020-02-12T17:31:02.545Z", + "version": "Wzk1OCwxXQ==", "attributes": { - "visState": "{\"title\":\"Kerberos - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", - "description": "", - "title": "Kerberos - Destination Port", + "title": "Kerberos - Service", + "visState": "{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -361,8 +321,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e1bfade1-72ee-4093-9257-5d1921c71041" } ], @@ -371,15 +331,15 @@ } }, { - "id": "626b7405-7acb-4b43-a0de-44e1d92c7fbf", + "id": "AWDG_UbkxQT5EBNmq4Lg", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0MywxXQ==", + "updated_at": "2020-02-12T15:00:38.595Z", + "version": "WzUyOCwxXQ==", "attributes": { - "visState": "{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}", + "title": "Kerberos - Log Count", + "visState": "{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "Kerberos - Service", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -398,25 +358,25 @@ } }, { - "id": "4767e016-b8e7-48e2-be2c-d4b3d958879f", + "id": "2bf924c0-4dbc-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0NCwxXQ==", + "updated_at": "2020-02-12T17:21:57.516Z", + "version": "Wzk1MSwxXQ==", "attributes": { - "title": "Kerberos - Request Type", - "visState": "{\"title\":\"Kerberos - Request Type\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_kerberos.request_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}", - "uiStateJSON": "{}", + "title": "Kerberos - Request Types", + "visState": "{\"title\":\"Kerberos - Request Types\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Request Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_kerberos.request_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e1bfade1-72ee-4093-9257-5d1921c71041" } ], @@ -425,25 +385,25 @@ } }, { - "id": "d8e847de-d2f5-4585-9e9e-b9f172c16134", + "id": "c8180830-4dbc-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0NSwxXQ==", + "updated_at": "2020-02-12T17:26:19.442Z", + "version": "Wzk1NCwxXQ==", "attributes": { - "visState": "{\"title\":\"Kerberos - Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.renewable\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}", + "title": "Kerberos - Renewable Ticket Requested", + "visState": "{\"title\":\"Kerberos - Renewable Ticket Requested\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Renewable ticket requested\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_kerberos.renewable\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Renewable ticket requested\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", - "title": "Kerberos - Renewable", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e1bfade1-72ee-4093-9257-5d1921c71041" } ], @@ -452,31 +412,71 @@ } }, { - "id": "AWDG_UbkxQT5EBNmq4Lg", + "id": "51e6a850-4dbd-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:36.982Z", - "version": "WzM0NiwxXQ==", + "updated_at": "2020-02-12T17:30:10.645Z", + "version": "Wzk1NywxXQ==", "attributes": { - "title": "Kerberos - Log Count", - "visState": "{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "Kerberos - Destination Ports", + "visState": "{\"title\":\"Kerberos - Destination Ports\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "e1bfade1-72ee-4093-9257-5d1921c71041" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "e1bfade1-72ee-4093-9257-5d1921c71041", + "type": "search", + "updated_at": "2020-02-12T17:34:34.569Z", + "version": "Wzk2MSwxXQ==", + "attributes": { + "title": "Kerberos - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_kerberos.request_type", + "zeek_kerberos.success", + "zeek_kerberos.error_msg", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:kerberos\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json index b29ab8dbf..32553570d 100644 --- a/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json +++ b/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "870a5862-6c26-4a08-99fd-0c06cda85ba3", "type": "dashboard", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1NywxXQ==", + "updated_at": "2020-02-12T21:24:41.208Z", + "version": "WzEyNzksMV0=", "attributes": { "title": "DNP3", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":47,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":14,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":27,\"w\":14,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":19,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":37,\"i\":\"20bab908-6058-4f9a-819b-de9011dd65b0\"},\"panelIndex\":\"20bab908-6058-4f9a-819b-de9011dd65b0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -41,28 +41,28 @@ }, { "name": "panel_4", - "type": "search", - "id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a" + "type": "visualization", + "id": "5dec50f8-81f2-46f0-affd-2f945b6b7475" }, { "name": "panel_5", "type": "visualization", - "id": "5dec50f8-81f2-46f0-affd-2f945b6b7475" + "id": "AWDG9DWvxQT5EBNmq3-m" }, { "name": "panel_6", "type": "visualization", - "id": "AWDG9DWvxQT5EBNmq3-m" + "id": "46cd2e4c-ecfb-4fe9-ae51-28c2fecbffc0" }, { "name": "panel_7", "type": "visualization", - "id": "46cd2e4c-ecfb-4fe9-ae51-28c2fecbffc0" + "id": "9422ff81-b007-4eef-aca1-1af16509ab8c" }, { "name": "panel_8", - "type": "visualization", - "id": "9422ff81-b007-4eef-aca1-1af16509ab8c" + "type": "search", + "id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a" } ], "migrationVersion": { @@ -72,11 +72,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -92,8 +92,8 @@ { "id": "ab886b44-653f-401f-aca3-a6edb990dff7", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM0OSwxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzMSwxXQ==", "attributes": { "visState": "{\"title\":\"DNP3 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -119,8 +119,8 @@ { "id": "d34dd3b3-3861-4b9b-ba39-4ca7e15b3bdd", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1MCwxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzMiwxXQ==", "attributes": { "visState": "{\"title\":\"DNP3 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -146,8 +146,8 @@ { "id": "131198e7-afc4-40be-bedd-2a3a3a2d511e", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1MSwxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzMywxXQ==", "attributes": { "visState": "{\"title\":\"DNP3 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -170,49 +170,11 @@ "visualization": "7.4.2" } }, - { - "id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a", - "type": "search", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1MiwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "DNP3 - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "5dec50f8-81f2-46f0-affd-2f945b6b7475", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1MywxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzNSwxXQ==", "attributes": { "visState": "{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -238,8 +200,8 @@ { "id": "AWDG9DWvxQT5EBNmq3-m", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1NCwxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzNiwxXQ==", "attributes": { "title": "DNP3 - Log Count", "visState": "{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -265,8 +227,8 @@ { "id": "46cd2e4c-ecfb-4fe9-ae51-28c2fecbffc0", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1NSwxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzNywxXQ==", "attributes": { "title": "DNP3 - Function Request", "visState": "{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3.fc_request\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}", @@ -292,8 +254,8 @@ { "id": "9422ff81-b007-4eef-aca1-1af16509ab8c", "type": "visualization", - "updated_at": "2019-12-18T16:20:38.006Z", - "version": "WzM1NiwxXQ==", + "updated_at": "2020-02-12T15:00:39.630Z", + "version": "WzUzOCwxXQ==", "attributes": { "title": "DNP3 - Function Reply", "visState": "{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3.fc_reply\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}", @@ -315,6 +277,45 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a", + "type": "search", + "updated_at": "2020-02-12T21:24:03.851Z", + "version": "WzEyNzgsMV0=", + "attributes": { + "title": "DNP3 - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_dnp3.fc_request", + "zeek_dnp3.fc_reply", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:dnp3\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json index b29bc391d..b34b173cc 100644 --- a/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json +++ b/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "87a32f90-ef58-11e9-974e-9d600036d105", @@ -10,7 +10,7 @@ "title": "MQTT", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":33,\"w\":15,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":33,\"w\":17,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":32,\"y\":33,\"w\":16,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":21,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":32,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":25,\"i\":\"12\"},\"version\":\"7.5.1\",\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":33,\"w\":15,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":33,\"w\":17,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":32,\"y\":33,\"w\":16,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":21,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":32,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":25,\"i\":\"12\"},\"version\":\"7.6.2\",\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -86,7 +86,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json index 452bebb42..08643b886 100644 --- a/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json +++ b/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "87d990cc-9e0b-41e5-b8fe-b10ae1da0c85", "type": "dashboard", - "updated_at": "2019-12-18T16:20:40.052Z", - "version": "WzM3OSwxXQ==", + "updated_at": "2020-02-20T20:23:48.015Z", + "version": "WzExNzUsMV0=", "attributes": { "title": "Software", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"zeek_software.name\",\"zeek_software.software_type\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":36,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":36,\"i\":\"f99c68bd-2da6-41d5-bbd1-45f85e79526c\"},\"panelIndex\":\"f99c68bd-2da6-41d5-bbd1-45f85e79526c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,18 +31,18 @@ }, { "name": "panel_2", - "type": "search", - "id": "7d54b196-5c2b-485e-9798-f116fb668413" + "type": "visualization", + "id": "AWDHEKJUxQT5EBNmq4jW" }, { "name": "panel_3", "type": "visualization", - "id": "AWDHEKJUxQT5EBNmq4jW" + "id": "bb882862-2f74-440a-bb62-41a9dca2b463" }, { "name": "panel_4", - "type": "visualization", - "id": "bb882862-2f74-440a-bb62-41a9dca2b463" + "type": "search", + "id": "7d54b196-5c2b-485e-9798-f116fb668413" } ], "migrationVersion": { @@ -52,11 +52,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-20T19:39:06.465Z", + "version": "WzY0MSwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -72,8 +72,8 @@ { "id": "097640cc-167e-453d-bf5a-0e92ac1347fc", "type": "visualization", - "updated_at": "2019-12-18T16:20:40.052Z", - "version": "WzM3NCwxXQ==", + "updated_at": "2020-02-20T19:38:43.667Z", + "version": "WzQwOSwxXQ==", "attributes": { "visState": "{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -96,47 +96,11 @@ "visualization": "7.4.2" } }, - { - "id": "7d54b196-5c2b-485e-9798-f116fb668413", - "type": "search", - "updated_at": "2019-12-18T16:20:40.052Z", - "version": "WzM3NSwxXQ==", - "attributes": { - "title": "Software - Logs", - "description": "", - "hits": 0, - "columns": [ - "srcIp", - "zeek_software.name", - "zeek_software.software_type" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "AWDHEKJUxQT5EBNmq4jW", "type": "visualization", - "updated_at": "2019-12-18T16:20:40.052Z", - "version": "WzM3NiwxXQ==", + "updated_at": "2020-02-20T19:38:43.667Z", + "version": "WzQxMSwxXQ==", "attributes": { "title": "Software - Log Count", "visState": "{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -162,8 +126,8 @@ { "id": "bb882862-2f74-440a-bb62-41a9dca2b463", "type": "visualization", - "updated_at": "2019-12-18T16:20:40.052Z", - "version": "WzM3OCwxXQ==", + "updated_at": "2020-02-20T19:38:43.667Z", + "version": "WzQxMiwxXQ==", "attributes": { "visState": "{\"title\":\"Software - Summary\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.software_type\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.name\",\"otherBucket\":false,\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.version_major\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.version_minor\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", "description": "", @@ -185,6 +149,43 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "7d54b196-5c2b-485e-9798-f116fb668413", + "type": "search", + "updated_at": "2020-02-20T20:23:14.902Z", + "version": "WzExNzMsMV0=", + "attributes": { + "title": "Software - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "zeek_software.software_type", + "zeek_software.name", + "zeek_software.unparsed_version" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:software\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json index 4152357e1..7f1b6e1d7 100644 --- a/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json +++ b/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "92985909-dc29-4533-9e80-d3182a0ecf1d", "type": "dashboard", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4OSwxXQ==", + "updated_at": "2020-02-12T21:10:50.462Z", + "version": "WzEyNjQsMV0=", "attributes": { "title": "Syslog", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":34,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":34,\"w\":12,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":12,\"y\":34,\"w\":12,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":34,\"w\":12,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":13,\"h\":26,\"i\":\"d1325585-cce1-46f1-acfd-59d64a8be83a\"},\"panelIndex\":\"d1325585-cce1-46f1-acfd-59d64a8be83a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":21,\"y\":8,\"w\":27,\"h\":26,\"i\":\"2abd9c38-fd1e-44fa-b391-ead499a92787\"},\"panelIndex\":\"2abd9c38-fd1e-44fa-b391-ead499a92787\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":34,\"w\":12,\"h\":20,\"i\":\"13e3b050-3d67-4745-a182-b462852a67ef\"},\"panelIndex\":\"13e3b050-3d67-4745-a182-b462852a67ef\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":44,\"i\":\"59631e23-e452-40a9-a9dd-7d432278d35f\"},\"panelIndex\":\"59631e23-e452-40a9-a9dd-7d432278d35f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,38 +31,43 @@ }, { "name": "panel_2", - "type": "search", - "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" + "type": "visualization", + "id": "46cba2ad-03cd-4eef-8e3a-c35ac3ac1b76" }, { "name": "panel_3", "type": "visualization", - "id": "46cba2ad-03cd-4eef-8e3a-c35ac3ac1b76" + "id": "f54d6418-1499-4a14-9a8e-f706249b9962" }, { "name": "panel_4", "type": "visualization", - "id": "f54d6418-1499-4a14-9a8e-f706249b9962" + "id": "6a006054-309e-447f-9371-99f119d18291" }, { "name": "panel_5", "type": "visualization", - "id": "6a006054-309e-447f-9371-99f119d18291" + "id": "AWDHE-_wxQT5EBNmq4n3" }, { "name": "panel_6", "type": "visualization", - "id": "ab31bef3-9eaf-458b-8ff8-6fba232a6a06" + "id": "eb455420-4dda-11ea-8336-d3388483188b" }, { "name": "panel_7", "type": "visualization", - "id": "1c50098c-be32-4f8e-bdf3-d78c0bfa2c0c" + "id": "343952d0-4ddb-11ea-8336-d3388483188b" }, { "name": "panel_8", "type": "visualization", - "id": "AWDHE-_wxQT5EBNmq4n3" + "id": "19044160-4dda-11ea-8336-d3388483188b" + }, + { + "name": "panel_9", + "type": "search", + "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" } ], "migrationVersion": { @@ -72,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -92,8 +97,8 @@ { "id": "cf553dfa-f641-47cf-916d-041cf46a80c4", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4MSwxXQ==", + "updated_at": "2020-02-12T15:00:42.701Z", + "version": "WzU2MiwxXQ==", "attributes": { "visState": "{\"title\":\"Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -117,52 +122,41 @@ } }, { - "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d", - "type": "search", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4MiwxXQ==", + "id": "46cba2ad-03cd-4eef-8e3a-c35ac3ac1b76", + "type": "visualization", + "updated_at": "2020-02-12T15:00:42.701Z", + "version": "WzU2NCwxXQ==", "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, + "visState": "{\"title\":\"Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", - "title": "Syslog (Zeek) - Logs", + "title": "Syslog - Source IP Address", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"filter\":[]}" }, - "columns": [ - "srcIp", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "savedSearchRefName": "search_0" }, "references": [ { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" + "type": "search", + "name": "search_0", + "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" } ], "migrationVersion": { - "search": "7.4.0" + "visualization": "7.4.2" } }, { - "id": "46cba2ad-03cd-4eef-8e3a-c35ac3ac1b76", + "id": "f54d6418-1499-4a14-9a8e-f706249b9962", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4MywxXQ==", + "updated_at": "2020-02-12T15:00:42.701Z", + "version": "WzU2NSwxXQ==", "attributes": { - "visState": "{\"title\":\"Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Syslog - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", - "title": "Syslog - Source IP Address", + "title": "Syslog - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { @@ -182,15 +176,15 @@ } }, { - "id": "f54d6418-1499-4a14-9a8e-f706249b9962", + "id": "6a006054-309e-447f-9371-99f119d18291", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4NCwxXQ==", + "updated_at": "2020-02-12T21:00:07.262Z", + "version": "WzEyNTMsMV0=", "attributes": { - "visState": "{\"title\":\"Syslog - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", - "description": "", - "title": "Syslog - Destination IP Address", + "title": "Syslog - Destination Port", + "visState": "{\"title\":\"Syslog - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -199,8 +193,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" } ], @@ -209,15 +203,15 @@ } }, { - "id": "6a006054-309e-447f-9371-99f119d18291", + "id": "AWDHE-_wxQT5EBNmq4n3", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4NSwxXQ==", + "updated_at": "2020-02-12T15:00:42.701Z", + "version": "WzU2OSwxXQ==", "attributes": { - "visState": "{\"title\":\"Syslog - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", + "title": "Syslog - Log Count", + "visState": "{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "Syslog - Destination Port", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -236,25 +230,25 @@ } }, { - "id": "ab31bef3-9eaf-458b-8ff8-6fba232a6a06", + "id": "eb455420-4dda-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4NiwxXQ==", + "updated_at": "2020-02-12T21:02:03.362Z", + "version": "WzEyNTUsMV0=", "attributes": { - "visState": "{\"title\":\"Syslog - Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.proto\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}", + "title": "Syslog - Severity", + "visState": "{\"title\":\"Syslog - Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Severity\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_syslog.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Severity\"}}]}", + "uiStateJSON": "{}", "description": "", - "title": "Syslog - Protocol", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" } ], @@ -263,25 +257,25 @@ } }, { - "id": "1c50098c-be32-4f8e-bdf3-d78c0bfa2c0c", + "id": "343952d0-4ddb-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4NywxXQ==", + "updated_at": "2020-02-12T21:08:28.776Z", + "version": "WzEyNjIsMV0=", "attributes": { - "visState": "{\"title\":\"Syslog - Severity\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_syslog.severity\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}", + "title": "Syslog - Facility", + "visState": "{\"title\":\"Syslog - Facility\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Facility\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_syslog.facility\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Facility\"}}]}", + "uiStateJSON": "{}", "description": "", - "title": "Syslog - Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" } ], @@ -290,31 +284,71 @@ } }, { - "id": "AWDHE-_wxQT5EBNmq4n3", + "id": "19044160-4dda-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:41.083Z", - "version": "WzM4OCwxXQ==", + "updated_at": "2020-02-12T20:56:10.614Z", + "version": "WzEyMzgsMV0=", "attributes": { - "title": "Syslog - Log Count", - "visState": "{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "Syslog - Protocol", + "visState": "{\"title\":\"Syslog - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"IP Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Protocol\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "7d7fd24e-51be-4040-83b3-a6630e989e2d", + "type": "search", + "updated_at": "2020-02-12T20:58:39.964Z", + "version": "WzEyNTEsMV0=", + "attributes": { + "title": "Syslog (Zeek) - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_syslog.severity", + "zeek_syslog.facility", + "zeek_syslog.message", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:syslog\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json new file mode 100644 index 000000000..d2881f878 --- /dev/null +++ b/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json @@ -0,0 +1,522 @@ +{ + "version": "7.6.2", + "objects": [ + { + "id": "95479950-41f2-11ea-88fa-7151df485405", + "type": "dashboard", + "updated_at": "2020-02-04T14:48:41.812Z", + "version": "WzgxNywxXQ==", + "attributes": { + "title": "Security Overview", + "hits": 0, + "description": "", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":12,\"h\":23,\"i\":\"320b8bf0-6567-4d0b-b7d1-7402baf830d4\"},\"panelIndex\":\"320b8bf0-6567-4d0b-b7d1-7402baf830d4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":0,\"w\":15,\"h\":23,\"i\":\"8f421b7e-8ea9-4d52-a165-8e2a4fa78fd0\"},\"panelIndex\":\"8f421b7e-8ea9-4d52-a165-8e2a4fa78fd0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":35,\"y\":0,\"w\":13,\"h\":23,\"i\":\"119a8b45-c803-4c71-93b4-a9514803021a\"},\"panelIndex\":\"119a8b45-c803-4c71-93b4-a9514803021a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":15,\"h\":18,\"i\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\"},\"panelIndex\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":15,\"y\":23,\"w\":15,\"h\":38,\"i\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\"},\"panelIndex\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":30,\"y\":23,\"w\":9,\"h\":18,\"i\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\"},\"panelIndex\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":39,\"y\":23,\"w\":9,\"h\":18,\"i\":\"61f158d0-8c28-499f-af09-4df087948d42\"},\"panelIndex\":\"61f158d0-8c28-499f-af09-4df087948d42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":41,\"w\":15,\"h\":20,\"i\":\"071a1c98-695f-4708-92c9-2c950e515131\"},\"panelIndex\":\"071a1c98-695f-4708-92c9-2c950e515131\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":null}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":30,\"y\":41,\"w\":18,\"h\":20,\"i\":\"a5c3b5c2-37c3-488d-81ab-d74a89d4be84\"},\"panelIndex\":\"a5c3b5c2-37c3-488d-81ab-d74a89d4be84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":61,\"w\":48,\"h\":19,\"i\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\"},\"panelIndex\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_10\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "a4f6eba0-41f5-11ea-88fa-7151df485405" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "c5b1e590-41f3-11ea-88fa-7151df485405" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "e9f27fa0-41f8-11ea-88fa-7151df485405" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "f7b3ba60-41f7-11ea-88fa-7151df485405" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "0ffb5790-41f3-11ea-88fa-7151df485405" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "4a183420-41f3-11ea-88fa-7151df485405" + }, + { + "name": "panel_8", + "type": "visualization", + "id": "69241a80-421d-11ea-9084-41ab7c5fff2e" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "10a01120-41f5-11ea-88fa-7151df485405" + }, + { + "name": "panel_10", + "type": "visualization", + "id": "d8b8a6a0-41fe-11ea-88fa-7151df485405" + } + ], + "migrationVersion": { + "dashboard": "7.3.0" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2020-02-04T14:21:03.422Z", + "version": "Wzc4MCwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "a4f6eba0-41f5-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU1NiwxXQ==", + "attributes": { + "title": "Notices by Category", + "visState": "{\"title\":\"Notices by Category\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.note\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice Category\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU1NywxXQ==", + "attributes": { + "title": "Signatures - Signature IDs", + "visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "type": "search", + "name": "search_0", + "id": "34dd33c0-523f-11e9-a30e-e3576242f3ed" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "c5b1e590-41f3-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU1OCwxXQ==", + "attributes": { + "title": "Clear-text Transmission of Passwords ", + "visState": "{\"title\":\"Clear-text Transmission of Passwords \",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Username\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\\\\*password:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "e9f27fa0-41f8-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:51:37.130Z", + "version": "WzgxOCwxXQ==", + "attributes": { + "title": "Outdated/Insecure Application Protocols", + "visState": "{\"title\":\"Outdated/Insecure Application Protocols\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"(NOT zeek.logType:known*) AND ((zeek.service:ssh AND zeek.service_version < 2) OR (zeek.service:smb AND zeek.service_version < 2) OR (zeek.service:tls AND NOT zeek.service_version:(*TLS*v12* OR *TLS*v13*)) OR (zeek.service:ntp AND zeek.service_version < 4) OR (zeek.service:rfb AND zeek.service_version < 3.8) OR (zeek.service:rdp AND zeek.service_version < 6.0) OR (zeek.service:snmp AND zeek.service_version < 3) OR (zeek.service:ftp))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "f7b3ba60-41f7-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2MCwxXQ==", + "attributes": { + "title": "Connections by Destination Country (region map)", + "visState": "{\"title\":\"Connections by Destination Country (region map)\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Blues\",\"emsHotLink\":\"\",\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service

\"}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true,\"selectedLayer\":{\"name\":\"World (offline)\",\"url\":\"/world.geojson\",\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"name\":\"ISO_A2\",\"description\":\"Country Code\"},{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},{\"name\":\"NAME\",\"description\":\"Country Name\"}],\"format\":{\"type\":\"geojson\"},\"meta\":{\"feature_collection_path\":\"data\"},\"layerId\":\"self_hosted.World (offline)\",\"isEMS\":false},\"selectedJoinField\":{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Connections\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_code2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", + "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[37.16031654673677,-5.7511603125000015]}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "0ffb5790-41f3-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2MSwxXQ==", + "attributes": { + "title": "Inbound External Traffic by Country", + "visState": "{\"title\":\"Inbound External Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Originating Country\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"tags:external_source AND tags:internal_destination\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4a183420-41f3-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2MiwxXQ==", + "attributes": { + "title": "Outbound Internal Traffic by Country", + "visState": "{\"title\":\"Outbound Internal Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Responding Country\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"tags:internal_source AND tags:external_destination\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "69241a80-421d-11ea-9084-41ab7c5fff2e", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2MywxXQ==", + "attributes": { + "title": "DNS Queries by Randomness", + "visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "10a01120-41f5-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2NCwxXQ==", + "attributes": { + "title": "File Types Observed", + "visState": "{\"title\":\"File Types Observed\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"square root\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":48,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "d8b8a6a0-41fe-11ea-88fa-7151df485405", + "type": "visualization", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2NiwxXQ==", + "attributes": { + "title": "External Remote Access Over Time", + "visState": "{\"title\":\"External Remote Access Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-01-28T18:52:45.953Z\",\"max\":\"2020-01-28T18:52:45.953Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.service:(ssh OR rdp OR rfb OR telnet) AND tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c", + "type": "search", + "updated_at": "2020-02-04T14:21:00.359Z", + "version": "Wzc1NywxXQ==", + "attributes": { + "title": "Notices - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_notice.note", + "srcIp", + "dstIp", + "zeek.uid", + "_id" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "34dd33c0-523f-11e9-a30e-e3576242f3ed", + "type": "search", + "updated_at": "2020-02-04T14:20:41.897Z", + "version": "WzU2OCwxXQ==", + "attributes": { + "title": "Signatures - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_signatures.note", + "zeek_signatures.signature_id", + "zeek_signatures.signature_count", + "zeek.fuid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", + "type": "search", + "updated_at": "2020-02-12T22:48:55.398Z", + "version": "WzgwMiwxXQ==", + "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + }, + { + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", + "type": "search", + "updated_at": "2020-02-12T16:25:47.761Z", + "version": "WzkwMywxXQ==", + "attributes": { + "title": "DNS - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_dns.query", + "zeek_dns.answers", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json index eef0b5bf1..35687e791 100644 --- a/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json +++ b/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "9ee51f94-3316-4fc5-bd89-93a52af69714", "type": "dashboard", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzQwMCwxXQ==", + "updated_at": "2020-02-12T15:38:15.432Z", + "version": "Wzg0MSwxXQ==", "attributes": { "title": "Files", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"zeek_files.tx_hosts\",\"dstIp\",\"zeek_files.source\",\"zeek.uid\",\"zeek_files.fuid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":43,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":24,\"w\":20,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":43,\"w\":16,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":43,\"w\":16,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":16,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":43,\"w\":16,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":24,\"w\":20,\"h\":19,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":63,\"w\":48,\"h\":35,\"i\":\"8e4863be-7d69-4354-9eb4-4e30a7c983d6\"},\"panelIndex\":\"8e4863be-7d69-4354-9eb4-4e30a7c983d6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -31,43 +31,43 @@ }, { "name": "panel_2", - "type": "search", - "id": "0aca5333-3b1c-4cda-afb4-f7dd86910459" + "type": "visualization", + "id": "66d5d357-edce-450d-b5be-a5a00190e153" }, { "name": "panel_3", "type": "visualization", - "id": "66d5d357-edce-450d-b5be-a5a00190e153" + "id": "d3a0ac2e-73cf-462e-8b03-e6ff3b8612b7" }, { "name": "panel_4", "type": "visualization", - "id": "d3a0ac2e-73cf-462e-8b03-e6ff3b8612b7" + "id": "9ba4473b-66f4-4aea-b19e-4309ec6534b8" }, { "name": "panel_5", "type": "visualization", - "id": "9ba4473b-66f4-4aea-b19e-4309ec6534b8" + "id": "4474edda-47f0-4b74-b5d2-cbf012368c59" }, { "name": "panel_6", "type": "visualization", - "id": "4474edda-47f0-4b74-b5d2-cbf012368c59" + "id": "b1cb0275-a84e-4ef3-ad40-b2b773be43ff" }, { "name": "panel_7", "type": "visualization", - "id": "b1cb0275-a84e-4ef3-ad40-b2b773be43ff" + "id": "AWDG9goqxQT5EBNmq4BP" }, { "name": "panel_8", "type": "visualization", - "id": "AWDG9goqxQT5EBNmq4BP" + "id": "5a4e8261-d65c-4b36-b3f4-5c272f18990f" }, { "name": "panel_9", - "type": "visualization", - "id": "5a4e8261-d65c-4b36-b3f4-5c272f18990f" + "type": "search", + "id": "0aca5333-3b1c-4cda-afb4-f7dd86910459" } ], "migrationVersion": { @@ -77,8 +77,8 @@ { "id": "aaa4fbb0-d5fe-4ef9-be76-405b977bcd5b", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5MCwxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU4NywxXQ==", "attributes": { "visState": "{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -104,11 +104,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -121,50 +121,11 @@ "visualization": "7.4.2" } }, - { - "id": "0aca5333-3b1c-4cda-afb4-f7dd86910459", - "type": "search", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5MiwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "Files - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "zeek_files.tx_hosts", - "dstIp", - "zeek_files.source", - "zeek.uid", - "zeek_files.fuid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "66d5d357-edce-450d-b5be-a5a00190e153", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5MywxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5MCwxXQ==", "attributes": { "visState": "{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.seen_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}", "description": "", @@ -190,8 +151,8 @@ { "id": "d3a0ac2e-73cf-462e-8b03-e6ff3b8612b7", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5NCwxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5MSwxXQ==", "attributes": { "visState": "{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -217,8 +178,8 @@ { "id": "9ba4473b-66f4-4aea-b19e-4309ec6534b8", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5NSwxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5MiwxXQ==", "attributes": { "visState": "{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.tx_hosts\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}", "description": "", @@ -244,8 +205,8 @@ { "id": "4474edda-47f0-4b74-b5d2-cbf012368c59", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5NiwxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5MywxXQ==", "attributes": { "title": "Files - MIME Type", "visState": "{\"title\":\"Files - MIME Type\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_files.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}", @@ -271,8 +232,8 @@ { "id": "b1cb0275-a84e-4ef3-ad40-b2b773be43ff", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5NywxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5NCwxXQ==", "attributes": { "visState": "{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", "description": "", @@ -298,8 +259,8 @@ { "id": "AWDG9goqxQT5EBNmq4BP", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5OCwxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5NSwxXQ==", "attributes": { "title": "Files - Log Count", "visState": "{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -325,8 +286,8 @@ { "id": "5a4e8261-d65c-4b36-b3f4-5c272f18990f", "type": "visualization", - "updated_at": "2019-12-18T16:20:42.110Z", - "version": "WzM5OSwxXQ==", + "updated_at": "2020-02-12T15:00:44.752Z", + "version": "WzU5NiwxXQ==", "attributes": { "title": "Files - Source", "visState": "{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}", @@ -348,6 +309,45 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "0aca5333-3b1c-4cda-afb4-f7dd86910459", + "type": "search", + "updated_at": "2020-02-12T15:36:31.616Z", + "version": "Wzg0MCwxXQ==", + "attributes": { + "title": "Files - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek_files.tx_hosts", + "dstIp", + "zeek_files.source", + "zeek_files.mime_type", + "zeek.uid", + "zeek.fuid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\",\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json index c2f3660c4..3e14a580b 100644 --- a/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "a16110b0-3f99-11e9-a58e-8bdedb0915e8", "type": "dashboard", - "updated_at": "2019-12-18T16:20:43.143Z", - "version": "WzQwNCwxXQ==", + "updated_at": "2020-02-13T15:37:51.002Z", + "version": "WzkzNiwxXQ==", "attributes": { "title": "Connections - Destination - Sum of Total Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"95f9b964-c2a2-416b-9903-8b969247e1ab\"},\"panelIndex\":\"95f9b964-c2a2-416b-9903-8b969247e1ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"7f315dd1-7809-49af-bed1-edfa12322240\"},\"panelIndex\":\"7f315dd1-7809-49af-bed1-edfa12322240\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "304de8c0-3f95-11e9-a58e-8bdedb0915e8" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,12 +67,12 @@ { "id": "304de8c0-3f95-11e9-a58e-8bdedb0915e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:43.143Z", - "version": "WzQwMiwxXQ==", + "updated_at": "2020-02-13T14:48:28.279Z", + "version": "Wzg3NywxXQ==", "attributes": { "title": "Connections - Destination - Sum of Total Bytes (region map)", - "visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", - "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", + "visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"sum\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Responder Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "uiStateJSON": "{\"mapCenter\":[38.14774734584061,16.699218750000004],\"mapZoom\":3}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -72,8 +82,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json index f46d049a9..34f71b5f5 100644 --- a/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json +++ b/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "a7514350-eba6-11e9-a384-0fcf32210194", "type": "dashboard", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxNywxXQ==", + "updated_at": "2020-02-12T21:37:07.159Z", + "version": "WzEyOTIsMV0=", "attributes": { "title": "PROFINET", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":69,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":34,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":50,\"w\":19,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":27,\"y\":50,\"w\":20,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":19,\"h\":17,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":27,\"y\":33,\"w\":21,\"h\":17,\"i\":\"10\"},\"version\":\"7.5.1\",\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":69,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":34,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":50,\"w\":19,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":27,\"y\":50,\"w\":21,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":33,\"w\":19,\"h\":17,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":27,\"y\":33,\"w\":21,\"h\":17,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -77,11 +77,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +97,8 @@ { "id": "bf41a680-eba6-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQwNiwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwMywxXQ==", "attributes": { "title": "PROFINET - Log Count", "visState": "{\"title\":\"PROFINET - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", @@ -128,8 +128,8 @@ { "id": "fcf95d10-eba6-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQwNywxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwNCwxXQ==", "attributes": { "title": "PROFINET - Logs Over Time", "visState": "{\"title\":\"PROFINET - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", @@ -159,8 +159,8 @@ { "id": "a0a10870-eba5-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQwOCwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwNSwxXQ==", "attributes": { "title": "PROFINET and Related - Logs", "description": "", @@ -200,8 +200,8 @@ { "id": "ec42baa0-eba8-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQwOSwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwNiwxXQ==", "attributes": { "title": "PROFINET - Source IP", "visState": "{\"title\":\"PROFINET - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcPort\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}", @@ -227,8 +227,8 @@ { "id": "0957f330-eba9-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxMCwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwNywxXQ==", "attributes": { "title": "PROFINET - Destination IP", "visState": "{\"title\":\"PROFINET - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", @@ -254,8 +254,8 @@ { "id": "41f36a70-ebaa-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxMSwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwOCwxXQ==", "attributes": { "title": "PROFINET - Operation", "visState": "{\"title\":\"PROFINET - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}}]}", @@ -281,8 +281,8 @@ { "id": "9dccb5f0-eba9-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxMiwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYwOSwxXQ==", "attributes": { "title": "PROFINET - Operation Details", "visState": "{\"title\":\"PROFINET - Operation Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.slot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Slot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.subslot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Subslot\"}}]}", @@ -308,8 +308,8 @@ { "id": "17319090-ebab-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxMywxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYxMCwxXQ==", "attributes": { "title": "PROFINET DCE/RPC - Operation", "visState": "{\"title\":\"PROFINET DCE/RPC - Operation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.operation\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}", @@ -335,8 +335,8 @@ { "id": "8022cc90-ebab-11e9-a384-0fcf32210194", "type": "visualization", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxNCwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYxMSwxXQ==", "attributes": { "title": "PROFINET DCE/RPC - Packet Type", "visState": "{\"title\":\"PROFINET DCE/RPC - Packet Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.packet_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Packet Type\"}}]}", @@ -362,8 +362,8 @@ { "id": "8524e670-eba5-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxNSwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYxMiwxXQ==", "attributes": { "title": "PROFINET - Logs", "description": "", @@ -403,8 +403,8 @@ { "id": "96d31d60-eba5-11e9-a384-0fcf32210194", "type": "search", - "updated_at": "2019-12-18T16:20:44.165Z", - "version": "WzQxNiwxXQ==", + "updated_at": "2020-02-12T15:00:46.801Z", + "version": "WzYxMywxXQ==", "attributes": { "title": "PROFINET DCE/RPC - Logs", "description": "", diff --git a/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json index 17b697ec2..dacb3098a 100644 --- a/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json +++ b/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "abdd7550-2c7c-40dc-947e-f6d186a158c4", "type": "dashboard", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQ0MywxXQ==", + "updated_at": "2020-02-12T23:24:16.730Z", + "version": "WzgzOCwxXQ==", "attributes": { "title": "Connections", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"x\":0,\"y\":98,\"w\":48,\"h\":16,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":134,\"w\":16,\"h\":21,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":134,\"w\":16,\"h\":21,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":195,\"w\":16,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":195,\"w\":16,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":195,\"w\":16,\"h\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":114,\"w\":48,\"h\":20,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"panelIndex\":\"21\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":28,\"y\":28,\"w\":20,\"h\":20,\"i\":\"22\"},\"panelIndex\":\"22\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"23\"},\"panelIndex\":\"23\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_11\"},{\"gridData\":{\"x\":8,\"y\":28,\"w\":20,\"h\":20,\"i\":\"24\"},\"panelIndex\":\"24\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":215,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_13\"},{\"gridData\":{\"x\":0,\"y\":91,\"w\":19,\"h\":7,\"i\":\"26\"},\"panelIndex\":\"26\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_14\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_15\"},{\"gridData\":{\"x\":19,\"y\":73,\"w\":29,\"h\":25,\"i\":\"30\"},\"panelIndex\":\"30\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_16\"},{\"gridData\":{\"x\":32,\"y\":134,\"w\":16,\"h\":21,\"i\":\"31\"},\"panelIndex\":\"31\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_17\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":175,\"w\":24,\"h\":20,\"i\":\"32\"},\"panelIndex\":\"32\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_18\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":175,\"w\":24,\"h\":20,\"i\":\"33\"},\"panelIndex\":\"33\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_19\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":155,\"w\":24,\"h\":20,\"i\":\"34\"},\"panelIndex\":\"34\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_20\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":155,\"w\":24,\"h\":20,\"i\":\"35\"},\"panelIndex\":\"35\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_21\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":25,\"i\":\"36\"},\"panelIndex\":\"36\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_22\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":25,\"i\":\"37\"},\"panelIndex\":\"37\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_23\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":73,\"w\":19,\"h\":18,\"i\":\"38\"},\"panelIndex\":\"38\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_24\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"h\":24,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":22,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":61},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":21,\"i\":\"8\",\"w\":16,\"x\":0,\"y\":131},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":21,\"i\":\"9\",\"w\":16,\"x\":16,\"y\":131},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":16,\"x\":0,\"y\":192},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":16,\"x\":16,\"y\":192},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":16,\"x\":32,\"y\":192},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":25,\"i\":\"19\",\"w\":25,\"x\":23,\"y\":106},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":29,\"i\":\"21\",\"w\":19,\"x\":29,\"y\":8},\"panelIndex\":\"21\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":23,\"i\":\"22\",\"w\":17,\"x\":16,\"y\":83},\"panelIndex\":\"22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":23,\"i\":\"23\",\"w\":15,\"x\":33,\"y\":83},\"panelIndex\":\"23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":23,\"i\":\"24\",\"w\":16,\"x\":0,\"y\":83},\"panelIndex\":\"24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":13,\"i\":\"26\",\"w\":8,\"x\":0,\"y\":24},\"panelIndex\":\"26\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"29\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":25,\"i\":\"30\",\"w\":23,\"x\":0,\"y\":106},\"panelIndex\":\"30\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":21,\"i\":\"31\",\"w\":16,\"x\":32,\"y\":131},\"panelIndex\":\"31\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"32\",\"w\":24,\"x\":0,\"y\":172},\"panelIndex\":\"32\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"33\",\"w\":24,\"x\":24,\"y\":172},\"panelIndex\":\"33\",\"embeddableConfig\":{},\"panelRefName\":\"panel_18\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"34\",\"w\":24,\"x\":0,\"y\":152},\"panelIndex\":\"34\",\"embeddableConfig\":{},\"panelRefName\":\"panel_19\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"35\",\"w\":24,\"x\":24,\"y\":152},\"panelIndex\":\"35\",\"embeddableConfig\":{},\"panelRefName\":\"panel_20\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":24,\"i\":\"36\",\"w\":24,\"x\":0,\"y\":37},\"panelIndex\":\"36\",\"embeddableConfig\":{},\"panelRefName\":\"panel_21\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":24,\"i\":\"37\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"37\",\"embeddableConfig\":{},\"panelRefName\":\"panel_22\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":29,\"i\":\"38\",\"w\":12,\"x\":17,\"y\":8},\"panelIndex\":\"38\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"legendOpen\":true},\"panelRefName\":\"panel_23\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":29,\"i\":\"cbba4b14-342c-4e8e-9afd-f4da9e4b8f00\",\"w\":9,\"x\":8,\"y\":8},\"panelIndex\":\"cbba4b14-342c-4e8e-9afd-f4da9e4b8f00\",\"embeddableConfig\":{},\"panelRefName\":\"panel_24\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":37,\"i\":\"82da0128-4dcd-4f8b-9275-aad74435296f\",\"w\":48,\"x\":0,\"y\":212},\"panelIndex\":\"82da0128-4dcd-4f8b-9275-aad74435296f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_25\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -86,63 +86,68 @@ }, { "name": "panel_13", - "type": "search", - "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" }, { "name": "panel_14", "type": "visualization", - "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" + "id": "AWDG71xFxQT5EBNmq336" }, { "name": "panel_15", "type": "visualization", - "id": "AWDG71xFxQT5EBNmq336" + "id": "f7ddb5a7-32d5-4e10-b9d5-01ac0bd694c0" }, { "name": "panel_16", "type": "visualization", - "id": "f7ddb5a7-32d5-4e10-b9d5-01ac0bd694c0" + "id": "568c74ff-3ef3-45ba-a178-0520633697bd" }, { "name": "panel_17", "type": "visualization", - "id": "568c74ff-3ef3-45ba-a178-0520633697bd" + "id": "73df67e0-1f4b-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_18", "type": "visualization", - "id": "73df67e0-1f4b-11e9-b7cf-71e2cd3bde1b" + "id": "b1851d10-1f4b-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_19", "type": "visualization", - "id": "b1851d10-1f4b-11e9-b7cf-71e2cd3bde1b" + "id": "cf9a1cf0-1f4c-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_20", "type": "visualization", - "id": "cf9a1cf0-1f4c-11e9-b7cf-71e2cd3bde1b" + "id": "b9e4dcb0-1f4c-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_21", "type": "visualization", - "id": "b9e4dcb0-1f4c-11e9-b7cf-71e2cd3bde1b" + "id": "c513e8f0-1f4d-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_22", "type": "visualization", - "id": "c513e8f0-1f4d-11e9-b7cf-71e2cd3bde1b" + "id": "b04c8b20-1f4d-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_23", "type": "visualization", - "id": "b04c8b20-1f4d-11e9-b7cf-71e2cd3bde1b" + "id": "ede811b0-1f4e-11e9-b7cf-71e2cd3bde1b" }, { "name": "panel_24", "type": "visualization", - "id": "ede811b0-1f4e-11e9-b7cf-71e2cd3bde1b" + "id": "adc09360-49c7-11ea-812f-2bc51df4ea1e" + }, + { + "name": "panel_25", + "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], "migrationVersion": { @@ -152,11 +157,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T22:17:04.378Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -172,8 +177,8 @@ { "id": "03eba854-72b5-47d0-a92a-b671a0d7ed19", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQxOSwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYxOSwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -199,8 +204,8 @@ { "id": "52013c7c-c554-450e-9198-dbafdc050459", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyMCwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYyMCwxXQ==", "attributes": { "title": "Connections - Service By Destination Country", "visState": "{\"title\":\"Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}", @@ -226,8 +231,8 @@ { "id": "13f8cfbf-7b48-414b-8b34-9fc40d4fc066", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyMSwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYyMSwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -253,8 +258,8 @@ { "id": "4ab657d5-88d3-44c0-90fd-4e731e528d60", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyMiwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYyMiwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -280,8 +285,8 @@ { "id": "d25f4abc-24af-405e-a6f6-873277fe5771", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyMywxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYyMywxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_code2\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", "description": "", @@ -307,8 +312,8 @@ { "id": "0eb7d869-bd51-4711-8ac3-f3cea41dee37", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyNCwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYyNCwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}", "description": "", @@ -334,8 +339,8 @@ { "id": "fccf0fdd-7e50-4dce-8b85-74141c404ef3", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyNSwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYyNSwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.missed_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}", "description": "", @@ -361,13 +366,13 @@ { "id": "bda3ad0a-aa00-40b6-b0ed-a42b96f3343e", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyNiwxXQ==", + "updated_at": "2020-02-12T23:15:34.955Z", + "version": "WzgyNSwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.conn_state_description\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State Description\"}}],\"listeners\":{}}", - "description": "", "title": "Connections - Connection State", + "visState": "{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Connection State Description\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.conn_state_description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State Description\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -376,8 +381,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -388,13 +393,13 @@ { "id": "73528008-f11d-4faa-8f69-a5bf23507b8f", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyNywxXQ==", + "updated_at": "2020-02-12T23:05:22.182Z", + "version": "WzgxNiwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.uid\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.uid\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}", - "description": "", "title": "Connections - Top 10 - Total Bytes By Connection", - "uiStateJSON": "{}", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":false,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Connection ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Connection ID\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.uid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.uid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection ID\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -403,8 +408,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -415,13 +420,13 @@ { "id": "faa08629-0011-4b38-8b74-3ba86b59155f", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyOCwxXQ==", + "updated_at": "2020-02-12T23:11:06.696Z", + "version": "WzgyMiwxXQ==", "attributes": { - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"totBytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"dstIp\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"dstIp\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination IP\",\"type\":\"histogram\"}", - "description": "", "title": "Connections - Top 10 - Total Bytes By Destination IP", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Destination IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP Address\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -430,8 +435,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -442,13 +447,13 @@ { "id": "0418f791-97b5-4eb4-b644-bf91c98f9c1d", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQyOSwxXQ==", + "updated_at": "2020-02-12T23:11:52.925Z", + "version": "WzgyMywxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max totBytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}", - "description": "", "title": "Connections - Top 10 - Total Bytes By Destination Port", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max totBytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Max totBytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -457,8 +462,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -469,13 +474,13 @@ { "id": "a76bc3ed-bbf7-429a-a936-475e9f9e0c0d", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzMCwxXQ==", + "updated_at": "2020-02-12T23:10:07.685Z", + "version": "WzgxOSwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}", - "description": "", "title": "Connections - Top 10 - Total Bytes By Source IP", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP Address\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -484,8 +489,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -493,58 +498,19 @@ "visualization": "7.4.2" } }, - { - "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", - "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "Connections - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzMiwxXQ==", + "updated_at": "2020-02-12T23:18:28.303Z", + "version": "WzgyOCwxXQ==", "attributes": { "title": "Connections - Maps", - "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) | [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) \\n[Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) | [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) \\n[Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) | [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) | [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) \\n[Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) | [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) \\n[Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) | [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source: Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination: Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source: Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination: Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source: Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination: Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source: Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination: Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source: Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination: Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source: Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination: Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\"}},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" } }, "references": [], @@ -555,8 +521,8 @@ { "id": "AWDG71xFxQT5EBNmq336", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzMywxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzMywxXQ==", "attributes": { "title": "Connections - Log Count", "visState": "{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -582,8 +548,8 @@ { "id": "f7ddb5a7-32d5-4e10-b9d5-01ac0bd694c0", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzNCwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzNCwxXQ==", "attributes": { "title": "Connections - Total Bytes Per Source/Destination IP Pair", "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"totBytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"srcIp\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"totBytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"dstIp\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"totBytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":15,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connections - Total Bytes Per Source/Destination IP Pair\",\"type\":\"table\"}", @@ -609,8 +575,8 @@ { "id": "568c74ff-3ef3-45ba-a178-0520633697bd", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzNSwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzNSwxXQ==", "attributes": { "title": "Connections - Destination Port", "visState": "{\"title\":\"Connections - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}", @@ -636,8 +602,8 @@ { "id": "73df67e0-1f4b-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzNiwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzNiwxXQ==", "attributes": { "title": "Connections - Source MAC OUI", "visState": "{\"title\":\"Connections - Source MAC OUI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.orig_l2_oui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}}]}", @@ -663,8 +629,8 @@ { "id": "b1851d10-1f4b-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzNywxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzNywxXQ==", "attributes": { "title": "Connections - Destination MAC OUI", "visState": "{\"title\":\"Connections - Destination MAC OUI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.resp_l2_oui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}}]}", @@ -690,8 +656,8 @@ { "id": "cf9a1cf0-1f4c-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzOCwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzOCwxXQ==", "attributes": { "title": "Connections - Source MAC Address", "visState": "{\"title\":\"Connections - Source MAC Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcMac\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcOui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Organizational Unique Identifier\"}}]}", @@ -717,8 +683,8 @@ { "id": "b9e4dcb0-1f4c-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQzOSwxXQ==", + "updated_at": "2020-02-12T22:16:47.983Z", + "version": "WzYzOSwxXQ==", "attributes": { "title": "Connections - Destination MAC Address", "visState": "{\"title\":\"Connections - Destination MAC Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstMac\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstOui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Organizational Unique Identifier\"}}]}", @@ -744,11 +710,11 @@ { "id": "c513e8f0-1f4d-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQ0MCwxXQ==", + "updated_at": "2020-02-12T23:03:16.658Z", + "version": "WzgxMiwxXQ==", "attributes": { "title": "Connections - Top 10 - Total Bytes By Source MAC OUI", - "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Source MAC OUI\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcOui\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"srcOui\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}}]}", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Source MAC OUI\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":false,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source MAC OUI\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source MAC OUI\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcOui\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"srcOui\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -759,8 +725,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -771,11 +737,11 @@ { "id": "b04c8b20-1f4d-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQ0MSwxXQ==", + "updated_at": "2020-02-12T23:04:08.623Z", + "version": "WzgxNCwxXQ==", "attributes": { "title": "Connections - Top 10 - Total Bytes By Destination MAC OUI", - "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Destination MAC OUI\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstOui\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstOui\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}}]}", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Destination MAC OUI\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":false,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination MAC OUI\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination MAC OUI\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstOui\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstOui\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -786,8 +752,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -798,12 +764,12 @@ { "id": "ede811b0-1f4e-11e9-b7cf-71e2cd3bde1b", "type": "visualization", - "updated_at": "2019-12-18T16:20:45.186Z", - "version": "WzQ0MiwxXQ==", + "updated_at": "2020-02-12T23:21:45.676Z", + "version": "WzgzNCwxXQ==", "attributes": { "title": "Connections - Protocol", - "visState": "{\"title\":\"Connections - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", - "uiStateJSON": "{}", + "visState": "{\"title\":\"Connections - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -813,14 +779,82 @@ }, "references": [ { + "name": "search_0", "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "adc09360-49c7-11ea-812f-2bc51df4ea1e", + "type": "visualization", + "updated_at": "2020-02-12T23:21:07.483Z", + "version": "WzgzMiwxXQ==", + "attributes": { + "title": "Network Layer", + "visState": "{\"title\":\"Network Layer\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Network Layer\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Layer\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", + "type": "search", + "updated_at": "2020-02-12T22:48:55.398Z", + "version": "WzgwMiwxXQ==", + "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json index 7fa6a732e..ea73c10b9 100644 --- a/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json +++ b/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "ae79b7d1-4281-4095-b2f6-fa7eafda9970", "type": "dashboard", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ1NSwxXQ==", + "updated_at": "2020-02-12T18:23:50.969Z", + "version": "WzEwMjYsMV0=", "attributes": { "title": "RADIUS", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":49,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":14,\"h\":22,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":27,\"w\":14,\"h\":22,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":49,\"w\":24,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":49,\"w\":24,\"h\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":22,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":73,\"w\":48,\"h\":35,\"i\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\"},\"panelIndex\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" } }, "references": [ @@ -51,28 +51,28 @@ }, { "name": "panel_6", - "type": "search", - "id": "33bc7949-5692-4044-9e3c-0791dc7d70c0" + "type": "visualization", + "id": "df8a9a16-7dc6-4004-91c0-337d7c7d6b4c" }, { "name": "panel_7", "type": "visualization", - "id": "df8a9a16-7dc6-4004-91c0-337d7c7d6b4c" + "id": "AWDHCgWzxQT5EBNmq4Y5" }, { "name": "panel_8", "type": "visualization", - "id": "AWDHCgWzxQT5EBNmq4Y5" + "id": "56f04556-a0c9-4b82-878b-8d5d9f29edd6" }, { "name": "panel_9", "type": "visualization", - "id": "56f04556-a0c9-4b82-878b-8d5d9f29edd6" + "id": "0299c83a-bd6c-40e6-bd18-01ee324ae7b0" }, { "name": "panel_10", - "type": "visualization", - "id": "0299c83a-bd6c-40e6-bd18-01ee324ae7b0" + "type": "search", + "id": "33bc7949-5692-4044-9e3c-0791dc7d70c0" } ], "migrationVersion": { @@ -82,11 +82,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -102,8 +102,8 @@ { "id": "4a3b4d78-6adc-4e6f-a7ae-180c6a58e49f", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ0NSwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY0MywxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -129,8 +129,8 @@ { "id": "799ed170-b759-4b14-8a05-8fbdb356ec0e", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ0NiwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY0NCwxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -156,8 +156,8 @@ { "id": "6f92b5d9-82b3-477f-9cd5-a68d62a2c804", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ0NywxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY0NSwxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -183,8 +183,8 @@ { "id": "45e768b2-e4b3-4e3f-8f1f-9a9300dedce6", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ0OCwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY0NiwxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_radius.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}", "description": "", @@ -210,8 +210,8 @@ { "id": "5d64df1a-dc17-475a-ac3b-99e5c4c244f6", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ0OSwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY0NywxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_radius.connect_info\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}", "description": "", @@ -234,50 +234,11 @@ "visualization": "7.4.2" } }, - { - "id": "33bc7949-5692-4044-9e3c-0791dc7d70c0", - "type": "search", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ1MCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "RADIUS - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "df8a9a16-7dc6-4004-91c0-337d7c7d6b4c", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ1MSwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY0OSwxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -303,8 +264,8 @@ { "id": "AWDHCgWzxQT5EBNmq4Y5", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ1MiwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY1MCwxXQ==", "attributes": { "title": "RADIUS - Log Count", "visState": "{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -330,8 +291,8 @@ { "id": "56f04556-a0c9-4b82-878b-8d5d9f29edd6", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ1MywxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY1MSwxXQ==", "attributes": { "title": "RADIUS - Username", "visState": "{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}", @@ -357,8 +318,8 @@ { "id": "0299c83a-bd6c-40e6-bd18-01ee324ae7b0", "type": "visualization", - "updated_at": "2019-12-18T16:20:46.215Z", - "version": "WzQ1NCwxXQ==", + "updated_at": "2020-02-12T15:00:48.864Z", + "version": "WzY1MiwxXQ==", "attributes": { "title": "RADIUS - Authentication Result", "visState": "{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_radius.result\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", @@ -380,6 +341,47 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "33bc7949-5692-4044-9e3c-0791dc7d70c0", + "type": "search", + "updated_at": "2020-02-12T18:23:26.526Z", + "version": "WzEwMjUsMV0=", + "attributes": { + "title": "RADIUS - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek.user", + "zeek_radius.mac", + "zeek_radius.framed_addr", + "zeek_radius.result", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:radius\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json index 00fde0bad..a9c09b080 100644 --- a/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json +++ b/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "af5df620-eeb6-11e9-bdef-65a192b7f586", @@ -10,7 +10,7 @@ "title": "NTP", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":29,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":24,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":19,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":27,\"y\":8,\"w\":21,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":20,\"i\":\"13\"},\"version\":\"7.5.1\",\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":29,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":24,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":19,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":27,\"y\":8,\"w\":21,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":20,\"i\":\"13\"},\"version\":\"7.6.2\",\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -81,7 +81,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json index 6e1917e34..62aec75ea 100644 --- a/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json +++ b/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "b50c8d17-6ed3-4de6-aed4-5181032810b2", "type": "dashboard", - "updated_at": "2019-12-18T16:20:48.251Z", - "version": "WzQ3MCwxXQ==", + "updated_at": "2020-02-13T15:35:28.915Z", + "version": "WzkyNywxXQ==", "attributes": { "title": "Connections - Source - Originator Bytes", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"5a871ebe-5904-4f52-ab3a-e3da4846933d\"},\"panelIndex\":\"5a871ebe-5904-4f52-ab3a-e3da4846933d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"3b635110-907e-457a-bfdf-b86a667a8483\"},\"panelIndex\":\"3b635110-907e-457a-bfdf-b86a667a8483\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "e959f9f2-e154-417f-a530-e1d7744ab9e4" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,8 +67,8 @@ { "id": "e959f9f2-e154-417f-a530-e1d7744ab9e4", "type": "visualization", - "updated_at": "2019-12-18T16:20:48.251Z", - "version": "WzQ2OCwxXQ==", + "updated_at": "2020-02-13T14:16:50.828Z", + "version": "WzY2OSwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Source - Originator Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json index 6749c245b..8f6324f4e 100644 --- a/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "b9f247c0-3f99-11e9-a58e-8bdedb0915e8", "type": "dashboard", - "updated_at": "2019-12-18T16:20:49.282Z", - "version": "WzQ3NCwxXQ==", + "updated_at": "2020-02-13T15:38:11.270Z", + "version": "WzkzOCwxXQ==", "attributes": { "title": "Connections - Destination - Top Connection Duration (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"c96be8c5-f3a1-4d01-a747-66cc2d298318\"},\"panelIndex\":\"c96be8c5-f3a1-4d01-a747-66cc2d298318\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"266c822f-c268-4e47-a53e-90b6ecf74660\"},\"panelIndex\":\"266c822f-c268-4e47-a53e-90b6ecf74660\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "9b1b6960-3f96-11e9-a58e-8bdedb0915e8" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,12 +67,12 @@ { "id": "9b1b6960-3f96-11e9-a58e-8bdedb0915e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:49.282Z", - "version": "WzQ3MiwxXQ==", + "updated_at": "2020-02-13T14:47:59.790Z", + "version": "Wzg3NSwxXQ==", "attributes": { "title": "Connections - Destination - Top Connection Duration (region map)", - "visState": "{\"title\":\"Connections - Destination - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", - "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", + "visState": "{\"title\":\"Connections - Destination - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Responder Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "uiStateJSON": "{\"mapCenter\":[38.28591031601368,16.875000000000004],\"mapZoom\":3}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -72,8 +82,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json index bbcd37232..94fb63ec2 100644 --- a/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json +++ b/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "bb827f8e-639e-468c-93c8-9f5bc132eb8f", "type": "dashboard", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ5MCwxXQ==", + "updated_at": "2020-02-12T19:41:07.956Z", + "version": "WzExNDYsMV0=", "attributes": { "title": "SMTP", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"}]", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":40,\"x\":8,\"y\":23},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":20,\"x\":8,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"11\",\"w\":10,\"x\":28,\"y\":8},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":13,\"x\":0,\"y\":65},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":13,\"x\":13,\"y\":65},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"16\",\"w\":22,\"x\":26,\"y\":65},\"panelIndex\":\"16\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":8,\"x\":0,\"y\":29},\"panelIndex\":\"19\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"20\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"633e2c8c-ef8e-48b1-b0a4-546a5adff4e4\",\"w\":10,\"x\":38,\"y\":8},\"panelIndex\":\"633e2c8c-ef8e-48b1-b0a4-546a5adff4e4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":40,\"i\":\"10319c5c-00bb-41a9-bbab-010e21fd4dfb\",\"w\":48,\"x\":0,\"y\":85},\"panelIndex\":\"10319c5c-00bb-41a9-bbab-010e21fd4dfb\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_13\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -66,33 +66,28 @@ }, { "name": "panel_9", - "type": "search", - "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" + "type": "visualization", + "id": "d622d8f0-64ce-45a6-8d66-9b04ddea2548" }, { "name": "panel_10", "type": "visualization", - "id": "d622d8f0-64ce-45a6-8d66-9b04ddea2548" + "id": "70d51476-219d-4792-b5fd-aee9992e1345" }, { "name": "panel_11", "type": "visualization", - "id": "bb1b9db7-3932-435c-b9bb-cdeaa004019b" + "id": "AWDHDsr0xQT5EBNmq4gw" }, { "name": "panel_12", "type": "visualization", - "id": "30588ef1-65cf-46e5-bca7-79112123d6b6" + "id": "38de7940-4dcd-11ea-8336-d3388483188b" }, { "name": "panel_13", - "type": "visualization", - "id": "70d51476-219d-4792-b5fd-aee9992e1345" - }, - { - "name": "panel_14", - "type": "visualization", - "id": "AWDHDsr0xQT5EBNmq4gw" + "type": "search", + "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" } ], "migrationVersion": { @@ -102,11 +97,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -122,8 +117,8 @@ { "id": "815aba5e-16e2-4fa1-ab37-b09c39562fe4", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ3NiwxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY3NCwxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -149,8 +144,8 @@ { "id": "63a89f9a-274c-4baa-9336-0d7cd6851bb6", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ3NywxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY3NSwxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.subject\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}", "description": "", @@ -176,11 +171,11 @@ { "id": "7e16fa6b-1793-4dcd-a19b-ff251bbd0265", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ3OCwxXQ==", + "updated_at": "2020-02-12T19:21:30.644Z", + "version": "WzExMTksMV0=", "attributes": { "title": "SMTP - Destination Country", - "visState": "{\"title\":\"SMTP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}", + "visState": "{\"title\":\"SMTP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -191,8 +186,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" } ], @@ -203,8 +198,8 @@ { "id": "de856f53-42d1-4ffc-8182-5f275cf40006", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ3OSwxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY3NywxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.mailfrom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}", "description": "", @@ -230,8 +225,8 @@ { "id": "45314b56-b8ba-4a89-9cb0-8d2a0e7ebd2e", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4MCwxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY3OCwxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.rcptto\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}", "description": "", @@ -257,13 +252,13 @@ { "id": "77e86ab5-725a-4512-8c05-5250529b4385", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4MSwxXQ==", + "updated_at": "2020-02-12T19:22:32.887Z", + "version": "WzExMjIsMV0=", "attributes": { - "visState": "{\"title\":\"SMTP - TLS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smtp.tls\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", "title": "SMTP - TLS", - "uiStateJSON": "{}", + "visState": "{\"title\":\"SMTP - TLS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Using TLS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Using TLS\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -272,8 +267,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" } ], @@ -284,8 +279,8 @@ { "id": "ab85a06b-e513-4c8b-b80b-7283f5f1b066", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4MiwxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY4MCwxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -311,8 +306,8 @@ { "id": "ceaa93c5-1a76-469b-b3b3-bf4f9d6315c5", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4MywxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY4MSwxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -335,50 +330,11 @@ "visualization": "7.4.2" } }, - { - "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff", - "type": "search", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4NCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "SMTP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "d622d8f0-64ce-45a6-8d66-9b04ddea2548", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4NSwxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY4MywxXQ==", "attributes": { "visState": "{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", @@ -402,15 +358,15 @@ } }, { - "id": "bb1b9db7-3932-435c-b9bb-cdeaa004019b", + "id": "70d51476-219d-4792-b5fd-aee9992e1345", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4NiwxXQ==", + "updated_at": "2020-02-12T19:26:48.647Z", + "version": "WzExMjgsMV0=", "attributes": { - "visState": "{\"title\":\"SMTP - Webmail - True/False\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smtp.is_webmail\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}", + "title": "SMTP - Destination Port", + "visState": "{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", - "title": "SMTP - Webmail - True/False", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -419,8 +375,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" } ], @@ -429,15 +385,15 @@ } }, { - "id": "30588ef1-65cf-46e5-bca7-79112123d6b6", + "id": "AWDHDsr0xQT5EBNmq4gw", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4NywxXQ==", + "updated_at": "2020-02-12T15:00:52.948Z", + "version": "WzY4NywxXQ==", "attributes": { - "visState": "{\"title\":\"SMTP - TLS - True/False\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smtp.tls\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}", + "title": "SMTP - Log Count", + "visState": "{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "SMTP - TLS - True/False", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -456,15 +412,15 @@ } }, { - "id": "70d51476-219d-4792-b5fd-aee9992e1345", + "id": "38de7940-4dcd-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4OCwxXQ==", + "updated_at": "2020-02-12T19:24:00.595Z", + "version": "WzExMjQsMV0=", "attributes": { - "visState": "{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", + "title": "SMTP - Webmail", + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Is Webmail\",\"field\":\"zeek_smtp.is_webmail\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Unknown\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"Using TLS\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"SMTP - Webmail\",\"type\":\"pie\"}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", - "title": "SMTP - Destination Port", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -473,8 +429,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" } ], @@ -483,30 +439,43 @@ } }, { - "id": "AWDHDsr0xQT5EBNmq4gw", - "type": "visualization", - "updated_at": "2019-12-18T16:20:50.306Z", - "version": "WzQ4OSwxXQ==", + "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff", + "type": "search", + "updated_at": "2020-02-12T19:39:39.650Z", + "version": "WzExNDMsMV0=", "attributes": { - "title": "SMTP - Log Count", - "visState": "{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "SMTP - Logs", "description": "", + "hits": 0, + "columns": [ + "zeek_smtp.x_originating_ip", + "srcIp", + "dstIp", + "dstPort", + "zeek_smtp.mailfrom", + "zeek_smtp.user_agent", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:smtp\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { - "type": "search", - "name": "search_0", - "id": "c999cb1b-03c8-446e-92ea-addad33ac1ff" + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" } ], "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" } } ] diff --git a/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json index 42259d51b..111b2b3ef 100644 --- a/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json +++ b/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "bed185a0-ef82-11e9-b38a-2db3ee640e88", @@ -10,7 +10,7 @@ "title": "Tabular Data Stream", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":34,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":7,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":14,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":11,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":35,\"y\":14,\"w\":13,\"h\":20,\"i\":\"7\"},\"version\":\"7.5.1\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":34,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":7,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":14,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":11,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":35,\"y\":14,\"w\":13,\"h\":20,\"i\":\"7\"},\"version\":\"7.6.2\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -66,7 +66,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index f50d9e94b..39c63f76b 100644 --- a/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json +++ b/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "caef3ade-d289-4d05-a511-149f3e97f238", "type": "dashboard", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUxMCwxXQ==", + "updated_at": "2020-02-12T20:23:39.553Z", + "version": "WzExOTcsMV0=", "attributes": { "title": "SSH", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":30,\"w\":17,\"h\":22,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":17,\"y\":30,\"w\":17,\"h\":22,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":34,\"y\":30,\"w\":14,\"h\":22,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":52,\"w\":18,\"h\":21,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":8,\"w\":28,\"h\":22,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":22,\"i\":\"1becdc6f-a3f4-46f7-b5b0-72a67a679e0f\"},\"panelIndex\":\"1becdc6f-a3f4-46f7-b5b0-72a67a679e0f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":18,\"y\":52,\"w\":15,\"h\":21,\"i\":\"68d1576b-a947-46f9-a99d-b951a09a95c7\"},\"panelIndex\":\"68d1576b-a947-46f9-a99d-b951a09a95c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":33,\"y\":52,\"w\":15,\"h\":21,\"i\":\"4a419bd4-4f84-446b-b269-1f6f1c2c27fe\"},\"panelIndex\":\"4a419bd4-4f84-446b-b269-1f6f1c2c27fe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":73,\"w\":24,\"h\":21,\"i\":\"db42e16c-0961-4dda-a58a-dd44b5197bcf\"},\"panelIndex\":\"db42e16c-0961-4dda-a58a-dd44b5197bcf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":73,\"w\":24,\"h\":21,\"i\":\"26424c79-7bf6-45f0-bf5c-ca687818490b\"},\"panelIndex\":\"26424c79-7bf6-45f0-bf5c-ca687818490b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":94,\"w\":48,\"h\":36,\"i\":\"4afc3dad-4ba2-4e21-9f31-87453145b668\"},\"panelIndex\":\"4afc3dad-4ba2-4e21-9f31-87453145b668\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -41,33 +41,53 @@ }, { "name": "panel_4", - "type": "search", - "id": "88a40703-9791-4f96-bc06-992f96c9b350" + "type": "visualization", + "id": "1b6d266e-e726-4fcb-b752-6cf55322c900" }, { "name": "panel_5", "type": "visualization", - "id": "1b6d266e-e726-4fcb-b752-6cf55322c900" + "id": "4d7cb8d4-9f67-4469-b3f5-74d6fb942d35" }, { "name": "panel_6", "type": "visualization", - "id": "78fd6107-9ac0-4415-b1ff-55da745835c8" + "id": "AWDHEYk4xQT5EBNmq4k5" }, { "name": "panel_7", "type": "visualization", - "id": "4d7cb8d4-9f67-4469-b3f5-74d6fb942d35" + "id": "35ca43f9-14cc-4266-8a55-25f859530ba2" }, { "name": "panel_8", "type": "visualization", - "id": "AWDHEYk4xQT5EBNmq4k5" + "id": "eba2e900-4dd0-11ea-8336-d3388483188b" }, { "name": "panel_9", "type": "visualization", - "id": "35ca43f9-14cc-4266-8a55-25f859530ba2" + "id": "baa06220-4dd4-11ea-8336-d3388483188b" + }, + { + "name": "panel_10", + "type": "visualization", + "id": "90422180-4dd4-11ea-8336-d3388483188b" + }, + { + "name": "panel_11", + "type": "visualization", + "id": "3760b940-4dd5-11ea-8336-d3388483188b" + }, + { + "name": "panel_12", + "type": "visualization", + "id": "562d3ec0-4dd5-11ea-8336-d3388483188b" + }, + { + "name": "panel_13", + "type": "search", + "id": "88a40703-9791-4f96-bc06-992f96c9b350" } ], "migrationVersion": { @@ -77,11 +97,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -97,8 +117,8 @@ { "id": "14e6c4af-72c5-4ce3-94fc-0cb1d501af96", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwMSwxXQ==", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzY5OSwxXQ==", "attributes": { "visState": "{\"title\":\"SSH - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -124,8 +144,8 @@ { "id": "17a08d5e-7ee7-43ed-b7f4-eaed153bdb7d", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwMiwxXQ==", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzcwMCwxXQ==", "attributes": { "visState": "{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -151,8 +171,8 @@ { "id": "71ef0954-81c5-4953-b455-f996b21e8f08", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwMywxXQ==", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzcwMSwxXQ==", "attributes": { "visState": "{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -176,53 +196,41 @@ } }, { - "id": "88a40703-9791-4f96-bc06-992f96c9b350", - "type": "search", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwNCwxXQ==", + "id": "1b6d266e-e726-4fcb-b752-6cf55322c900", + "type": "visualization", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzcwMywxXQ==", "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, + "visState": "{\"title\":\"SSH - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", - "title": "SSH - Logs", + "title": "SSH - Destination Port", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"filter\":[]}" }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "savedSearchRefName": "search_0" }, "references": [ { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" + "type": "search", + "name": "search_0", + "id": "88a40703-9791-4f96-bc06-992f96c9b350" } ], "migrationVersion": { - "search": "7.4.0" + "visualization": "7.4.2" } }, { - "id": "1b6d266e-e726-4fcb-b752-6cf55322c900", + "id": "4d7cb8d4-9f67-4469-b3f5-74d6fb942d35", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwNSwxXQ==", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzcwNSwxXQ==", "attributes": { - "visState": "{\"title\":\"SSH - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.client\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", "description": "", - "title": "SSH - Destination Port", + "title": "SSH - Client/Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { @@ -242,15 +250,15 @@ } }, { - "id": "78fd6107-9ac0-4415-b1ff-55da745835c8", + "id": "AWDHEYk4xQT5EBNmq4k5", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwNiwxXQ==", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzcwNiwxXQ==", "attributes": { - "visState": "{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssh.auth_success\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}", + "title": "SSH - Log Count", + "visState": "{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", - "title": "SSH - Authentication Success", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -269,18 +277,18 @@ } }, { - "id": "4d7cb8d4-9f67-4469-b3f5-74d6fb942d35", + "id": "35ca43f9-14cc-4266-8a55-25f859530ba2", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwNywxXQ==", + "updated_at": "2020-02-12T15:00:55.035Z", + "version": "WzcwNywxXQ==", "attributes": { - "visState": "{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.client\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", - "description": "", - "title": "SSH - Client/Server", + "title": "SSH -Server", + "visState": "{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" }, "savedSearchRefName": "search_0" }, @@ -296,25 +304,79 @@ } }, { - "id": "AWDHEYk4xQT5EBNmq4k5", + "id": "eba2e900-4dd0-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwOCwxXQ==", + "updated_at": "2020-02-12T19:50:29.007Z", + "version": "WzExNjUsMV0=", "attributes": { - "title": "SSH - Log Count", - "visState": "{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "SSH - Version", + "visState": "{\"title\":\"SSH - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SSH Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssh.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"SSH Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "88a40703-9791-4f96-bc06-992f96c9b350" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "baa06220-4dd4-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-12T20:17:44.770Z", + "version": "WzExODgsMV0=", + "attributes": { + "title": "SSH - Client Algorithms", + "visState": "{\"title\":\"SSH - Client Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Algorithms Offered by Server\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Client\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { + "name": "search_0", "type": "search", + "id": "88a40703-9791-4f96-bc06-992f96c9b350" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "90422180-4dd4-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-12T20:17:00.578Z", + "version": "WzExODcsMV0=", + "attributes": { + "title": "SSH - Server Algorithms", + "visState": "{\"title\":\"SSH - Server Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Algorithms Offered by Client\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshServerAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Server\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { "name": "search_0", + "type": "search", "id": "88a40703-9791-4f96-bc06-992f96c9b350" } ], @@ -323,31 +385,99 @@ } }, { - "id": "35ca43f9-14cc-4266-8a55-25f859530ba2", + "id": "3760b940-4dd5-11ea-8336-d3388483188b", "type": "visualization", - "updated_at": "2019-12-18T16:20:52.344Z", - "version": "WzUwOSwxXQ==", + "updated_at": "2020-02-12T20:22:30.387Z", + "version": "WzExOTQsMV0=", "attributes": { - "title": "SSH -Server", - "visState": "{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}", + "title": "SSH - HASSH Client Hash", + "visState": "{\"title\":\"SSH - HASSH Client Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"HASSH Client Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hassh\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Client Hash\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{}" }, "savedSearchRefName": "search_0" }, "references": [ { + "name": "search_0", "type": "search", + "id": "88a40703-9791-4f96-bc06-992f96c9b350" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "562d3ec0-4dd5-11ea-8336-d3388483188b", + "type": "visualization", + "updated_at": "2020-02-12T20:22:05.740Z", + "version": "WzExOTMsMV0=", + "attributes": { + "title": "SSH - HASSH Server Hash", + "visState": "{\"title\":\"SSH - HASSH Server Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"HASSH Client Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshServer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Server Hash\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { "name": "search_0", + "type": "search", "id": "88a40703-9791-4f96-bc06-992f96c9b350" } ], "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "88a40703-9791-4f96-bc06-992f96c9b350", + "type": "search", + "updated_at": "2020-02-12T20:12:43.078Z", + "version": "WzExODEsMV0=", + "attributes": { + "title": "SSH - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_ssh.auth_success", + "zeek_ssh.sshka", + "zeek_ssh.cipher_alg", + "zeek_ssh.mac_alg", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssh\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json b/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json deleted file mode 100644 index 42d47b481..000000000 --- a/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json +++ /dev/null @@ -1,845 +0,0 @@ -{ - "version": "7.5.1", - "objects": [ - { - "id": "d15a9d40-5c3e-492f-8e17-67a5d6862a3a", - "type": "dashboard", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzNSwxXQ==", - "attributes": { - "title": "Indicator", - "hits": 0, - "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":120,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"18\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"node\",\"alert_level\",\"description\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"20\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"22\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"},{\"panelIndex\":\"26\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_16\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_17\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_18\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "references": [ - { - "name": "panel_0", - "type": "visualization", - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" - }, - { - "name": "panel_1", - "type": "visualization", - "id": "4f606c47-ce70-4546-84c0-47d3fafb5751" - }, - { - "name": "panel_2", - "type": "visualization", - "id": "8a3a0bd6-555d-45c6-bf3d-d2b8598e9926" - }, - { - "name": "panel_3", - "type": "visualization", - "id": "2c18f5be-4023-40fb-8de6-7b490045520b" - }, - { - "name": "panel_4", - "type": "visualization", - "id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa" - }, - { - "name": "panel_5", - "type": "visualization", - "id": "c3c266ad-58c5-45f4-a463-180b531bd96e" - }, - { - "name": "panel_6", - "type": "visualization", - "id": "be7d9516-7555-407f-9971-0394c7e822e4" - }, - { - "name": "panel_7", - "type": "visualization", - "id": "cc206fe4-dad8-4e98-8bee-648186e6f160" - }, - { - "name": "panel_8", - "type": "visualization", - "id": "727d7b36-4153-4c51-b723-2700a3c815f1" - }, - { - "name": "panel_9", - "type": "search", - "id": "58822c6d-5c84-4d33-a623-ce740be2c057" - }, - { - "name": "panel_10", - "type": "search", - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" - }, - { - "name": "panel_11", - "type": "visualization", - "id": "e22ccafa-aad2-4897-8a15-ca114f31464c" - }, - { - "name": "panel_12", - "type": "visualization", - "id": "a6cacf2a-7cf5-4991-be10-474429651b51" - }, - { - "name": "panel_13", - "type": "visualization", - "id": "8486949c-3592-4831-9020-59bfd968ccfa" - }, - { - "name": "panel_14", - "type": "visualization", - "id": "a3d7ae56-264b-4e8f-9c45-242bff74179d" - }, - { - "name": "panel_15", - "type": "visualization", - "id": "519823ff-ee5b-4051-9dd5-0467e595ab25" - }, - { - "name": "panel_16", - "type": "visualization", - "id": "40d65c7d-c62a-4115-80dd-ba239ee74df6" - }, - { - "name": "panel_17", - "type": "visualization", - "id": "45ccdb84-8eec-45ca-b7d3-dd8e28fa8ee7" - }, - { - "name": "panel_18", - "type": "visualization", - "id": "cc670ed6-87d2-494e-91ee-4a84be7cadc4" - } - ], - "migrationVersion": { - "dashboard": "7.3.0" - } - }, - { - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", - "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", - "attributes": { - "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "references": [], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "4f606c47-ce70-4546-84c0-47d3fafb5751", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxMiwxXQ==", - "attributes": { - "title": "Data Types", - "visState": "{\"title\":\"Data Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.logType\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "8a3a0bd6-555d-45c6-bf3d-d2b8598e9926", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxMywxXQ==", - "attributes": { - "visState": "{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}", - "description": "", - "title": "DNS - Query/Answer", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "2c18f5be-4023-40fb-8de6-7b490045520b", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNCwxXQ==", - "attributes": { - "visState": "{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", - "description": "", - "title": "HTTP - Source IP Address", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNSwxXQ==", - "attributes": { - "visState": "{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", - "description": "", - "title": "HTTP - Destination IP Address", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "c3c266ad-58c5-45f4-a463-180b531bd96e", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNiwxXQ==", - "attributes": { - "visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", - "description": "", - "title": "HTTP - Sites", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "be7d9516-7555-407f-9971-0394c7e822e4", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxNywxXQ==", - "attributes": { - "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", - "description": "", - "title": "HTTP - Sites Hosting EXEs", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "cc206fe4-dad8-4e98-8bee-648186e6f160", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxOCwxXQ==", - "attributes": { - "visState": "{\"title\":\"NIDS - Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "NIDS - Alerts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "1a9147fe-9214-466e-9ae9-8e674a7a4631" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "727d7b36-4153-4c51-b723-2700a3c815f1", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUxOSwxXQ==", - "attributes": { - "title": "DNS - Query Class", - "visState": "{\"title\":\"DNS - Query Class\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dns.qclass_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "58822c6d-5c84-4d33-a623-ce740be2c057", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "OSSEC - Alerts", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"zeek.logType:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "alert_level", - "classification", - "description" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - }, - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "All Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "e22ccafa-aad2-4897-8a15-ca114f31464c", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMiwxXQ==", - "attributes": { - "visState": "{\"title\":\"HTTP - MIME Type\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_http.resp_mime_types\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", - "description": "", - "title": "HTTP - MIME Type", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "a6cacf2a-7cf5-4991-be10-474429651b51", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyMywxXQ==", - "attributes": { - "title": "HTTP - Destination Port", - "visState": "{\"title\":\"HTTP - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "8486949c-3592-4831-9020-59bfd968ccfa", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyNCwxXQ==", - "attributes": { - "visState": "{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", - "description": "", - "title": "SSL - Server", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "b945a684-0841-4e86-87aa-0f1af6fb6579" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "a3d7ae56-264b-4e8f-9c45-242bff74179d", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyNSwxXQ==", - "attributes": { - "title": "DNS - Server", - "visState": "{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "519823ff-ee5b-4051-9dd5-0467e595ab25", - "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU2OSwxXQ==", - "attributes": { - "visState": "{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.note\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}", - "description": "", - "title": "Notices - Notice Type", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "40d65c7d-c62a-4115-80dd-ba239ee74df6", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyNywxXQ==", - "attributes": { - "title": "Sensors - Sensor and Services", - "visState": "{\"title\":\"Sensors - Sensor and Services\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "45ccdb84-8eec-45ca-b7d3-dd8e28fa8ee7", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyOCwxXQ==", - "attributes": { - "title": "Top 50 - Source IP Address", - "visState": "{\"title\":\"Top 50 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "cc670ed6-87d2-494e-91ee-4a84be7cadc4", - "type": "visualization", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUyOSwxXQ==", - "attributes": { - "title": "Top 50 - Destination IP Address", - "visState": "{\"title\":\"Top 50 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMCwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "DNS - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "HTTP - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "dstIp", - "dstPort", - "zeek_http.resp_fuids", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "1a9147fe-9214-466e-9ae9-8e674a7a4631", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMiwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "NIDS - Alerts", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:snort\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "b945a684-0841-4e86-87aa-0f1af6fb6579", - "type": "search", - "updated_at": "2019-12-18T16:20:53.365Z", - "version": "WzUzMywxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "SSL - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, - { - "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c", - "type": "search", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3NSwxXQ==", - "attributes": { - "title": "Notices - Logs", - "description": "", - "hits": 0, - "columns": [ - "zeek_notice.note", - "srcIp", - "dstIp", - "zeek.uid", - "_id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - } - ] -} \ No newline at end of file diff --git a/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json index 332203b06..cdff68619 100644 --- a/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "d41fe630-3f98-11e9-a58e-8bdedb0915e8", "type": "dashboard", - "updated_at": "2019-12-18T16:20:54.394Z", - "version": "WzUzOSwxXQ==", + "updated_at": "2020-02-13T15:37:14.067Z", + "version": "WzkzMywxXQ==", "attributes": { "title": "Connections - Source - Originator Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"aa2d7102-11ce-426c-9979-82d5bd6d6d3b\"},\"panelIndex\":\"aa2d7102-11ce-426c-9979-82d5bd6d6d3b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"8519445c-b38a-4d86-bff3-e42b2b231ca4\"},\"panelIndex\":\"8519445c-b38a-4d86-bff3-e42b2b231ca4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "89122c10-3f94-11e9-a58e-8bdedb0915e8" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,12 +67,12 @@ { "id": "89122c10-3f94-11e9-a58e-8bdedb0915e8", "type": "visualization", - "updated_at": "2019-12-18T16:20:54.394Z", - "version": "WzUzNywxXQ==", + "updated_at": "2020-02-13T14:46:55.253Z", + "version": "Wzg3MCwxXQ==", "attributes": { "title": "Connections - Source - Originator Bytes (region map)", - "visState": "{\"title\":\"Connections - Source - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", - "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", + "visState": "{\"title\":\"Connections - Source - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Originator Bytes\",\"aggType\":\"cardinality\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "uiStateJSON": "{\"mapCenter\":[37.73168660636539,16.171875000000004],\"mapZoom\":3}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -72,8 +82,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" } ], @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json index 1200e30e6..2af3415c3 100644 --- a/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json +++ b/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "d4fd6afd-15cb-42bf-8a25-03dd8e59b327", "type": "dashboard", - "updated_at": "2019-12-18T16:20:55.423Z", - "version": "WzU0MywxXQ==", + "updated_at": "2020-02-13T15:35:20.365Z", + "version": "WzkyNiwxXQ==", "attributes": { "title": "Connections - Destination - Responder Bytes", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"d4b659f9-f6be-441e-a6c4-ea4acab7619d\"},\"panelIndex\":\"d4b659f9-f6be-441e-a6c4-ea4acab7619d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"a23bbf3d-6744-4dc7-a46a-50f450b6bff4\"},\"panelIndex\":\"a23bbf3d-6744-4dc7-a46a-50f450b6bff4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "ba8e479e-49b0-427e-a919-72aa774cedba" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,8 +67,8 @@ { "id": "ba8e479e-49b0-427e-a919-72aa774cedba", "type": "visualization", - "updated_at": "2019-12-18T16:20:55.423Z", - "version": "WzU0MSwxXQ==", + "updated_at": "2020-02-13T14:16:57.026Z", + "version": "WzcyMCwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Destination - Responder Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json index 01a3383a8..55ce598cc 100644 --- a/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json +++ b/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "e09a4b86-29b5-4256-bb3b-802ac9f90404", "type": "dashboard", - "updated_at": "2019-12-18T16:20:56.449Z", - "version": "WzU0NywxXQ==", + "updated_at": "2020-02-13T15:36:49.938Z", + "version": "WzkzMSwxXQ==", "attributes": { "title": "Connections - Source - Top Connection Duration", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"03359f20-178f-4878-b423-ec2b347e5d9a\"},\"panelIndex\":\"03359f20-178f-4878-b423-ec2b347e5d9a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"e854052a-b93b-4de5-8ae3-46cef99a54ce\"},\"panelIndex\":\"e854052a-b93b-4de5-8ae3-46cef99a54ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "66e7f9d4-2a90-4708-b313-ca1cc2dbd89f" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,8 +67,8 @@ { "id": "66e7f9d4-2a90-4708-b313-ca1cc2dbd89f", "type": "visualization", - "updated_at": "2019-12-18T16:20:56.449Z", - "version": "WzU0NSwxXQ==", + "updated_at": "2020-02-13T14:16:58.049Z", + "version": "WzcyNCwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Source - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json index b8fbe1d36..0b5e17bda 100644 --- a/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json +++ b/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "e76d05c0-eb9f-11e9-a384-0fcf32210194", @@ -10,7 +10,7 @@ "title": "S7comm", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":51,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":34,\"w\":20,\"h\":17,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":20,\"h\":17,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":14,\"w\":20,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":20,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":51,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":34,\"w\":20,\"h\":17,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":20,\"h\":17,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":14,\"w\":20,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":20,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -81,7 +81,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json index 679477fcd..44b86efc3 100644 --- a/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "ed8a6640-3f98-11e9-a58e-8bdedb0915e8", @@ -10,7 +10,7 @@ "title": "Connections - Source - Responder Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.5.1\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.6.2\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -41,7 +41,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -61,7 +61,7 @@ "version": "WzU2MiwxXQ==", "attributes": { "title": "Connections - Source - Responder Bytes (region map)", - "visState": "{\"title\":\"Connections - Source - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"http://localhost:28991/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "visState": "{\"title\":\"Connections - Source - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", "description": "", "version": 1, @@ -84,30 +84,32 @@ { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-12T22:48:55.398Z", + "version": "WzgwMiwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json index c862ddd67..58252c53d 100644 --- a/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json +++ b/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "f1f09567-fc7f-450b-a341-19d2f2bb468b", "type": "dashboard", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3OCwxXQ==", + "updated_at": "2020-02-13T19:30:36.016Z", + "version": "WzgzNSwxXQ==", "attributes": { "title": "Notices", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]", + "panelsJSON": "[{\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":11,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":13,\"x\":0,\"y\":30},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"8\",\"w\":13,\"x\":13,\"y\":30},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"11\",\"w\":17,\"x\":8,\"y\":11},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":67},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":67},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"14\",\"w\":11,\"x\":25,\"y\":11},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":49},\"panelIndex\":\"15\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"17\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18\",\"w\":22,\"x\":26,\"y\":30},\"panelIndex\":\"18\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":19,\"i\":\"19\",\"w\":12,\"x\":36,\"y\":11},\"panelIndex\":\"19\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_12\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" } }, "references": [ @@ -92,13 +92,13 @@ { "id": "0455b814-9b8e-4895-985d-c0d484bb025c", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU2NSwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc2NiwxXQ==", "attributes": { - "visState": "{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", - "description": "", "title": "Notices - Log Count Over Time", + "visState": "{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"params\":{\"date\":true,\"interval\":\"PT1S\",\"intervalESValue\":1,\"intervalESUnit\":\"s\",\"format\":\"HH:mm:ss\",\"bounds\":{\"min\":\"2017-04-16T17:22:12.510Z\",\"max\":\"2017-04-16T17:23:40.195Z\"}},\"label\":\"firstPacket per second\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2017-04-16T17:22:12.510Z\",\"to\":\"2017-04-16T17:23:40.195Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -107,8 +107,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" } ], @@ -119,11 +119,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T19:05:04.060Z", + "version": "WzgwMCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -139,8 +139,8 @@ { "id": "abb2c718-e1f5-4b59-9c3d-54082ee3a407", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU2NywxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc2OCwxXQ==", "attributes": { "visState": "{\"title\":\"Notices - Source IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -166,8 +166,8 @@ { "id": "af961658-7f3d-4f88-b35f-76d1b6f49002", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU2OCwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc2OSwxXQ==", "attributes": { "visState": "{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -193,13 +193,13 @@ { "id": "519823ff-ee5b-4051-9dd5-0467e595ab25", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU2OSwxXQ==", + "updated_at": "2020-02-13T19:11:54.959Z", + "version": "WzgyMCwxXQ==", "attributes": { - "visState": "{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.note\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}", - "description": "", "title": "Notices - Notice Type", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "visState": "{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -208,8 +208,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" } ], @@ -220,8 +220,8 @@ { "id": "8f4a6c67-6833-4c53-b874-4341df5f181d", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3MCwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3MSwxXQ==", "attributes": { "visState": "{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", "description": "", @@ -247,8 +247,8 @@ { "id": "47adad3a-a0d2-46eb-a957-1886abd4472d", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3MSwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3MiwxXQ==", "attributes": { "visState": "{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.file_desc\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", "description": "", @@ -274,11 +274,11 @@ { "id": "8a911a83-3962-44b8-be39-b54532f51b46", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3MiwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3MywxXQ==", "attributes": { "title": "Notice - Destination Port", - "visState": "{\"title\":\"Notice - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}", + "visState": "{\"title\":\"Notice - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -289,8 +289,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" } ], @@ -301,13 +301,13 @@ { "id": "8da041f0-ea80-4841-aabc-ae32c40f20c5", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3MywxXQ==", + "updated_at": "2020-02-13T19:18:14.196Z", + "version": "WzgyNCwxXQ==", "attributes": { - "visState": "{\"title\":\"Notice - Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}", + "title": "Notice - Message Details", + "visState": "{\"title\":\"Notice - Message Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Message\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Sub-Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Subcategory\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subcategory\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sub-Message\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", - "title": "Notice - Message/Sub-Message", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -316,8 +316,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" } ], @@ -328,8 +328,8 @@ { "id": "AWDG1uC-xQT5EBNmq3dP", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3NCwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3NSwxXQ==", "attributes": { "title": "Notices - Log Count", "visState": "{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -355,18 +355,18 @@ { "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c", "type": "search", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3NSwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Notices - Logs", "description": "", "hits": 0, "columns": [ - "zeek_notice.note", + "zeek_notice.category", + "zeek_notice.sub_category", "srcIp", "dstIp", - "zeek.uid", - "_id" + "zeek.uid" ], "sort": [ [ @@ -376,7 +376,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -393,12 +393,12 @@ { "id": "cd33ef1d-d5b8-43aa-8ae1-2534f0b79759", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3NiwxXQ==", + "updated_at": "2020-02-13T19:05:00.984Z", + "version": "Wzc3NywxXQ==", "attributes": { - "title": "Notices - Notice Types", - "visState": "{\"title\":\"Notices - Notice Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.note\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "title": "Notices - Notice Types by Source and Destination", + "visState": "{\"title\":\"Notices - Notice Types by Source and Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Note\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP Address\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP Address\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -408,8 +408,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" } ], @@ -420,12 +420,12 @@ { "id": "559cf002-6086-4655-908e-d1f757cd58a9", "type": "visualization", - "updated_at": "2019-12-18T16:20:59.520Z", - "version": "WzU3NywxXQ==", + "updated_at": "2020-02-13T19:30:22.862Z", + "version": "WzgzNCwxXQ==", "attributes": { "title": "Notices - Destination Country", - "visState": "{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "visState": "{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { @@ -435,8 +435,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c" } ], diff --git a/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json index 2b72cb10c..b5454a926 100644 --- a/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json +++ b/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "f394057d-1b16-4174-b994-7045f423a416", "type": "dashboard", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MiwxXQ==", + "updated_at": "2020-02-13T15:36:21.456Z", + "version": "WzkyOSwxXQ==", "attributes": { "title": "Connections - Source - Sum of Total Bytes", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]", + "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"0a22cd88-c236-4994-9b27-db3f5b731d7f\"},\"panelIndex\":\"0a22cd88-c236-4994-9b27-db3f5b731d7f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"4a3f5963-08e0-4206-aede-70e943fed585\"},\"panelIndex\":\"4a3f5963-08e0-4206-aede-70e943fed585\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -28,6 +28,16 @@ "name": "panel_1", "type": "visualization", "id": "c964c032-31ce-4397-bac3-f6b625e66548" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5" } ], "migrationVersion": { @@ -37,11 +47,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-13T14:17:04.192Z", + "version": "Wzc3NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -57,8 +67,8 @@ { "id": "c964c032-31ce-4397-bac3-f6b625e66548", "type": "visualization", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MCwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc1OSwxXQ==", "attributes": { "visState": "{\"title\":\"Connections - Source - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", @@ -81,33 +91,91 @@ "visualization": "7.4.2" } }, + { + "id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49", + "type": "visualization", + "updated_at": "2020-02-13T15:17:58.982Z", + "version": "Wzg5NywxXQ==", + "attributes": { + "title": "Connections - Protocol Filters", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_1_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + }, + { + "name": "control_2_index_pattern", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "visualization": "7.4.2" + } + }, + { + "id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5", + "type": "visualization", + "updated_at": "2020-02-13T14:16:47.803Z", + "version": "WzYzMSwxXQ==", + "attributes": { + "title": "Connections - Maps", + "visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/kibana#/dashboard/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/kibana#/dashboard/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/kibana#/dashboard/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/kibana#/dashboard/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/kibana#/dashboard/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/kibana#/dashboard/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.4.2" + } + }, { "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", "type": "search", - "updated_at": "2019-12-18T16:21:00.551Z", - "version": "WzU4MSwxXQ==", + "updated_at": "2020-02-13T14:17:02.148Z", + "version": "Wzc2MCwxXQ==", "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "zeek.proto", + "zeek.service", + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "totBytes", + "zeek.uid" + ], "sort": [ [ "firstPacket", "desc" ] ], - "hits": 0, - "description": "", - "title": "Connections - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true,\"time_zone\":\"America/Denver\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } }, "references": [ { diff --git a/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json index 16cad4e83..d0df9464a 100644 --- a/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json +++ b/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json @@ -1,21 +1,21 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "f77bf097-18a8-465c-b634-eb2acc7a4f26", "type": "dashboard", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5NywxXQ==", + "updated_at": "2020-02-12T18:49:35.910Z", + "version": "WzEwODEsMV0=", "attributes": { "title": "RFB", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":80,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":27,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"legendOpen\":true,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":13,\"x\":8,\"y\":8},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":13,\"x\":21,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"8\",\"w\":18,\"x\":0,\"y\":27},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"11\",\"w\":16,\"x\":0,\"y\":48},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"12\",\"w\":16,\"x\":16,\"y\":48},\"panelIndex\":\"12\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"13\",\"w\":16,\"x\":32,\"y\":48},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"14\",\"w\":15,\"x\":33,\"y\":27},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"15\",\"w\":15,\"x\":18,\"y\":27},\"panelIndex\":\"15\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"16\",\"w\":14,\"x\":34,\"y\":8},\"panelIndex\":\"16\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"17\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":38,\"i\":\"2e466042-c74a-4549-9419-847d918823ae\",\"w\":48,\"x\":0,\"y\":70},\"panelIndex\":\"2e466042-c74a-4549-9419-847d918823ae\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_12\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}" } }, "references": [ @@ -37,57 +37,52 @@ { "name": "panel_3", "type": "visualization", - "id": "b8b1ddc7-f115-4f44-98fb-8763a01aec3a" + "id": "5d961a31-c465-45eb-9e8f-2bbad058a4f8" }, { "name": "panel_4", "type": "visualization", - "id": "5d961a31-c465-45eb-9e8f-2bbad058a4f8" + "id": "8efb6175-3c0d-45ac-ae17-2908b8b7ab33" }, { "name": "panel_5", "type": "visualization", - "id": "8efb6175-3c0d-45ac-ae17-2908b8b7ab33" + "id": "cd575019-21e5-45be-8fb1-7b447cdf2c91" }, { "name": "panel_6", - "type": "search", - "id": "161c6526-b634-4b79-8cb5-39b667eaa862" + "type": "visualization", + "id": "0ac25486-a491-4797-b40f-c83d7d14ded0" }, { "name": "panel_7", "type": "visualization", - "id": "cd575019-21e5-45be-8fb1-7b447cdf2c91" + "id": "5cd98bd4-370d-4d9c-afeb-0018145f6e28" }, { "name": "panel_8", "type": "visualization", - "id": "0ac25486-a491-4797-b40f-c83d7d14ded0" + "id": "c4b27ea5-7188-4c09-9754-ea3c67fe44de" }, { "name": "panel_9", "type": "visualization", - "id": "5cd98bd4-370d-4d9c-afeb-0018145f6e28" + "id": "c46f1254-54b6-414b-88cc-69751026b0e0" }, { "name": "panel_10", "type": "visualization", - "id": "c4b27ea5-7188-4c09-9754-ea3c67fe44de" + "id": "0537ea69-4e73-4055-92a8-b90369603b5a" }, { "name": "panel_11", "type": "visualization", - "id": "c46f1254-54b6-414b-88cc-69751026b0e0" + "id": "AWDHC8iGxQT5EBNmq4bs" }, { "name": "panel_12", - "type": "visualization", - "id": "0537ea69-4e73-4055-92a8-b90369603b5a" - }, - { - "name": "panel_13", - "type": "visualization", - "id": "AWDHC8iGxQT5EBNmq4bs" + "type": "search", + "id": "161c6526-b634-4b79-8cb5-39b667eaa862" } ], "migrationVersion": { @@ -97,11 +92,11 @@ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-12-18T16:21:02.636Z", - "version": "WzU5OCwxXQ==", + "updated_at": "2020-02-12T15:01:05.290Z", + "version": "Wzc5NiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -117,8 +112,8 @@ { "id": "ebfb6257-cd49-4120-aefb-e3ef95624acc", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU4NCwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc4MiwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", @@ -144,40 +139,13 @@ { "id": "24fb5549-3160-41fb-901f-81c03c165e8c", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU4NSwxXQ==", + "updated_at": "2020-02-12T18:46:20.561Z", + "version": "WzEwNzEsMV0=", "attributes": { - "visState": "{\"title\":\"RFB - Authentication Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.auth\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}", - "description": "", "title": "RFB - Authentication Status", - "uiStateJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "type": "search", - "name": "search_0", - "id": "161c6526-b634-4b79-8cb5-39b667eaa862" - } - ], - "migrationVersion": { - "visualization": "7.4.2" - } - }, - { - "id": "b8b1ddc7-f115-4f44-98fb-8763a01aec3a", - "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU4NiwxXQ==", - "attributes": { - "visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.authentication_method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RFB - Authentication Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Authenticated\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.auth\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"F\",\"customLabel\":\"Authenticated\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", - "title": "RFB - Authentication Method", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -186,8 +154,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "161c6526-b634-4b79-8cb5-39b667eaa862" } ], @@ -198,13 +166,13 @@ { "id": "5d961a31-c465-45eb-9e8f-2bbad058a4f8", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU4NywxXQ==", + "updated_at": "2020-02-12T18:40:36.801Z", + "version": "WzEwNjQsMV0=", "attributes": { - "visState": "{\"title\":\"RFB - Exclusive Session\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.share_flag\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", "title": "RFB - Exclusive Session", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "visState": "{\"title\":\"RFB - Exclusive Session\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"zeek_rfb.share_flag: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exclusive Session\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -213,8 +181,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "161c6526-b634-4b79-8cb5-39b667eaa862" } ], @@ -225,8 +193,8 @@ { "id": "8efb6175-3c0d-45ac-ae17-2908b8b7ab33", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU4OCwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc4NiwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.desktop_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}", "description": "", @@ -249,50 +217,11 @@ "visualization": "7.4.2" } }, - { - "id": "161c6526-b634-4b79-8cb5-39b667eaa862", - "type": "search", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU4OSwxXQ==", - "attributes": { - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "hits": 0, - "description": "", - "title": "RFB - Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "columns": [ - "srcIp", - "srcPort", - "dstIp", - "dstPort", - "zeek.uid", - "_id" - ] - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "sessions2-*" - } - ], - "migrationVersion": { - "search": "7.4.0" - } - }, { "id": "cd575019-21e5-45be-8fb1-7b447cdf2c91", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5MCwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc4OCwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -318,8 +247,8 @@ { "id": "0ac25486-a491-4797-b40f-c83d7d14ded0", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5MSwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc4OSwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -345,8 +274,8 @@ { "id": "5cd98bd4-370d-4d9c-afeb-0018145f6e28", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5MiwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc5MCwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", "description": "", @@ -372,8 +301,8 @@ { "id": "c4b27ea5-7188-4c09-9754-ea3c67fe44de", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5MywxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc5MSwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.server_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.server_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", "description": "", @@ -399,8 +328,8 @@ { "id": "c46f1254-54b6-414b-88cc-69751026b0e0", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5NCwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc5MiwxXQ==", "attributes": { "visState": "{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.client_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.client_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", "description": "", @@ -426,13 +355,13 @@ { "id": "0537ea69-4e73-4055-92a8-b90369603b5a", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5NSwxXQ==", + "updated_at": "2020-02-12T18:49:14.219Z", + "version": "WzEwODAsMV0=", "attributes": { - "visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_rfb.authentication_method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}", - "description": "", "title": "RFB - Authentication Method", + "visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\",\"parsedUrl\":{\"origin\":\"https://localhost\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Method\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_rfb.authentication_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Method\"}}]}", "uiStateJSON": "{}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[]}" @@ -441,8 +370,8 @@ }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", "id": "161c6526-b634-4b79-8cb5-39b667eaa862" } ], @@ -453,8 +382,8 @@ { "id": "AWDHC8iGxQT5EBNmq4bs", "type": "visualization", - "updated_at": "2019-12-18T16:21:01.608Z", - "version": "WzU5NiwxXQ==", + "updated_at": "2020-02-12T15:01:04.271Z", + "version": "Wzc5NCwxXQ==", "attributes": { "title": "RFB - Log Count", "visState": "{\"title\":\"RFB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", @@ -476,6 +405,47 @@ "migrationVersion": { "visualization": "7.4.2" } + }, + { + "id": "161c6526-b634-4b79-8cb5-39b667eaa862", + "type": "search", + "updated_at": "2020-02-12T18:48:16.263Z", + "version": "WzEwNzgsMV0=", + "attributes": { + "title": "RFB - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_rfb.desktop_name", + "zeek_rfb.authentication_method", + "zeek_rfb.auth", + "zeek_rfb.share_flag", + "zeek.uid" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:rfb\",\"time_zone\":\"America/Denver\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "sessions2-*" + } + ], + "migrationVersion": { + "search": "7.4.0" + } } ] } \ No newline at end of file diff --git a/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json index 78494f26f..bb574a9ce 100644 --- a/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json +++ b/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "fa141950-ef89-11e9-b38a-2db3ee640e88", @@ -10,7 +10,7 @@ "title": "Tabular Data Stream - SQL", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"h\":47,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"h\":31,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":47},\"panelIndex\":\"2\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":13,\"x\":8,\"y\":8},\"panelIndex\":\"5\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"6\",\"w\":11,\"x\":21,\"y\":8},\"panelIndex\":\"6\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":40,\"x\":8,\"y\":27},\"panelIndex\":\"8\",\"version\":\"7.5.1\",\"panelRefName\":\"panel_7\"}]", + "panelsJSON": "[{\"gridData\":{\"h\":47,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"h\":31,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":47},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":13,\"x\":8,\"y\":8},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"6\",\"w\":11,\"x\":21,\"y\":8},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":40,\"x\":8,\"y\":27},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -71,7 +71,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/kibana#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/kibana#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/elastalert-kibana-plugin/server/routes/elastalert.js b/kibana/elastalert-kibana-plugin/server/routes/elastalert.js new file mode 100644 index 000000000..1e97abcaf --- /dev/null +++ b/kibana/elastalert-kibana-plugin/server/routes/elastalert.js @@ -0,0 +1,27 @@ +export default function(server, options) { + const baseUri = `http${options.serverSsl ? 's' : ''}://${options.serverHost}:${options.serverPort}`; + + // Route every request to the ElastAlert API + const handler = { + proxy: { + mapUri: request => { + return { uri: `${baseUri}/${request.params.path || ''}` }; + } + } + }; + + ['GET', 'POST', 'DELETE'].forEach(method => { + server.route({ + path: '/api/elastalert/{path*}', + method, + handler, + config: + method === 'GET' + ? undefined + : { + validate: { payload: null }, + payload: { parse: false }, + }, + }); + }); +} diff --git a/kibana/kibana-offline-maps.yml b/kibana/kibana-offline-maps.yml index 4ebc64dca..b40344f29 100644 --- a/kibana/kibana-offline-maps.yml +++ b/kibana/kibana-offline-maps.yml @@ -16,7 +16,7 @@ map.regionmap: includeElasticMapsService: false layers: - name: "World (offline)" - url: "http://localhost:${KIBANA_OFFLINE_REGION_MAPS_PORT}/world.geojson" + url: "/world.geojson" attribution: "https://exploratory.io/maps" fields: - name: "ISO_A2" @@ -25,3 +25,6 @@ map.regionmap: description: "Country Code2" - name: "NAME" description: "Country Name" + +server.cors: true +server.cors.origin: ['*'] \ No newline at end of file diff --git a/kibana/scripts/kibana-create-moloch-sessions-index.sh b/kibana/scripts/kibana-create-moloch-sessions-index.sh index 9b1068bf5..b9142418c 100755 --- a/kibana/scripts/kibana-create-moloch-sessions-index.sh +++ b/kibana/scripts/kibana-create-moloch-sessions-index.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -euo pipefail @@ -48,6 +48,9 @@ if [[ "$CREATE_ES_MOLOCH_SESSION_INDEX" = "true" ]] ; then # turn off telemetry curl -XPOST "$KIBANA_URL/api/telemetry/v2/optIn" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d '{"enabled":false}' + + # pin filters by default + curl -XPOST "$KIBANA_URL/api/kibana/settings/filters:pinnedByDefault" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}' fi fi fi diff --git a/kibana/scripts/kibana.sh b/kibana/scripts/kibana.sh index db09dcf21..978dd8560 100755 --- a/kibana/scripts/kibana.sh +++ b/kibana/scripts/kibana.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. echo "Giving Elasticsearch time to start before starting Kibana..." /data/elastic_search_status.sh 2>&1 && echo "Elasticsearch is running!" diff --git a/kibana/scripts/kibana_index_refresh.py b/kibana/scripts/kibana_index_refresh.py index cf80af9fd..7d0d1ada6 100755 --- a/kibana/scripts/kibana_index_refresh.py +++ b/kibana/scripts/kibana_index_refresh.py @@ -10,7 +10,7 @@ import sys GET_STATUS_API = 'api/status' -GET_INDEX_PATTERN_INFO_URI = 'api/saved_objects/index-pattern' +GET_INDEX_PATTERN_INFO_URI = 'api/saved_objects/_find' GET_FIELDS_URI = 'api/index_patterns/_fields_for_wildcard' PUT_INDEX_PATTERN_URI = 'api/saved_objects/index-pattern' @@ -78,42 +78,54 @@ def main(): if debug: eprint('Kibana version is {}'.format(kibanaVersion)) - # get the ID of the index name (probably will be the same as the name) - getIndexInfoResponse = requests.get('{}/{}/{}'.format(args.url, GET_INDEX_PATTERN_INFO_URI, args.index)) + # find the ID of the index name (probably will be the same as the name) + getIndexInfoResponse = requests.get( + '{}/{}'.format(args.url, GET_INDEX_PATTERN_INFO_URI), + params={ + 'type': 'index-pattern', + 'fields': 'id', + 'search': '"{}"'.format(args.index) + } + ) getIndexInfoResponse.raise_for_status() getIndexInfo = getIndexInfoResponse.json() - indexId = getIndexInfo['id'] + indexId = getIndexInfo['saved_objects'][0]['id'] if (len(getIndexInfo['saved_objects']) > 0) else None if debug: eprint('Index ID for {} is {}'.format(args.index, indexId)) - # get the fields list - getFieldsResponse = requests.get('{}/{}'.format(args.url, GET_FIELDS_URI), - params={ 'pattern': args.index, - 'meta_fields': ["_source","_id","_type","_index","_score"] }) - getFieldsResponse.raise_for_status() - getFieldsList = getFieldsResponse.json()['fields'] - if debug: - eprint('{} would have {} fields'.format(args.index, len(getFieldsList))) - - # set the index pattern with our complete list of fields - if not args.dryrun: - putIndexInfo = {} - putIndexInfo['attributes'] = {} - putIndexInfo['attributes']['title'] = args.index - putIndexInfo['attributes']['fields'] = json.dumps(getFieldsList) - - putResponse = requests.put('{}/{}/{}'.format(args.url, PUT_INDEX_PATTERN_URI, indexId), - headers={ 'Content-Type': 'application/json', - 'kbn-xsrf': 'true', - 'kbn-version': kibanaVersion, }, - data=json.dumps(putIndexInfo)) - putResponse.raise_for_status() - - # if we got this far, it probably worked! - if args.dryrun: - print("success (dry run only, no write performed)") + if indexId is not None: + + # get the fields list + getFieldsResponse = requests.get('{}/{}'.format(args.url, GET_FIELDS_URI), + params={ 'pattern': args.index, + 'meta_fields': ["_source","_id","_type","_index","_score"] }) + getFieldsResponse.raise_for_status() + getFieldsList = getFieldsResponse.json()['fields'] + if debug: + eprint('{} would have {} fields'.format(args.index, len(getFieldsList))) + + # set the index pattern with our complete list of fields + if not args.dryrun: + putIndexInfo = {} + putIndexInfo['attributes'] = {} + putIndexInfo['attributes']['title'] = args.index + putIndexInfo['attributes']['fields'] = json.dumps(getFieldsList) + + putResponse = requests.put('{}/{}/{}'.format(args.url, PUT_INDEX_PATTERN_URI, indexId), + headers={ 'Content-Type': 'application/json', + 'kbn-xsrf': 'true', + 'kbn-version': kibanaVersion, }, + data=json.dumps(putIndexInfo)) + putResponse.raise_for_status() + + # if we got this far, it probably worked! + if args.dryrun: + print("success (dry run only, no write performed)") + else: + print("success") + else: - print("success") + print("failure (could not find Index ID for {})".format(args.index)) if __name__ == '__main__': main() diff --git a/kibana/supervisord.conf b/kibana/supervisord.conf index 80efd4126..43d5be174 100644 --- a/kibana/supervisord.conf +++ b/kibana/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) @@ -30,7 +30,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:maps] -command=/usr/bin/http-server /opt/maps --cors='*' -p %(ENV_KIBANA_OFFLINE_REGION_MAPS_PORT)s +command=/usr/bin/http-server /opt/maps --cors='*' -d false -i false --no-dotfiles -p %(ENV_KIBANA_OFFLINE_REGION_MAPS_PORT)s user=kibana autostart=%(ENV_KIBANA_OFFLINE_REGION_MAPS)s startsecs=0 diff --git a/logstash/certs/Makefile b/logstash/certs/Makefile deleted file mode 100644 index 306b63c81..000000000 --- a/logstash/certs/Makefile +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -# one may wish to consider not using self-signed certificates in production - -all: ca server client - -ca: - openssl genrsa -out ca.key 2048 - openssl req -x509 -new -nodes -key ca.key -sha256 -days 9999 -subj /C=US/ST=ID/O=sensor/OU=ca -out ca.crt - -server: - openssl genrsa -out server.key 2048 - openssl req -sha512 -new -key server.key -out server.csr -config server.conf - openssl x509 -days 3650 -req -sha512 -in server.csr -CAcreateserial -CA ca.crt -CAkey ca.key -out server.crt -extensions v3_req -extfile server.conf - mv server.key server.key.pem && openssl pkcs8 -in server.key.pem -topk8 -nocrypt -out server.key - -client: - openssl genrsa -out client.key 2048 - openssl req -sha512 -new -key client.key -out client.csr -config client.conf - openssl x509 -days 3650 -req -sha512 -in client.csr -CAcreateserial -CA ca.crt -CAkey ca.key -out client.crt -extensions v3_req -extensions usr_cert -extfile client.conf - -.PHONY: clean -clean: - @rm -f *.key *.crt *.pem *.csr *.srl diff --git a/logstash/pipelines/enrichment/11_lookups.conf b/logstash/pipelines/enrichment/11_lookups.conf index 3f4f7c2a2..722da6cec 100644 --- a/logstash/pipelines/enrichment/11_lookups.conf +++ b/logstash/pipelines/enrichment/11_lookups.conf @@ -6,6 +6,7 @@ filter { # if OUI lookup is requested, enable it mutate { + id => "mutate_add_field_env_logstash_oui_lookup" add_field => { "[@metadata][ENV_LOGSTASH_OUI_LOOKUP]" => "${LOGSTASH_OUI_LOOKUP:false}" } } if ([@metadata][ENV_LOGSTASH_OUI_LOOKUP] == "true") { @@ -133,6 +134,16 @@ filter { } } } + cidr { + id => "cidr_detect_network_type_ipv4_source" + add_field => { "[network][type]" => "ipv4" } + address => [ "%{srcIp}" ] + network => [ "0.0.0.0/0" ] + } + if (![network][type]) { + mutate { id => "mutate_add_network_type_ipv4_source" + add_field => { "[network][type]" => "ipv6" } } + } } # if ([srcIp]) if ([dstIp]) { @@ -197,10 +208,56 @@ filter { } } } - + } + if (![network][type]) { + cidr { + id => "cidr_detect_network_type_ipv4_dest" + add_field => { "[network][type]" => "ipv4" } + address => [ "%{dstIp}" ] + network => [ "0.0.0.0/0" ] + } + if (![network][type]) { + mutate { id => "mutate_add_network_type_ipv4_dest" + add_field => { "[network][type]" => "ipv6" } } + } } } # if ([dstIp]) + if ([dns][host]) { + # if requested, look up DNS queries using freq_server.py to get entropy scores + # I would do this in an http filter (like zeek_ssl.server_name) + ruby { + id => "ruby_dns_freq_lookup" + init => " + require 'net/http' + $freqLookupEnabled = ENV['FREQ_LOOKUP'] || 'false' + " + # freq_server.py returns a string like: (2.9333, 3.6353) + code => " + if ($freqLookupEnabled == 'true') then + scoresv1 = Array.new + scoresv2 = Array.new + scoresTmp = Array.new + begin + event.get('[dns][host]').each { |query| + if (query.length >= 4) and (query !~ /(ip6\.int|ip6\.arpa|in-addr\.arpa|b32\.i2p)$/i) then + scoresTmp.clear + scoresTmp.concat(Net::HTTP.get_response(URI.parse('http://freq:10004/measure/' + query)).body.gsub(/(^\(|\)$|\s+)/, '').split(',').map(&:to_f)) + if (scoresTmp.length == 2) then + scoresv1 << scoresTmp[0] + scoresv2 << scoresTmp[1] + end + end + } + rescue Exception => e + event.set('ruby_exception', 'ruby_dns_freq_lookup: ' + e.message) + end + event.set('[zeek][freq_score_v1]', scoresv1) unless (scoresv1.length == 0) + event.set('[zeek][freq_score_v2]', scoresv2) unless (scoresv2.length == 0) + end" + } + } # end if dns.ip + if ([dns][ip]) and ([dns][ip][0]) { # if this is a DNS record with an IP, GeoIP it as well geoip { @@ -284,6 +341,26 @@ filter { } # end if radius + if ([zeek_ssl][server_name]) { + mutate { + add_field => { "[@metadata][ENV_FREQ_LOOKUP]" => "${FREQ_LOOKUP:false}" } + } + if ([@metadata][ENV_FREQ_LOOKUP] == "true") { + # if requested, look up zeek_ssl.server_name queries using freq_server.py to get entropy scores + http { + id => "rest_zeek_ssl_server_name_freq_lookup" + url => "http://freq:10004/measure/%{[zeek_ssl][server_name]}" + target_body => "[@metadata][zeek_ssl_server_name_freq]" + } + if ([@metadata][zeek_ssl_server_name_freq]) { + grok { + id => "grok_zeek_ssl_server_name_freq_parse" + match => { "[@metadata][zeek_ssl_server_name_freq]" => [ "^\(%{NUMBER:[zeek][freq_score_v1]}, %{NUMBER:[zeek][freq_score_v2]}\)$" ] } + } + } + } + } # end if zeek_ssl.server_name + ################################################################################################ ######## JA3 community hashes lookup ########################################################### @@ -318,12 +395,20 @@ filter { add_field => { "[node]" => "logs" } } } + if ([log][file][path]) { + # trim path portion of log.file.path + mutate { id => "mutate_gsub_field_zeek_log_file_path" + gsub => [ "[log][file][path]", "^.*/", "" ] } + } + # remove some useless beats-related fields mutate { id => "mutate_remove_field_beats_useless" remove_field => [ "[beat]", + "[agent][ephemeral_id]", "[log][offset]", + "[input][type]", "[prospector]", "[message]" ] diff --git a/logstash/pipelines/enrichment/12_type_conv.conf b/logstash/pipelines/enrichment/12_type_conv.conf index 7b880319d..7a8861a8a 100644 --- a/logstash/pipelines/enrichment/12_type_conv.conf +++ b/logstash/pipelines/enrichment/12_type_conv.conf @@ -71,6 +71,8 @@ filter { "[userCnt]" => "integer" "[vlan]" => "integer" "[vlanCnt]" => "integer" + "[zeek][freq_score_v1]" => "float" + "[zeek][freq_score_v2]" => "float" } } diff --git a/logstash/pipelines/enrichment/18_tags_finalize.conf b/logstash/pipelines/enrichment/18_tags_finalize.conf index 71c18d408..7bae05368 100644 --- a/logstash/pipelines/enrichment/18_tags_finalize.conf +++ b/logstash/pipelines/enrichment/18_tags_finalize.conf @@ -5,6 +5,7 @@ filter { mutate { id => "mutate_enrichment_tags_remove" remove_tag => [ "beats_input_codec_plain_applied", "_grokparsefailure", + "_jsonparsefailure", "_dissectfailure", "_ouilookupfailure", "_geoip_lookup_failure" ] } diff --git a/logstash/pipelines/zeek/11_zeek_logs.conf b/logstash/pipelines/zeek/11_zeek_logs.conf index d0d559a88..25efdf272 100644 --- a/logstash/pipelines/zeek/11_zeek_logs.conf +++ b/logstash/pipelines/zeek/11_zeek_logs.conf @@ -8,7 +8,7 @@ # this monstrosity can be used to profile: # $ curl -XGET http://localhost:9600/_node/stats/pipelines | python -mjson.tool | grep -P '"(id|duration_in_millis)":' | sed "s/.*: //" | sed ':a;N;$!ba;s/",\n/ /g' | sed "s/[\",]//g" | awk -F " " '{printf("%s %s\n", $2, $1)}' | sort -n # -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ####################### filter { @@ -223,10 +223,8 @@ filter { } } - mutate { - id => "mutate_add_field_zeek_conn_segmentCnt" - add_field => { "[segmentCnt]" => "1" } - } + mutate { id => "mutate_add_field_zeek_conn_segmentCnt" + add_field => { "[segmentCnt]" => "1" } } if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') { mutate { id => "mutate_add_field_zeek_srcBytes" @@ -394,7 +392,7 @@ filter { id => "dissect_zeek_dhcp_1_with_all_fields" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uids]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]}" } } @@ -424,18 +422,18 @@ filter { } ruby { id => "ruby_zip_zeek_dhcp" - init => "$zeek_dhcp_field_names = [ 'ts', 'uids', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration' ]" + init => "$zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration' ]" code => "event.set('[zeek_cols]', $zeek_dhcp_field_names.zip(event.get('[message]')).to_h)" } } - if ([zeek_cols][uids]) and ([zeek_cols][uids] != '(empty)') and ([zeek_cols][uids] != '') { + if ([zeek_cols][uid]) and ([zeek_cols][uid] != '(empty)') and ([zeek_cols][uid] != '') { mutate { id => "mutate_split_zeek_dhcp_uids" - split => { "[zeek_cols][uids]" => "," } } + split => { "[zeek_cols][uid]" => "," } } } - if ([zeek_cols][uids] and [zeek_cols][uids][0]) { + if ([zeek_cols][uid] and [zeek_cols][uid][0]) { mutate { id => "mutate_add_field_zeek_dhcp_uids" - add_field => { "[rootId]" => "%{[zeek_cols][uids][0]}" } } + add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } } } if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) { @@ -1236,7 +1234,6 @@ filter { } } - } else if ([source] == "mqtt_subscribe") { ############################################################################################################################# # mqtt_subscribe.log @@ -1638,6 +1635,10 @@ filter { add_field => { "[zeek_cols][service]" => "rdp" } } + # remove RDP prefix from client_build (version) + mutate { id => "mutate_gsub_field_zeek_rdp_client_build" + gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] } + } else if ([source] == "rfb") { ############################################################################################################################# # rfb.log @@ -1755,11 +1756,53 @@ filter { add_field => { "[zeek_cols][service]" => "sip" } } + } else if ([source] == "smb_cmd") { + ############################################################################################################################# + # smb_cmd.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo + # + # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. later on it will be + # merged up as its own top-level entity so I don't have to duplicate the parsing effort below + + dissect { + id => "dissect_zeek_smb_cmd" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} %{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_cmd" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_cmd" + init => "$zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]" + code => "event.set('[zeek_cols]', $zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_cmd" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + # remove SMB prefix from version + mutate { id => "mutate_gsub_field_zeek_smb_cmd_version" + gsub => [ "[zeek_cols][version]", "^SMB", "" ] } + + mutate { id => "mutate_gsub_zeek_smb_cmd_command" + gsub => [ "[zeek_cols][command]", "^SMB::", "" ] } + } else if ([source] == "smb_files") { ############################################################################################################################# # smb_files.log # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo - # todo: also smb_cmd.log? if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { @@ -1831,6 +1874,9 @@ filter { } } + mutate { id => "mutate_gsub_zeek_smb_files_action" + gsub => [ "[zeek_cols][action]", "^SMB::", "" ] } + } else if ([source] == "smb_mapping") { ############################################################################################################################# # smb_mapping.log @@ -1873,7 +1919,7 @@ filter { id => "dissect_zeek_smtp" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuids]} %{[zeek_cols][is_webmail]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}" } } if ("_dissectfailure" in [tags]) { @@ -1884,7 +1930,7 @@ filter { } ruby { id => "ruby_zip_zeek_smtp" - init => "$zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuids', 'is_webmail' ]" + init => "$zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]" code => "event.set('[zeek_cols]', $zeek_smtp_field_names.zip(event.get('[message]')).to_h)" } } @@ -2285,6 +2331,13 @@ filter { } } + + mutate { id => "mutate_gsub_zeek_tunnel_action" + gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] } + + mutate { id => "mutate_gsub_zeek_tunnel_type" + gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] } + mutate { id => "mutate_add_fields_zeek_tunnel" add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" } @@ -2292,8 +2345,6 @@ filter { mutate { id => "mutate_lowercase_zeek_tunnel_service" lowercase => [ "[zeek_cols][service]" ] } - mutate { id => "mutate_gsub_zeek_tunnel_service" - gsub => [ "[zeek_cols][service]", "tunnel::", "" ] } } else if ([source] == "weird") { ############################################################################################################################# @@ -2345,36 +2396,40 @@ filter { } } - mutate { - id => "mutate_add_fields_zeek_x509" - add_field => { - "[zeek_cols][service]" => "X.509" - "[certCnt]" => "1" - } - } + mutate { id => "mutate_add_fields_zeek_x509" + add_field => { "[zeek_cols][service]" => "X.509" + "[certCnt]" => "1" } } } else { - # some other unknown zeek log file. should start with ts at least! - csv { - id => "csv_zeek_unknown" - columns => [ - "ts"] - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - separator => " " - # there's no way to *disable* the csv quote char, so set it to something we'll never see - quote_char => " " + if ([source] =~ /\.\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/) { + # filebeat caught a file right in the middle of being renamed/moved (ie., renamed from conn.log to + # conn.2020-01-16-14-00-00.log). this has actually already been processed, so ignore this event. + drop { id => "drop_renamed_logfile" } - target => "[zeek_cols]" - } + } else { + # some other unknown zeek log file. should start with ts at least! + csv { + id => "csv_zeek_unknown" + columns => [ + "ts"] + + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + separator => " " + # there's no way to *disable* the csv quote char, so set it to something we'll never see + quote_char => " " + + target => "[zeek_cols]" + } - mutate { id => "mutate_add_tag_zeek_unknown" - add_tag => [ "_unknown_log_type" ] } + mutate { id => "mutate_add_tag_zeek_unknown" + add_tag => [ "_unknown_log_type" ] } + } } # if / else if for source type (conn.log, dns.log, etc.) if ([zeek_cols]) { - # remove unset (-) or "(empty)" field values + # remove unset (-) or "(empty)" top-level field values ruby { id => "ruby_zeek_remove_empty_values" code => " @@ -2395,18 +2450,20 @@ filter { # show up in many types of logs) mutate { id => "mutate_rename_zeek_common_fields" - rename => { "[zeek_%{[source]}][ts]" => "[zeek][ts]" } - rename => { "[zeek_%{[source]}][uid]" => "[zeek][uid]" } - rename => { "[zeek_%{[source]}][orig_h]" => "[zeek][orig_h]" } - rename => { "[zeek_%{[source]}][orig_p]" => "[zeek][orig_p]" } - rename => { "[zeek_%{[source]}][orig_l2_addr]" => "[zeek][orig_l2_addr]" } - rename => { "[zeek_%{[source]}][resp_h]" => "[zeek][resp_h]" } - rename => { "[zeek_%{[source]}][resp_p]" => "[zeek][resp_p]" } - rename => { "[zeek_%{[source]}][resp_l2_addr]" => "[zeek][resp_l2_addr]" } - rename => { "[zeek_%{[source]}][proto]" => "[zeek][proto]" } - rename => { "[zeek_%{[source]}][service]" => "[zeek][service]" } - rename => { "[zeek_%{[source]}][user]" => "[zeek][user]" } - rename => { "[zeek_%{[source]}][community_id]" => "[zeek][community_id]" } + rename => { "[zeek_%{[source]}][ts]" => "[zeek][ts]" } + rename => { "[zeek_%{[source]}][uid]" => "[zeek][uid]" } + rename => { "[zeek_%{[source]}][fuid]" => "[zeek][fuid]" } + rename => { "[zeek_%{[source]}][orig_h]" => "[zeek][orig_h]" } + rename => { "[zeek_%{[source]}][orig_p]" => "[zeek][orig_p]" } + rename => { "[zeek_%{[source]}][orig_l2_addr]" => "[zeek][orig_l2_addr]" } + rename => { "[zeek_%{[source]}][resp_h]" => "[zeek][resp_h]" } + rename => { "[zeek_%{[source]}][resp_p]" => "[zeek][resp_p]" } + rename => { "[zeek_%{[source]}][resp_l2_addr]" => "[zeek][resp_l2_addr]" } + rename => { "[zeek_%{[source]}][proto]" => "[zeek][proto]" } + rename => { "[zeek_%{[source]}][service]" => "[zeek][service]" } + rename => { "[zeek_%{[source]}][user]" => "[zeek][user]" } + rename => { "[zeek_%{[source]}][password]" => "[zeek][password]" } + rename => { "[zeek_%{[source]}][community_id]" => "[zeek][community_id]" } } if ([zeek][orig_h]) { mutate { id => "mutate_add_field_zeek_srcIp" @@ -2452,6 +2509,10 @@ filter { add_field => { "[zeek][uid]" => "%{[@metadata][uuid]}" } } } + # if present, FUIDs are always a vector (comma-separated) + if ([zeek][fuid]) { mutate { id => "mutate_split_zeek_fuids" + split => { "[zeek][fuid]" => "," } } } + if ([source] == "conn") { mutate { id => "mutate_add_field_zeek_conn_zeekLogDocId" add_field => { "[zeekLogDocId]" => "%{[zeek][uid]}" } } @@ -2631,6 +2692,7 @@ filter { split => { "[zeek_bacnet][data]" => "," } } #if ([zeek_bacnet][data_dict][date]) and ([zeek_bacnet][data_dict][time]) { + # TODO: #} } @@ -2645,10 +2707,8 @@ filter { } mutate { id => "mutate_merge_zeek_dhcp_mac" merge => { "[dhcp][mac]" => "[zeek][orig_l2_addr]" } } - ruby { - id => "ruby_zeek_dhcp_macCnt" - code => "event.set('[dhcp][macCnt]', event.get('[dhcp][mac]').length)" - } + mutate { id => "mutate_add_field_dhcp_macCnt" + add_field => { "[dhcp][macCnt]" => "1" } } } if ([zeek_dhcp][msg_types]) { @@ -2661,10 +2721,8 @@ filter { if ([zeek_dhcp][trans_id]) { mutate { id => "mutate_merge_zeek_dhcp_id" merge => { "[dhcp][id]" => "[zeek_dhcp][trans_id]" } } - ruby { - id => "ruby_zeek_dhcp_idCnt" - code => "event.set('[dhcp][idCnt]', event.get('[dhcp][id]').length)" - } + mutate { id => "mutate_add_field_dhcp_idCnt" + add_field => { "[dhcp][idCnt]" => "1" } } } if ([zeek_dhcp][host_name]) { @@ -2687,13 +2745,13 @@ filter { } else if ([source] == "dns") { ############################################################################################################################# # dns.log specific logic - # todo: adjust this regex so it at least sort of catches IPv6 as well # this must be done because [dns][ip] only handles IPv4 or IPv6 addresses # but [answers] can contain hostnames as well if ([zeek_dns][answers]) { ruby { id => "ruby_zeek_dns_answers_ip_extract" + # todo: adjust this regex so it at least sort of catches IPv6 as well code => "event.set('[@metadata][answers_ip]', event.get('[zeek_dns][answers]').scan(/\d+\.\d+\.\d+\.\d+/).join(','))" } mutate { id => "mutate_split_zeek_dns_answers" @@ -2712,73 +2770,41 @@ filter { add_field => { "[@metadata][opcode]" => "QUERY" } } mutate { id => "mutate_merge_zeek_opcode" merge => { "[dns][opcode]" => "[@metadata][opcode]" } } - } - if ([dns][host]) { - ruby { - id => "ruby_zeek_dns_hostCnt" - code => "event.set('[dns][hostCnt]', event.get('[dns][host]').length)" - } - } - if ([dns][opcode]) { - ruby { - id => "ruby_zeek_dns_opcodeCnt" - code => "event.set('[dns][opcodeCnt]', event.get('[dns][opcode]').length)" - } + mutate { id => "mutate_add_field_dns_hostCnt" + add_field => { "[dns][hostCnt]" => "1" } } + mutate { id => "mutate_add_field_dns_opcodeCnt" + add_field => { "[dns][opcodeCnt]" => "1" } } } if ([@metadata][answers_ip]) { mutate { id => "mutate_merge_zeek_dns_ip" merge => { "[dns][ip]" => "[@metadata][answers_ip]" } } + ruby { + id => "ruby_zeek_dns_ipCnt" + code => "event.set('[dns][ipCnt]', event.get('[dns][ip]').length)" + } } if ([zeek_dns][qclass_name]) { mutate { id => "mutate_merge_zeek_dns_qc" merge => { "[dns][qc]" => "[zeek_dns][qclass_name]" } } - ruby { - id => "ruby_zeek_dns_qcCnt" - code => "event.set('[dns][qcCnt]', event.get('[dns][qc]').length)" - } + mutate { id => "mutate_add_field_dns_qcCnt" + add_field => { "[dns][qcCnt]" => "1" } } } if ([zeek_dns][qtype_name]) { mutate { id => "mutate_merge_zeek_dns_qt" merge => { "[dns][qt]" => "[zeek_dns][qtype_name]" } } - ruby { - id => "ruby_zeek_dns_qtCnt" - code => "event.set('[dns][qtCnt]', event.get('[dns][qt]').length)" - } + mutate { id => "mutate_add_field_dns_qtCnt" + add_field => { "[dns][qtCnt]" => "1" } } } - if ([dns][ip]) { - ruby { - id => "ruby_zeek_dns_ipCnt" - code => "event.set('[dns][ipCnt]', event.get('[dns][ip]').length)" - } - } # if([dns][ip]) - } else if ([source] == "files") { ############################################################################################################################# # files.log specific logic - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_files][fuid]) { - mutate { id => "mutate_split_zeek_files_fuid" - split => { "[zeek_files][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_files_fuid" - merge => { "[zeek][fuid]" => "[zeek_files][fuid]" } } - } - if ([zeek_files][parent_fuid]) { - mutate { id => "mutate_split_zeek_files_parent_fuid" - split => { "[zeek_files][parent_fuid]" => "," } } - mutate { id => "mutate_merge_zeek_files_parent_fuid" - merge => { "[zeek][fuid]" => "[zeek_files][parent_fuid]" } } - } - # collect all filenames under the parent [zeek][filename] array - if ([zeek_files][filename]) { mutate { id => "mutate_merge_zeek_files_filename" - merge => { "[zeek][filename]" => "[zeek_files][filename]" } } } - # collect all mime types under the parent [zeek][filetype] array - if ([zeek_files][mime_type]) { mutate { id => "mutate_merge_zeek_files_mime_type" - merge => { "[zeek][filetype]" => "[zeek_files][mime_type]" } } } + if ([zeek_files][parent_fuid]) { mutate { id => "mutate_split_zeek_files_parent_fuid" + split => { "[zeek_files][parent_fuid]" => "," } } } if ([zeek_files][total_bytes]) { ruby { @@ -2807,18 +2833,6 @@ filter { } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_ftp][fuid]) { - mutate { id => "mutate_split_zeek_ftp_fuid" - split => { "[zeek_ftp][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_ftp_fuid" - merge => { "[zeek][fuid]" => "[zeek_ftp][fuid]" } } - } - - # collect all mime types under the parent [zeek][filetype] array - if ([zeek_ftp][mime_type]) { mutate { id => "mutate_merge_zeek_ftp_filetype" - merge => { "[zeek][filetype]" => "[zeek_ftp][mime_type]" } } } - } else if ([source] == "gquic") { ############################################################################################################################# # gquic.log specific logic @@ -2826,19 +2840,15 @@ filter { if ([zeek_gquic][user_agent]) { mutate { id => "mutate_merge_zeek_quic_useragent" merge => { "[quic][useragent]" => "[zeek_gquic][user_agent]" } } - mutate { - id => "mutate_add_field_zeek_quic_useragentCnt" - add_field => { "[quic][useragentCnt]" => "1" } - } + mutate { id => "mutate_add_field_zeek_quic_useragentCnt" + add_field => { "[quic][useragentCnt]" => "1" } } } if ([zeek_gquic][server_name]) { mutate { id => "mutate_merge_zeek_quic_host" merge => { "[quic][host]" => "[zeek_gquic][server_name]" } } - mutate { - id => "mutate_add_field_zeek_quic_hostCnt" - add_field => { "[quic][hostCnt]" => "1" } - } + mutate { id => "mutate_add_field_zeek_quic_hostCnt" + add_field => { "[quic][hostCnt]" => "1" } } } if ([zeek_gquic][version]) { @@ -2846,10 +2856,8 @@ filter { id => "ruby_zeek_set_quic_version" code => "event.set('[quic][version]', 'Q' + event.get('[zeek_gquic][version]').rjust(3, '0'))" } - mutate { - id => "mutate_add_field_zeek_quic_versionCnt" - add_field => { "[quic][versionCnt]" => "1" } - } + mutate { id => "mutate_add_field_zeek_quic_versionCnt" + add_field => { "[quic][versionCnt]" => "1" } } } @@ -2877,10 +2885,8 @@ filter { if ([zeek_http][host]) { mutate { id => "mutate_merge_zeek_http_host" merge => { "[http][host]" => "[zeek_http][host]" } } - ruby { - id => "ruby_zeek_http_hostCnt" - code => "event.set('[http][hostCnt]', event.get('[http][host]').length)" - } + mutate { id => "mutate_add_field_http_hostCnt" + add_field => { "[http][hostCnt]" => "1" } } } if ([zeek_http][uri]) { @@ -2898,69 +2904,52 @@ filter { merge => { "[http][uri]" => "[zeek_http][referrer]" } } } - if ([http][uri]) { - ruby { - id => "ruby_zeek_http_uriCnt" - code => "event.set('[http][uriCnt]', event.get('[http][uri]').length)" - } - } + if ([http][uri]) { mutate { id => "mutate_add_field_http_uriCnt" + add_field => { "[http][uriCnt]" => "1" } } } if ([zeek_http][user_agent]) { mutate { id => "mutate_merge_zeek_http_user_agent" merge => { "[http][useragent]" => "[zeek_http][user_agent]" } } - ruby { - id => "ruby_zeek_http_useragentCnt" - code => "event.set('[http][useragentCnt]', event.get('[http][useragent]').length)" - } + mutate { id => "mutate_add_field_http_useragentCnt" + add_field => { "[http][useragentCnt]" => "1" } } } if ([zeek_http][orig_mime_types]) { mutate { id => "mutate_merge_zeek_http_orig_mime_types" - merge => { "[@metadata][mime_types]" => "[zeek_http][orig_mime_types]" } } + merge => { "[http][bodyMagic]" => "[zeek_http][orig_mime_types]" } } } if ([zeek_http][resp_mime_types]) { mutate { id => "mutate_merge_zeek_http_resp_mime_types" - merge => { "[@metadata][mime_types]" => "[zeek_http][resp_mime_types]" } } + merge => { "[http][bodyMagic]" => "[zeek_http][resp_mime_types]" } } } - if ([@metadata][mime_types]) { - mutate { id => "mutate_merge_zeek_http_bodyMagic" - merge => { "[http][bodyMagic]" => "[@metadata][mime_types]" } } + if ([http][bodyMagic]) { ruby { id => "ruby_zeek_http_bodyMagicCnt" - code => "event.set('[http][bodyMagicCnt]', event.get('[@metadata][mime_types]').length)" + code => "event.set('[http][bodyMagicCnt]', event.get('[http][bodyMagic]').length)" } - # collect all mime types under the parent [zeek][filetype] array - mutate { id => "mutate_merge_zeek_http_filetype" - merge => { "[zeek][filetype]" => "[@metadata][mime_types]" } } } if ([zeek_http][version]) { mutate { id => "mutate_merge_zeek_http_clientVersion" merge => { "[http][clientVersion]" => "[zeek_http][version]" } } - ruby { - id => "ruby_zeek_http_clientVersionCnt" - code => "event.set('[http][clientVersionCnt]', event.get('[http][clientVersion]').length)" - } + mutate { id => "mutate_add_field_http_clientVersion" + add_field => { "[http][clientVersionCnt]" => "1" } } } if ([zeek_http][status_code]) { mutate { id => "mutate_merge_zeek_http_statuscode" merge => { "[http][statuscode]" => "[zeek_http][status_code]" } } - ruby { - id => "ruby_zeek_http_statuscodeCnt" - code => "event.set('[http][statuscodeCnt]', event.get('[http][statuscode]').length)" - } + mutate { id => "mutate_add_field_http_statuscodeCnt" + add_field => { "[http][statuscodeCnt]" => "1" } } } if ([zeek_http][method]) { mutate { id => "mutate_merge_zeek_http_method" merge => { "[http][method]" => "[zeek_http][method]" } } - ruby { - id => "ruby_zeek_http_methodCnt" - code => "event.set('[http][methodCnt]', event.get('[http][method]').length)" - } + mutate { id => "mutate_add_field_http_methodCnt" + add_field => { "[http][methodCnt]" => "1" } } } ruby { @@ -2968,77 +2957,34 @@ filter { code => "event.set('[totDataBytes]', event.get('[zeek_http][response_body_len]').to_i + event.get('[zeek_http][request_body_len]').to_i)" } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_http][orig_fuids]) { mutate { id => "mutate_merge_zeek_http_orig_fuids_to_fuid" - merge => { "[zeek][fuid]" => "[zeek_http][orig_fuids]" } } } - if ([zeek_http][resp_fuids]) { mutate { id => "mutate_merge_zeek_resp_fuids_to_fuid" - merge => { "[zeek][fuid]" => "[zeek_http][resp_fuids]" } } } - - # collect all filenames under the parent [zeek][filename] array - if ([zeek_http][orig_filenames]) { mutate { id => "mutate_merge_zeek_http_orig_filenames_to_filename" - merge => { "[zeek][filename]" => "[zeek_http][orig_filenames]" } } } - if ([zeek_http][resp_filenames]) { mutate { id => "mutate_merge_zeek_http_resp_filenames_to_filename" - merge => { "[zeek][filename]" => "[zeek_http][resp_filenames]" } } } - } else if ([source] == "irc") { ############################################################################################################################# # irc.log specific logic - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_irc][fuid]) { - mutate { id => "mutate_split_zeek_irc_fuid" - split => { "[zeek_irc][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_irc_fuid" - merge => { "[zeek][fuid]" => "[zeek_irc][fuid]" } } - } - - # collect all filenames under the parent [zeek][filename] array - if ([zeek_irc][dcc_file_name]) { mutate { id => "mutate_merge_zeek_irc_filename" - merge => { "[zeek][filename]" => "[zeek_irc][dcc_file_name]" } } } - - # collect all mime types under the parent [zeek][filetype] array - if ([zeek_irc][dcc_mime_type]) { mutate { id => "mutate_merge_zeek_irc_filetype" - merge => { "[zeek][filetype]" => "[zeek_irc][dcc_mime_type]" } } } - if ([zeek_irc][nick]) { mutate { id => "mutate_merge_zeek_irc_nick" merge => { "[irc][nick]" => "[zeek_irc][nick]" } } - ruby { - id => "ruby_zeek_irc_nickCnt" - code => "event.set('[irc][nickCnt]', event.get('[irc][nick]').length)" - } + mutate { id => "mutate_add_field_irc_nickCnt" + add_field => { "[irc][nickCnt]" => "1" } } + # store "nick" alongside "user" + mutate { id => "mutate_merge_irc_nick_user" + merge => { "[zeek][user]" => "[zeek_irc][nick]" } } } if ([zeek_irc][command]) and ([zeek_irc][value]) and (([zeek_irc][command] == "JOIN") or ([zeek_irc][command] == "PART")) { mutate { id => "mutate_merge_zeek_irc_channel" merge => { "[irc][channel]" => "[zeek_irc][value]" } } - ruby { - id => "ruby_zeek_irc_channelCnt" - code => "event.set('[irc][channelCnt]', event.get('[irc][channel]').length)" - } + mutate { id => "mutate_add_field_irc_channelCnt" + add_field => { "[irc][channelCnt]" => "1" } } } } else if ([source] == "intel") { ############################################################################################################################# # intel.log specific logic - if ([zeek_intel][sources]) { - mutate { id => "mutate_split_zeek_intel_sources" - split => { "[zeek_intel][sources]" => "," } } - } - - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_intel][fuid]) { - mutate { id => "mutate_split_zeek_intel_fuid" - split => { "[zeek_intel][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_intel_fuid" - merge => { "[zeek][fuid]" => "[zeek_intel][fuid]" } } - } - - # collect all mime types under the parent [zeek][filetype] array - if ([zeek_intel][file_mime_type]) { mutate { id => "mutate_merge_zeek_intel_filetype" - merge => { "[zeek][filetype]" => "[zeek_intel][file_mime_type]" } } } + if ([zeek_intel][sources]) { mutate { id => "mutate_split_zeek_intel_sources" + split => { "[zeek_intel][sources]" => "," } } } } else if ([source] == "kerberos") { @@ -3048,19 +2994,15 @@ filter { if ([zeek_kerberos][cname]) { mutate { id => "mutate_merge_zeek_kerberos_cname" merge => { "[krb5][cname]" => "[zeek_kerberos][cname]" } } - ruby { - id => "ruby_zeek_kerberos_cnameCnt" - code => "event.set('[krb5][cnameCnt]', event.get('[krb5][cname]').length)" - } + mutate { id => "mutate_add_field_kerberos_cnameCnt" + add_field => { "[krb5][cnameCnt]" => "1" } } } if ([zeek_kerberos][sname]) { mutate { id => "mutate_merge_zeek_kerberos_sname" merge => { "[krb5][sname]" => "[zeek_kerberos][sname]" } } - ruby { - id => "ruby_zeek_kerberos_snameCnt" - code => "event.set('[krb5][snameCnt]', event.get('[krb5][sname]').length)" - } + mutate { id => "mutate_add_field_kerberos_snameCnt" + add_field => { "[krb5][snameCnt]" => "1" } } } if ([zeek_kerberos][from]) { @@ -3070,7 +3012,7 @@ filter { target => "[@metadata][krb_time_from]" } if ([@metadata][krb_time_from]) { mutate { id => "mutate_replace_zeek_kerberos_from" - replace => { "[zeek_kerberos][from]" => "%{[@metadata][krb_time_from]}" } } } + replace => { "[zeek_kerberos][from]" => "%{[@metadata][krb_time_from]}" } } } } if ([zeek_kerberos][till]) { date { @@ -3082,23 +3024,11 @@ filter { replace => { "[zeek_kerberos][till]" => "%{[@metadata][krb_time_till]}" } } } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_kerberos][client_cert_fuid]) { - mutate { id => "mutate_split_zeek_kerberos_client_cert_fuid" - split => { "[zeek_kerberos][client_cert_fuid]" => "," } } - mutate { id => "mutate_merge_zeek_kerberos_client_cert_fuid" - merge => { "[@metadata][cert_fuids]" => "[zeek_kerberos][client_cert_fuid]" } } - } - if ([zeek_kerberos][server_cert_fuid]) { - mutate { id => "mutate_split_zeek_kerberos_server_cert_fuid" - split => { "[zeek_kerberos][server_cert_fuid]" => "," } } - mutate { id => "mutate_merge_zeek_kerberos_server_cert_fuid" - merge => { "[@metadata][cert_fuids]" => "[zeek_kerberos][server_cert_fuid]" } } - } - if ([@metadata][cert_fuids]) { - mutate { id => "mutate_merge_zeek_kerberos_fuids_to_fuid" - merge => { "[zeek][fuid]" => "[@metadata][cert_fuids]" } } - } + if ([zeek_kerberos][client_cert_fuid]) { mutate { id => "mutate_split_zeek_kerberos_client_cert_fuid" + split => { "[zeek_kerberos][client_cert_fuid]" => "," } } } + + if ([zeek_kerberos][server_cert_fuid]) { mutate { id => "mutate_split_zeek_kerberos_server_cert_fuid" + split => { "[zeek_kerberos][server_cert_fuid]" => "," } } } } else if ([source] == "ldap") { ############################################################################################################################# @@ -3119,39 +3049,18 @@ filter { } } - mutate { - id => "mutate_zeek_ldap_convert" - convert => { - "[zeek_ldap][message_id]" => "integer" - "[zeek_ldap][result_code]" => "integer" - } - } - - } else if ([source] == "modbus_register_change") { - ############################################################################################################################# - # modbus_register_change.log specific logic - - mutate { - id => "mutate_zeek_modbus_register_change_convert" - convert => { - "[zeek_modbus_register_change][register]" => "integer" - "[zeek_modbus_register_change][old_val]" => "integer" - "[zeek_modbus_register_change][new_val]" => "integer" - "[zeek_modbus_register_change][delta]" => "float" - } - } - } else if ([source] == "mqtt_publish") { ############################################################################################################################# # mqtt_publish.log specific logic - mutate { - id => "mutate_zeek_mqtt_publish_convert_payload_len" - convert => { - "[zeek_mqtt_publish][payload_len]" => "integer" - } + # MQTT payload *may* be JSON, or it may not + json { + skip_on_invalid_json => true + source => "[zeek_mqtt_publish][payload]" + target => "[zeek_mqtt_publish][payload_dict]" } + } else if ([source] == "mqtt_subscribe") { ############################################################################################################################# # mqtt_subscribe.log specific logic @@ -3160,30 +3069,46 @@ filter { split => { "[zeek_mqtt_subscribe][topics]" => "," "[zeek_mqtt_subscribe][qos_levels]" => "," } } - mutate { - id => "mutate_zeek_mqtt_subscribe_convert_field" - convert => { - "[zeek_mqtt_subscribe][qos_levels]" => "integer" - "[zeek_mqtt_subscribe][granted_qos_level]" => "integer" - } - } - } else if ([source] == "notice") { ############################################################################################################################# # notice.log specific logic mutate { id => "mutate_split_zeek_notice_actions" split => { "[zeek_notice][actions]" => "," } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_notice][fuid]) { - mutate { id => "mutate_split_zeek_notice_fuid" - split => { "[zeek_notice][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_notice_fuid" - merge => { "[zeek][fuid]" => "[zeek_notice][fuid]" } } + # split "Category::Subcategory" into two different fields + ruby { + id => "ruby_zeek_notice_category_extract" + code => " + if (noticeNote = event.get('[zeek_notice][note]')) and (noticeParts = noticeNote.split('::')) then + if (noticeParts.length >= 2) then + event.set('[zeek_notice][category]', noticeParts[0]) + event.set('[zeek_notice][sub_category]', noticeParts[1]) + elsif (noticeParts.length == 1) then + event.set('[zeek_notice][category]', noticeParts[0]) + end + end" + } + + if ([zeek_notice][category] == "ATTACK") and ([zeek_notice][msg] =~ /(from|against|to)\s+host/) { + # ATTACK::Discovery - Detected activity from host 192.168.199.133, total attempts 5 within timeframe 5.0 mins + # but no IP addresses set :( + if (![srcIp]) { + grok { + id => "grok_zeek_notice_attack_src_hosts" + match => { "[zeek_notice][msg]" => [ "from%{SPACE}host%{SPACE}%{DATA:[srcIp]}%{SPACE}($|[^\d:\.\w-]+)" ] } + } + if ([srcIp]) { mutate { id => "mutate_add_field_zeek_orig_h_attack" + add_field => { "[zeek][orig_h]" => "%{[srcIp]}" } } } + } + if (![dstIp]) { + grok { + id => "grok_zeek_notice_attack_dst_hosts" + match => { "[zeek_notice][msg]" => [ "(against|to)%{SPACE}host%{SPACE}%{DATA:[dstIp]}%{SPACE}($|[^\d:\.\w-]+)" ] } + } + if ([dstIp]) { mutate { id => "mutate_add_field_zeek_resp_h_attack" + add_field => { "[zeek][resp_h]" => "%{[dstIp]}" } } } + } } - # collect all mime types under the parent [zeek][filetype] array - if ([zeek_notice][file_mime_type]) { mutate { id => "mutate_merge_zeek_notice_filetype" - merge => { "[zeek][filetype]" => "[zeek_notice][file_mime_type]" } } } } else if ([source] == "ntp") { ############################################################################################################################# @@ -3266,20 +3191,6 @@ filter { } } - # convert various data types - mutate { - id => "mutate_convert_zeek_ntp" - convert => { - "[zeek_ntp][mode]" => "integer" - "[zeek_ntp][num_exts]" => "float" - "[zeek_ntp][poll]" => "float" - "[zeek_ntp][precision]" => "float" - "[zeek_ntp][root_delay]" => "float" - "[zeek_ntp][root_disp]" => "float" - "[zeek_ntp][version]" => "integer" - } - } - } else if ([source] == "pe") { ############################################################################################################################# # pe.log specific logic @@ -3287,7 +3198,6 @@ filter { mutate { id => "mutate_split_zeek_pe_section_names" split => { "[zeek_pe][section_names]" => "," } } - if ([zeek_pe][compile_ts]) { if ([zeek_pe][compile_ts] == "0.000000") { mutate { @@ -3303,14 +3213,6 @@ filter { } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_pe][fuid]) { - mutate { id => "mutate_split_zeek_pe_fuid" - split => { "[zeek_pe][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_pe_fuid" - merge => { "[zeek][fuid]" => "[zeek_pe][fuid]" } } - } - } else if ([source] == "radius") { ############################################################################################################################# # radius.log specific logic @@ -3321,27 +3223,25 @@ filter { if ([zeek_radius][framed_addr]) { mutate { id => "mutate_merge_zeek_radius_framed_addr" merge => { "[radius][framedIp]" => "[zeek_radius][framed_addr]" } } - ruby { - id => "ruby_zeek_radius_framedIpCnt" - code => "event.set('[radius][framedIpCnt]', event.get('[radius][framedIp]').length)" - } + mutate { id => "mutate_add_field_radius_framedIpCnt" + add_field => { "[radius][framedIpCnt]" => "1" } } } if ([zeek_radius][tunnel_client]) { mutate { id => "mutate_merge_zeek_radius_tunnel_client" merge => { "[radius][endpointIp]" => "[zeek_radius][tunnel_client]" } } - ruby { - id => "ruby_zeek_radius_endpointIpCnt" - code => "event.set('[radius][endpointIpCnt]', event.get('[radius][endpointIp]').length)" - } + mutate { id => "mutate_add_field_radius_endpointIpCnt" + add_field => { "[radius][endpointIpCnt]" => "1" } } } if ([zeek_radius][mac]) { mutate { id => "mutate_merge_zeek_radius_mac" merge => { "[radius][mac]" => "[zeek_radius][mac]" } } - ruby { - id => "ruby_zeek_radius_macCnt" - code => "event.set('[radius][macCnt]', event.get('[radius][mac]').length)" + mutate { id => "mutate_add_field_radius_macCnt" + add_field => { "[radius][macCnt]" => "1" } } + if (![zeek][orig_l2_addr]) { + mutate { id => "mutate_merge_zeek_radius_zeek_mac" + merge => { "[zeek][orig_l2_addr]" => "[zeek_radius][mac]" } } } } @@ -3352,6 +3252,7 @@ filter { mutate { id => "mutate_split_zeek_rdp_client_channels" split => { "[zeek_rdp][client_channels]" => "," } } + } else if ([source] == "s7comm") { ############################################################################################################################# # s7comm.log specific logic @@ -3378,13 +3279,6 @@ filter { split => { "[zeek_s7comm][data_info]" => "," } } } - mutate { - id => "mutate_convert_zeek_s7comm_item_count" - convert => { - "[zeek_s7comm][item_count]" => "integer" - } - } - } else if ([source] == "signatures") { ############################################################################################################################# # signatures.log specific logic @@ -3392,12 +3286,12 @@ filter { if ("_carved" in [tags]) { # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it + # sub_message contains fuid(s) comma-separated if ([zeek_signatures][sub_message]) { - # sub_message contains fuid(s) comma-separated mutate { id => "mutate_split_zeek_signatures_sub_message" split => { "[zeek_signatures][sub_message]" => "," } } - mutate { id => "mutate_merge_zeek_signatures_fuid" - merge => { "[zeek][fuid]" => "[zeek_signatures][sub_message]" } } + mutate { id => "mutate_rename_zeek_signatures_sub_message" + rename => { "[zeek_signatures][sub_message]" => "[zeek][fuid]" } } } if ([zeek_signatures][event_message]) { @@ -3426,131 +3320,155 @@ filter { } # _carved - # signature_count is the number of hits - if ([zeek_signatures][signature_count]) { - mutate { - id => "mutate_convert_zeek_signatures_signature_count" - convert => { - "[zeek_signatures][signature_count]" => "integer" - } - } - } - - # signature_count is the number of engines which scanned the file - if ([zeek_signatures][host_count]) { - mutate { - id => "mutate_convert_zeek_signatures_host_count" - convert => { - "[zeek_signatures][host_count]" => "integer" - } - } - } - } else if ([source] == "sip") { ############################################################################################################################# # sip.log specific logic + ruby { + id => "ruby_zeek_field_zeek_sip_version" + code => ' + versions = Array.new + paths = [event.get("[zeek_sip][request_path]"), event.get("[zeek_sip][response_path]")].compact.join(",") + paths.scan(/\bSIP:?\/([\d\.]+)/i) { |match| versions << match[0] } + event.set("[zeek_sip][version]", versions.uniq)' + } + mutate { id => "mutate_split_zeek_sip_request_path" split => { "[zeek_sip][request_path]" => "," } } + mutate { id => "mutate_split_zeek_sip_response_path" split => { "[zeek_sip][response_path]" => "," } } - } else if ([source] == "smb_files") { + + } else if ([source] == "smb_cmd") or ([source] == "smb_files") { ############################################################################################################################# - # smb_files.log specific logic - - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_smb_files][fuid]) { - mutate { id => "mutate_split_zeek_smb_files_fuid" - split => { "[zeek_smb_files][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_smb_files_fuid" - merge => { "[zeek][fuid]" => "[zeek_smb_files][fuid]" } } - } - # collect all filenames under the parent [zeek][filename] array - if ([zeek_smb_files][name]) { mutate { id => "mutate_merge_zeek_smb_files_name_to_filename" - merge => { "[zeek][filename]" => "[zeek_smb_files][name]" } } } - if ([zeek_smb_files][prev_name]) { mutate { id => "mutate_merge_zeek_smb_files_prev_name_to_filename" - merge => { "[zeek][filename]" => "[zeek_smb_files][prev_name]" } } } - - if ([zeek][filename]) { - mutate { id => "mutate_merge_zeek_smb_files_filename" - merge => { "[smb][filename]" => "[zeek][filename]" } } - ruby { - id => "ruby_zeek_smb_files_filenameCnt" - code => "event.set('[smb][filenameCnt]', event.get('[smb][filename]').length)" - } - } + # smb_cmd.log and smb_files.log specific logic + # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files, which is why I've combined + # the logic here to avoid duplication - if ([zeek_smb_files][path]) { - grok { - id => "grok_zeek_smb_files_path" - match => { "[zeek_smb_files][path]" => [ "^%{SPACE}[\\\/]+%{DATA:[@metadata][smb_host]}[\\\/]+%{DATA:[@metadata][smb_share]}(?:[\\\/]+%{GREEDYDATA:[@metadata][smb_path]})?$" ] } - } - if ([@metadata][smb_host]) { - mutate { id => "mutate_merge_zeek_smb_files_host" - merge => { "[smb][host]" => "[@metadata][smb_host]" } } + if ([zeek_smb_cmd]) { + + if ([zeek_smb_cmd][referenced_file]) { + + # move "up" referenced_file to its own smb_files top-level entity + mutate { + id => "mutate_rename_zeek_zeek_smb_cmd_referenced_file" + rename => { "[zeek_smb_cmd][referenced_file]" => "[zeek_smb_files]" } + } + + # remove unset (-) or "(empty)" referenced_file (now zeek_smb_files) subfield values ruby { - id => "ruby_zeek_smb_files_hostCnt" - code => "event.set('[smb][hostCnt]', event.get('[smb][host]').length)" + id => "ruby_zeek_remove_empty_smb_cmd_referenced_file_values" + code => " + fieldsHash = event.get('[zeek_smb_files]').to_hash + fieldsHash.delete_if{|_,v| ((v == nil) or (v == '') or (v == '-') or (v == '(empty)'))} + event.set('[zeek_smb_files]', fieldsHash) + " } - } - if ([@metadata][smb_share]) { - mutate { id => "mutate_merge_zeek_smb_files_share" - merge => { "[smb][share]" => "[@metadata][smb_share]" } } + + # collect referenced file FUID(s) at parent level (here rather than in 12_zeek_normalize.conf because + # this would have already been done as a root-level fuid array in the main "rename" above if we + # had not had to move it up a level just now) + if ([zeek_smb_files][fuid]) { + mutate { id => "mutate_merge_zeek_smb_files_fuid" + merge => { "[zeek][fuid]" => "[zeek_smb_files][fuid]" } } + mutate { id => "mutate_remove_zeek_smb_files_fuid" + remove_field => [ "[zeek_smb_files][fuid]" ] } + } + + if ([zeek_smb_files][action]) { mutate { id => "mutate_gsub_zeek_smb_cmd_referenced_file_action" + gsub => [ "[zeek_smb_files][action]", "^SMB::", "" ] } } + + # this timestamp conversion would have happened originally had this been its own line from smb_files + if ([zeek_smb_files][ts]) { + # convert @timestamp to UNIX to use native kibana features + date { + id => "date_zeek_smb_files_ts" + match => [ "[zeek_smb_files][ts]", "UNIX" ] + target => "[@metadata][zeek_smb_files_ts]" + } + mutate { id => "mutate_replace_zeek_smb_files_ts" + replace => { "[zeek_smb_files][ts]" => "%{[@metadata][zeek_smb_files_ts]}" } } + } # if ([zeek_smb_files][ts]) + + } # if ([zeek_smb_cmd][referenced_file]) + + } # if ([zeek_smb_cmd]) + + # this should now apply to either lines from smb_files.log or smb_cmd.referenced_file + if ([zeek_smb_files]) { + + if ([zeek_smb_files][name]) { mutate { id => "mutate_merge_zeek_smb_files_name_to_filename" + merge => { "[smb][filename]" => "[zeek_smb_files][name]" } } } + if ([zeek_smb_files][prev_name]) { mutate { id => "mutate_merge_zeek_smb_files_prev_name_to_filename" + merge => { "[smb][filename]" => "[zeek_smb_files][prev_name]" } } } + if ([smb][filename]) { ruby { - id => "ruby_zeek_smb_files_shareCnt" - code => "event.set('[smb][shareCnt]', event.get('[smb][share]').length)" + id => "ruby_zeek_smb_files_filenameCnt" + code => "event.set('[smb][filenameCnt]', event.get('[smb][filename]').length)" } } - } - # convert times to something more usable - if ([zeek_smb_files][times_modified]) { - date { - id => "date_zeek_smb_files_times_modified" - match => [ "[zeek_smb_files][times_modified]", "UNIX" ] - target => "[@metadata][smb_time_mod]" + if ([zeek_smb_files][path]) { + grok { + id => "grok_zeek_smb_files_path" + match => { "[zeek_smb_files][path]" => [ "^%{SPACE}[\\\/]+%{DATA:[@metadata][smb_host]}[\\\/]+%{DATA:[@metadata][smb_share]}(?:[\\\/]+%{GREEDYDATA:[@metadata][smb_path]})?$" ] } + } + if ([@metadata][smb_host]) { + mutate { id => "mutate_merge_zeek_smb_files_host" + merge => { "[smb][host]" => "[@metadata][smb_host]" } } + mutate { id => "mutate_add_field_smb_hostCnt" + add_field => { "[smb][hostCnt]" => "1" } } + } + if ([@metadata][smb_share]) { + mutate { id => "mutate_merge_zeek_smb_files_share" + merge => { "[smb][share]" => "[@metadata][smb_share]" } } + ruby { + id => "ruby_zeek_smb_files_shareCnt" + code => "event.set('[smb][shareCnt]', event.get('[smb][share]').length)" + } + } } - if ([@metadata][smb_time_mod]) { mutate { id => "mutate_replace_zeek_smb_files_times_modified" - replace => { "[zeek_smb_files][times_modified]" => "%{[@metadata][smb_time_mod]}" } } } - } - if ([zeek_smb_files][times_accessed]) { - date { - id => "date_zeek_smb_files_times_accessed" - match => [ "[zeek_smb_files][times_accessed]", "UNIX" ] - target => "[@metadata][smb_time_acc]" + + # convert times to something more usable + if ([zeek_smb_files][times_modified]) { + date { + id => "date_zeek_smb_files_times_modified" + match => [ "[zeek_smb_files][times_modified]", "UNIX" ] + target => "[@metadata][smb_time_mod]" + } + if ([@metadata][smb_time_mod]) { mutate { id => "mutate_replace_zeek_smb_files_times_modified" + replace => { "[zeek_smb_files][times_modified]" => "%{[@metadata][smb_time_mod]}" } } } } - if ([@metadata][smb_time_acc]) { mutate { id => "mutate_replace_zeek_smb_files_times_accessed" - replace => { "[zeek_smb_files][times_accessed]" => "%{[@metadata][smb_time_acc]}" } } } - } - if ([zeek_smb_files][times_created]) { - date { - id => "date_zeek_smb_files_times_created" - match => [ "[zeek_smb_files][times_created]", "UNIX" ] - target => "[@metadata][smb_time_cre]" + if ([zeek_smb_files][times_accessed]) { + date { + id => "date_zeek_smb_files_times_accessed" + match => [ "[zeek_smb_files][times_accessed]", "UNIX" ] + target => "[@metadata][smb_time_acc]" + } + if ([@metadata][smb_time_acc]) { mutate { id => "mutate_replace_zeek_smb_files_times_accessed" + replace => { "[zeek_smb_files][times_accessed]" => "%{[@metadata][smb_time_acc]}" } } } } - if ([@metadata][smb_time_cre]) { mutate { id => "mutate_replace_zeek_smb_files_times_created" - replace => { "[zeek_smb_files][times_created]" => "%{[@metadata][smb_time_cre]}" } } } - } - if ([zeek_smb_files][times_changed]) { - date { - id => "date_zeek_smb_files_times_changed" - match => [ "[zeek_smb_files][times_changed]", "UNIX" ] - target => "[@metadata][smb_time_cha]" + if ([zeek_smb_files][times_created]) { + date { + id => "date_zeek_smb_files_times_created" + match => [ "[zeek_smb_files][times_created]", "UNIX" ] + target => "[@metadata][smb_time_cre]" + } + if ([@metadata][smb_time_cre]) { mutate { id => "mutate_replace_zeek_smb_files_times_created" + replace => { "[zeek_smb_files][times_created]" => "%{[@metadata][smb_time_cre]}" } } } } - if ([@metadata][smb_time_cha]) { mutate { id => "mutate_replace_zeek_smb_files_times_changed" - replace => { "[zeek_smb_files][times_changed]" => "%{[@metadata][smb_time_cha]}" } } } - } - - mutate { - id => "mutate_zeek_smb_files_convert" - convert => { - "[zeek_smb_files][data_offset_req]" => "integer" - "[zeek_smb_files][data_len_req]" => "integer" - "[zeek_smb_files][data_len_rsp]" => "integer" - + if ([zeek_smb_files][times_changed]) { + date { + id => "date_zeek_smb_files_times_changed" + match => [ "[zeek_smb_files][times_changed]", "UNIX" ] + target => "[@metadata][smb_time_cha]" + } + if ([@metadata][smb_time_cha]) { mutate { id => "mutate_replace_zeek_smb_files_times_changed" + replace => { "[zeek_smb_files][times_changed]" => "%{[@metadata][smb_time_cha]}" } } } } - } + + } # if ([zeek_smb_files]) } else if ([source] == "smb_mapping") { ############################################################################################################################# @@ -3560,10 +3478,6 @@ filter { # todo: figure out how to replace \\ -> \ mutate { id => "mutate_merge_zeek_smb_mapping_share" merge => { "[smb][share]" => "[zeek_smb_mapping][path]" } } - ruby { - id => "ruby_zeek_smb_mapping_shareCnt_orig" - code => "event.set('[smb][shareCnt]', event.get('[smb][share]').length)" - } } if ([zeek_smb_mapping][path]) { @@ -3574,18 +3488,19 @@ filter { if ([@metadata][smb_host]) { mutate { id => "mutate_merge_zeek_smb_mapping_host" merge => { "[smb][host]" => "[@metadata][smb_host]" } } - ruby { - id => "ruby_zeek_smb_mapping_hostCnt" - code => "event.set('[smb][hostCnt]', event.get('[smb][host]').length)" - } + mutate { id => "mutate_add_field_smb_mapping_hostCnt" + add_field => { "[smb][hostCnt]" => "1" } } } if ([@metadata][smb_share]) { mutate { id => "mutate_merge_zeek_smb_mapping_share_from_path" merge => { "[smb][share]" => "[@metadata][smb_share]" } } - ruby { - id => "ruby_zeek_smb_mapping_shareCnt" - code => "event.set('[smb][shareCnt]', event.get('[smb][share]').length)" - } + } + } + + if ([smb][share]) { + ruby { + id => "ruby_zeek_smb_mapping_shareCnt" + code => "event.set('[smb][shareCnt]', event.get('[smb][share]').length)" } } @@ -3602,21 +3517,11 @@ filter { mutate { id => "mutate_split_zeek_smtp_path" split => { "[zeek_smtp][path]" => "," } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_smtp][fuids]) { - mutate { id => "mutate_split_zeek_smtp_fuids" - split => { "[zeek_smtp][fuids]" => "," } } - mutate { id => "mutate_merge_zeek_smtp_fuids" - merge => { "[zeek][fuid]" => "[zeek_smtp][fuids]" } } - } - if ([zeek_smtp][user_agent]) { mutate { id => "mutate_merge_zeek_smtp_user_agent" merge => { "[email][useragent]" => "[zeek_smtp][user_agent]" } } - ruby { - id => "ruby_zeek_smtp_useragentCnt" - code => "event.set('[email][useragentCnt]', event.get('[email][useragent]').length)" - } + mutate { id => "mutate_add_field_email_useragentCnt" + add_field => { "[email][useragentCnt]" => "1" } } } if ([zeek_smtp][from]) { mutate { id => "mutate_merge_zeek_smtp_from" @@ -3660,10 +3565,8 @@ filter { if ([zeek_smtp][subject]) { mutate { id => "mutate_merge_zeek_smtp_subject" merge => { "[email][subject]" => "[zeek_smtp][subject]" } } - ruby { - id => "ruby_zeek_smtp_subjectCnt" - code => "event.set('[email][subjectCnt]', event.get('[email][subject]').length)" - } + mutate { id => "mutate_add_field_email_subjectCnt" + add_field => { "[email][subjectCnt]" => "1" } } } if ([zeek_smtp][msg_id]) { @@ -3704,19 +3607,16 @@ filter { # ssh.log specific logic if ([zeek_ssh][server]) { mutate { id => "mutate_merge_zeek_ssh_server_version" - merge => { "[ssh][version]" => "[zeek_ssh][server]" } } } + merge => { "[ssh][version]" => "[zeek_ssh][server]" } } } + if ([zeek_ssh][client]) { mutate { id => "mutate_merge_zeek_client_version" - merge => { "[ssh][version]" => "[zeek_ssh][client]" } } } - if (![ssh][version]) and ([zeek_ssh][version]) { - mutate { id => "mutate_merge_zeek_ssh_version" - merge => { "[ssh][version]" => "[zeek_ssh][version]" } } - } - if ([ssh][version]) { - ruby { - id => "ruby_zeek_ssh_versionCnt" - code => "event.set('[ssh][versionCnt]', event.get('[ssh][version]').length)" - } - } + merge => { "[ssh][version]" => "[zeek_ssh][client]" } } } + + if (![ssh][version]) and ([zeek_ssh][version]) { mutate { id => "mutate_merge_zeek_ssh_version" + merge => { "[ssh][version]" => "[zeek_ssh][version]" } } } + + if ([ssh][version]) { mutate { id => "mutate_add_field_ssh_versionCnt" + add_field => { "[ssh][versionCnt]" => "1" } } } if ([zeek_ssh][host_key] and [zeek_ssh][host_key_alg]) { # this is stupid, the %{} doesn't seem to be liked by mutate.merge @@ -3724,38 +3624,24 @@ filter { add_field => { "[@metadata][ssh_key_str]" => "%{[zeek_ssh][host_key_alg]} %{[zeek_ssh][host_key]}" } } mutate { id => "mutate_merge_zeek_ssh_key" merge => { "[ssh][key]" => "[@metadata][ssh_key_str]" } } - ruby { - id => "ruby_zeek_ssh_keyCnt" - code => "event.set('[ssh][keyCnt]', event.get('[ssh][key]').length)" - } + mutate { id => "mutate_add_field_ssh_keyCnt" + add_field => { "[ssh][keyCnt]" => "1" } } } # HASSH stuff (see https://github.com/salesforce/hassh/tree/master/bro) if ([zeek_ssh][hassh]) { - mutate { - id => "mutate_merge_zeek_ssh_hassh" - merge => { - "[ssh][hassh]" => "[zeek_ssh][hassh]" - } - } - mutate { - id => "mutate_add_field_zeek_ssh_hasshCnt" - add_field => { "[ssh][hasshCnt]" => "1" } - } + mutate { id => "mutate_merge_zeek_ssh_hassh" + merge => { "[ssh][hassh]" => "[zeek_ssh][hassh]" } } + mutate { id => "mutate_add_field_zeek_ssh_hasshCnt" + add_field => { "[ssh][hasshCnt]" => "1" } } } if ([zeek_ssh][hasshServer]) { - mutate { - id => "mutate_merge_zeek_ssh_hasshServer" - merge => { - "[ssh][hasshServer]" => "[zeek_ssh][hasshServer]" - } - } - mutate { - id => "mutate_add_field_zeek_ssh_hasshServerCnt" - add_field => { "[ssh][hasshServerCnt]" => "1" } - } + mutate { id => "mutate_merge_zeek_ssh_hasshServer" + merge => { "[ssh][hasshServer]" => "[zeek_ssh][hasshServer]" } } + mutate { id => "mutate_add_field_zeek_ssh_hasshServerCnt" + add_field => { "[ssh][hasshServerCnt]" => "1" } } } if ([zeek_ssh][hasshAlgorithms]) { mutate { id => "mutate_split_zeek_ssh_hasshAlgorithms" @@ -3868,19 +3754,15 @@ filter { if ([zeek_ssl][ssl_version]) { mutate { id => "mutate_merge_zeek_ssl_version" merge => { "[tls][version]" => "[zeek_ssl][ssl_version]" } } - ruby { - id => "ruby_zeek_ssl_versionCnt" - code => "event.set('[tls][versionCnt]', event.get('[tls][version]').length)" - } + mutate { id => "mutate_add_field_ssl_versionCnt" + add_field => { "[tls][versionCnt]" => "1" } } } if ([zeek_ssl][cipher]) { mutate { id => "mutate_merge_zeek_ssl_cipher" merge => { "[tls][cipher]" => "[zeek_ssl][cipher]" } } - ruby { - id => "ruby_zeek_ssl_cipherCnt" - code => "event.set('[tls][cipherCnt]', event.get('[tls][cipher]').length)" - } + mutate { id => "mutate_add_field_ssl_cipherCnt" + add_field => { "[tls][cipherCnt]" => "1" } } } if ([zeek_ssl][ja3]) { @@ -3897,23 +3779,11 @@ filter { add_field => { "[tls][ja3sCnt]" => "1" } } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_ssl][cert_chain_fuids]) { - mutate { id => "mutate_split_zeek_ssl_cert_chain_fuids" - split => { "[zeek_ssl][cert_chain_fuids]" => "," } } - mutate { id => "mutate_merge_zeek_ssl_cert_chain_fuids" - merge => { "[@metadata][cert_fuids]" => "[cert_chain_fuids]" } } - } - if ([zeek_ssl][client_cert_chain_fuids]) { - mutate { id => "mutate_split_zeek_ssl_client_cert_chain_fuids" - split => { "[zeek_ssl][client_cert_chain_fuids]" => "," } } - mutate { id => "mutate_merge_zeek_ssl_client_cert_chain_fuids" - merge => { "[@metadata][cert_fuids]" => "[zeek_ssl][client_cert_chain_fuids]" } } - } - if ([@metadata][cert_fuids]) { - mutate { id => "mutate_merge_zeek_ssl_fuids_to_fuid" - merge => { "[zeek][fuid]" => "[@metadata][cert_fuids]" } } - } + if ([zeek_ssl][cert_chain_fuids]) { mutate { id => "mutate_split_zeek_ssl_cert_chain_fuids" + split => { "[zeek_ssl][cert_chain_fuids]" => "," } } } + + if ([zeek_ssl][client_cert_chain_fuids]) { mutate { id => "mutate_split_zeek_ssl_client_cert_chain_fuids" + split => { "[zeek_ssl][client_cert_chain_fuids]" => "," } } } } else if ([source] == "tds_rpc") { ############################################################################################################################# @@ -4055,13 +3925,6 @@ filter { } } - # collect all FUIDs under the parent [zeek][fuid] array - if ([zeek_x509][fuid]) { - mutate { id => "mutate_split_zeek_x509_fuid" - split => { "[zeek_x509][fuid]" => "," } } - mutate { id => "mutate_merge_zeek_x509_fuid" - merge => { "[zeek][fuid]" => "[zeek_x509][fuid]" } } - } } # end if/else if/else for specific log type logic ####################################################################################################### @@ -4070,6 +3933,15 @@ filter { mutate { id => "mutate_rename_zeek_logType" rename => { "[source]" => "[zeek][logType]" } } + # kind of a unique case, smb_cmd can also be smb_files + if ([zeek][logType] == "smb_cmd") and ([zeek_smb_files]) { + # seriously I do not get how merge works, why can't I just merge the string literal? + mutate { id => "mutate_add_field_zeek_tmp_logtype" + add_field => { "[@metadata][tmpLogType]" => "smb_files" } } + mutate { id => "mutate_merge_zeek_smb_cmd_and_smb_files_logType" + merge => { "[zeek][logType]" => "[@metadata][tmpLogType]" } } + } + # get counts for some arrays that each log type may contribute to individually if ([protocol]) { ruby { @@ -4084,14 +3956,4 @@ filter { } } - # set data types for fields that belong to various zeek logs - mutate { - id => "mutate_convert_zeek_misc" - convert => { - "[zeek][fuidCnt]" => "integer" - "[zeek][filenameCnt]" => "integer" - "[zeek][filetypeCnt]" => "integer" - } - } - } # end Filter diff --git a/logstash/pipelines/zeek/12_zeek_normalize.conf b/logstash/pipelines/zeek/12_zeek_normalize.conf new file mode 100644 index 000000000..0ea15f2a0 --- /dev/null +++ b/logstash/pipelines/zeek/12_zeek_normalize.conf @@ -0,0 +1,282 @@ +filter { + + # Protocol/service version ########################################################################################## + # collect protocol version under the parent zeek.service_version array + + if ([zeek_gquic][version]) { mutate { id => "mutate_merge_normalize_zeek_gquic_version" + merge => { "[zeek][service_version]" => "[zeek_gquic][version]" } } } + + if ([zeek_http][version]) { mutate { id => "mutate_merge_normalize_zeek_http_version" + merge => { "[zeek][service_version]" => "[zeek_http][version]" } } } + + if ([zeek_ntp][version]) { mutate { id => "mutate_merge_normalize_zeek_ntp_version" + merge => { "[zeek][service_version]" => "[zeek_ntp][version]" } } } + + if ([zeek_profinet][block_version]) { mutate { id => "mutate_merge_normalize_zeek_profinet_block_version" + merge => { "[zeek][service_version]" => "[zeek_profinet][block_version]" } } } + + if ([zeek_profinet_dce_rpc][version]) { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_version" + merge => { "[zeek][service_version]" => "[zeek_profinet_dce_rpc][version]" } } } + + if ([zeek_rfb]) { + ruby { + id => "ruby_zeek_field_zeek_service_version_rfb" + code => ' + versions = Array.new + clientMajorVersion = event.get("[zeek_rfb][client_major_version]").sub!(/^0*/, "") + clientMinorVersion = event.get("[zeek_rfb][client_minor_version]").sub!(/^0*/, "") + serverMajorVersion = event.get("[zeek_rfb][server_major_version]").sub!(/^0*/, "") + serverMinorVersion = event.get("[zeek_rfb][server_minor_version]").sub!(/^0*/, "") + if clientMajorVersion then + versions << [clientMajorVersion, clientMinorVersion].join(".") + end + if serverMajorVersion then + versions << [serverMajorVersion, serverMinorVersion].join(".") + end + event.set("[zeek][service_version]", versions.uniq)' + } + } + + if ([zeek_rdp][client_build]) { mutate { id => "mutate_merge_normalize_zeek_rdp_client_build" + merge => { "[zeek][service_version]" => "[zeek_rdp][client_build]" } } } + + if ([zeek_sip][version]) { mutate { id => "mutate_merge_normalize_zeek_sip_version" + merge => { "[zeek][service_version]" => "[zeek_sip][version]" } } } + + if ([zeek_smb_cmd][version]) { mutate { id => "mutate_merge_normalize_zeek_smb_cmd_version" + merge => { "[zeek][service_version]" => "[zeek_smb_cmd][version]" } } } + + if ([zeek_snmp][version]) { mutate { id => "mutate_merge_normalize_zeek_snmp_version" + merge => { "[zeek][service_version]" => "[zeek_snmp][version]" } } } + + if ([zeek_socks][version]) { mutate { id => "mutate_merge_normalize_zeek_socks_version" + merge => { "[zeek][service_version]" => "[zeek_socks][version]" } } } + + if ([zeek_ssh][version]) { mutate { id => "mutate_merge_normalize_zeek_ssh_version" + merge => { "[zeek][service_version]" => "[zeek_ssh][version]" } } } + + if ([zeek_ssl][ssl_version]) { mutate { id => "mutate_merge_normalize_zeek_ssl_ssl_version" + merge => { "[zeek][service_version]" => "[zeek_ssl][ssl_version]" } } } + + if ([zeek][service_version]) { + ruby { + id => "ruby_zeek_service_version_uniq" + code => "event.set('[zeek][service_version]', event.get('[zeek][service_version]').uniq)" + } + } + + # Action ############################################################################################################ + # collect all actions/operations/commands under the parent [zeek][action] array + + if ([zeek_bacnet][service_choice]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_service_choice" + merge => { "[zeek][action]" => "[zeek_bacnet][service_choice]" } } } + + if ([zeek_cip][cip_service]) { mutate { id => "mutate_merge_normalize_zeek_cip_cip_service" + merge => { "[zeek][action]" => "[zeek_cip][cip_service]" } } } + + if ([zeek_dce_rpc][operation]) { mutate { id => "mutate_merge_normalize_zeek_dce_rpc_operation" + merge => { "[zeek][action]" => "[zeek_dce_rpc][operation]" } } } + + if ([zeek_dnp3][fc_request]) { mutate { id => "mutate_merge_normalize_zeek_dnp3_fc_request" + merge => { "[zeek][action]" => "[zeek_dnp3][fc_request]" } } } + + if ([zeek_enip][command]) { mutate { id => "mutate_merge_normalize_zeek_enip_command" + merge => { "[zeek][action]" => "[zeek_enip][command]" } } } + + if ([zeek_ftp][command]) { mutate { id => "mutate_merge_normalize_zeek_ftp_command" + merge => { "[zeek][action]" => "[zeek_ftp][command]" } } } + + if ([zeek_http][method]) { mutate { id => "mutate_merge_normalize_zeek_http_method" + merge => { "[zeek][action]" => "[zeek_http][method]" } } } + + if ([zeek_irc][command]) { mutate { id => "mutate_merge_normalize_zeek_irc_command" + merge => { "[zeek][action]" => "[zeek_irc][command]" } } } + + if ([zeek_iso_cotp][pdu_type]) { mutate { id => "mutate_merge_normalize_zeek_iso_cotp_pdu_type" + merge => { "[zeek][action]" => "[zeek_iso_cotp][pdu_type]" } } } + + if ([zeek_kerberos][request_type]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_request_type" + merge => { "[zeek][action]" => "[zeek_kerberos][request_type]" } } } + + if ([zeek_ldap][operation]) { mutate { id => "mutate_merge_normalize_zeek_ldap_operation" + merge => { "[zeek][action]" => "[zeek_ldap][operation]" } } } + + if ([zeek_modbus][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_func" + merge => { "[zeek][action]" => "[zeek_modbus][func]" } } } + + if ([zeek_mqtt_publish][payload_dict][messageType]) { + # not sure if this is a standard or just the PCAPs I found :/ + mutate { id => "mutate_merge_normalize_zeek_mqtt_publish_payload_dict_messageType" + merge => { "[zeek][action]" => "[zeek_mqtt_publish][payload_dict][messageType]" } } + } + + if ([zeek_mqtt_subscribe][action]) { mutate { id => "mutate_merge_normalize_zeek_mqtt_subscribe_action" + merge => { "[zeek][action]" => "[zeek_mqtt_subscribe][action]" } } } + + if ([zeek_mysql][cmd]) { mutate { id => "mutate_merge_normalize_zeek_mysql_cmd" + merge => { "[zeek][action]" => "[zeek_mysql][cmd]" } } } + + if ([zeek_ntp][mode_str]) { mutate { id => "mutate_merge_normalize_zeek_ntp_mode_str" + merge => { "[zeek][action]" => "[zeek_ntp][mode_str]" } } } + + if ([zeek_profinet][operation_type]) { mutate { id => "mutate_merge_normalize_zeek_profinet_operation_type" + merge => { "[zeek][action]" => "[zeek_profinet][operation_type]" } } } + + if ([zeek_profinet_dce_rpc][operation]) { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_operation" + merge => { "[zeek][action]" => "[zeek_profinet_dce_rpc][operation]" } } } + + if ([zeek_s7comm]) { + ruby { + # action = rosctr:mode:type:sub + id => "ruby_zeek_s7comm_generate_action" + code => " + actions = Array.new unless (actions = event.get('[zeek][action]')) + actions.append([event.get('[zeek_s7comm][rosctr]'), + event.get('[zeek_s7comm][parameters][mode]'), + event.get('[zeek_s7comm][parameters][type]'), + event.get('[zeek_s7comm][parameters][sub]')].compact.join(':')) + event.set('[zeek][action]', actions)" + } + } + + if ([zeek_smb_cmd]) { + ruby { + # action = command:sub_command + id => "ruby_zeek_smb_cmd_generate_action" + code => " + cmd = event.get('[zeek_smb_cmd][command]') + subCmd = event.get('[zeek_smb_cmd][sub_command]') + actions = Array.new unless (actions = event.get('[zeek][action]')) + actions.append((cmd =~ /^\s*transaction\d*\s*$/i) ? subCmd : [cmd, subCmd].compact.join(':')) + event.set('[zeek][action]', actions)" + } + } + + if ([zeek_smb_files][action]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_action" + merge => { "[zeek][action]" => "[zeek_smb_files][action]" } } } + + if ([zeek_sip][method]) { mutate { id => "mutate_merge_normalize_zeek_sip_method" + merge => { "[zeek][action]" => "[zeek_sip][method]" } } } + + if ([zeek_tds][command]) { mutate { id => "mutate_merge_normalize_zeek_tds_command" + merge => { "[zeek][action]" => "[zeek_tds][command]" } } } + + if ([zeek_tds_rpc][procedure_name]) { + + mutate { id => "mutate_add_field_zeek_tds_rpc_procedure_name_tmp" + add_field => { "[@metadata][zeek_tds_rpc_procedure_name_tmp]" => "%{[zeek_tds_rpc][procedure_name]}" } } + + # remove everything after the first $ + mutate { id => "mutate_gsub_field_zeek_tds_rpc_procedure_name_tmp" + gsub => [ "[@metadata][zeek_tds_rpc_procedure_name_tmp]", "\$.*", "" ] } + + mutate { id => "mutate_merge_normalize_zeek_tds_rpc_procedure_name" + merge => { "[zeek][action]" => "[@metadata][zeek_tds_rpc_procedure_name_tmp]" } } + } + + + if ([zeek_tunnel][action]) { mutate { id => "mutate_merge_normalize_zeek_tunnel_action" + merge => { "[zeek][action]" => "[zeek_tunnel][action]" } } } + + if ([zeek][action]) { + ruby { + id => "ruby_zeek_action_uniq" + code => "event.set('[zeek][action]', event.get('[zeek][action]').uniq)" + } + } + + # FUIDs ############################################################################################################# + # collect all other FUIDs under parent [zeek][fuid] array (some were already done at the root level in + # the "rename" in 11_zeek_logs.conf) + + if ([zeek_files][parent_fuid]) { mutate { id => "mutate_merge_normalize_zeek_files_parent_fuid" + merge => { "[zeek][fuid]" => "[zeek_files][parent_fuid]" } } } + + if ([zeek_http][orig_fuids]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_fuids" + merge => { "[zeek][fuid]" => "[zeek_http][orig_fuids]" } } } + + if ([zeek_http][resp_fuids]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_fuids" + merge => { "[zeek][fuid]" => "[zeek_http][resp_fuids]" } } } + + if ([zeek_kerberos][client_cert_fuid]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_client_cert_fuid" + merge => { "[zeek][fuid]" => "[zeek_kerberos][client_cert_fuid]" } } } + + if ([zeek_kerberos][server_cert_fuid]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_server_cert_fuid" + merge => { "[zeek][fuid]" => "[zeek_kerberos][server_cert_fuid]" } } } + + if ([zeek_ssl][cert_chain_fuids]) { mutate { id => "mutate_merge_normalize_zeek_ssl_cert_chain_fuids" + merge => { "[zeek][fuid]" => "[zeek_ssl][cert_chain_fuids]" } } } + + if ([zeek_ssl][client_cert_chain_fuids]) { mutate { id => "mutate_merge_normalize_zeek_ssl_client_cert_chain_fuids" + merge => { "[zeek][fuid]" => "[zeek_ssl][client_cert_chain_fuids]" } } } + + if ([zeek][fuid]) { + ruby { + id => "ruby_zeek_fuid_uniq" + code => "event.set('[zeek][fuid]', event.get('[zeek][fuid]').uniq)" + } + } + + # File/MIME types ################################################################################################### + # collect all file/MIME types under the parent [zeek][filetype] array + + if ([zeek_files][mime_type]) { mutate { id => "mutate_merge_normalize_zeek_files_mime_type" + merge => { "[zeek][filetype]" => "[zeek_files][mime_type]" } } } + + if ([zeek_ftp][mime_type]) { mutate { id => "mutate_merge_normalize_zeek_ftp_mime_type" + merge => { "[zeek][filetype]" => "[zeek_ftp][mime_type]" } } } + + if ([zeek_http][orig_mime_types]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_mime_types" + merge => { "[zeek][filetype]" => "[zeek_http][orig_mime_types]" } } } + + if ([zeek_http][resp_mime_types]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_mime_types" + merge => { "[zeek][filetype]" => "[zeek_http][resp_mime_types]" } } } + + if ([zeek_irc][dcc_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_mime_type" + merge => { "[zeek][filetype]" => "[zeek_irc][dcc_mime_type]" } } } + + if ([zeek_intel][file_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_intel_file_mime_type" + merge => { "[zeek][filetype]" => "[zeek_intel][file_mime_type]" } } } + + if ([zeek_notice][file_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_notice_file_mime_type" + merge => { "[zeek][filetype]" => "[zeek_notice][file_mime_type]" } } } + + if ([zeek_sip][content_type]) { mutate { id => "mutate_merge_normalize_zeek_sip_content_type" + merge => { "[zeek][filetype]" => "[zeek_sip][content_type]" } } } + + if ([zeek][filetype]) { + ruby { + id => "ruby_zeek_filetype_uniq" + code => "event.set('[zeek][filetype]', event.get('[zeek][filetype]').uniq)" + } + } + + # Filenames ######################################################################################################### + # collect all filenames under the parent [zeek][filename] array + + if ([zeek_files][filename]) { mutate { id => "mutate_merge_normalize_zeek_files_filename" + merge => { "[zeek][filename]" => "[zeek_files][filename]" } } } + + if ([zeek_http][orig_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_filenames" + merge => { "[zeek][filename]" => "[zeek_http][orig_filenames]" } } } + + if ([zeek_http][resp_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_filenames" + merge => { "[zeek][filename]" => "[zeek_http][resp_filenames]" } } } + + if ([zeek_irc][dcc_file_name]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_file_name" + merge => { "[zeek][filename]" => "[zeek_irc][dcc_file_name]" } } } + + if ([zeek_smb_files][name]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_name" + merge => { "[zeek][filename]" => "[zeek_smb_files][name]" } } } + + if ([zeek_smb_files][prev_name]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_prev_name" + merge => { "[zeek][filename]" => "[zeek_smb_files][prev_name]" } } } + + if ([zeek][filename]) { + ruby { + id => "ruby_zeek_filename_uniq" + code => "event.set('[zeek][filename]', event.get('[zeek][filename]').uniq)" + } + } + +} \ No newline at end of file diff --git a/logstash/pipelines/zeek/13_zeek_convert.conf b/logstash/pipelines/zeek/13_zeek_convert.conf new file mode 100644 index 000000000..7b14756d8 --- /dev/null +++ b/logstash/pipelines/zeek/13_zeek_convert.conf @@ -0,0 +1,35 @@ +filter { + + # set data types for fields that belong to various zeek logs + mutate { + id => "mutate_convert_zeek_bulk" + convert => { + "[zeek_dce_rpc][rtt]" => "float" + "[zeek_dns][rtt]" => "float" + "[zeek_ldap][message_id]" => "integer" + "[zeek_ldap][result_code]" => "integer" + "[zeek_modbus_register][delta]" => "float" + "[zeek_modbus_register][new_val]" => "integer" + "[zeek_modbus_register][old_val]" => "integer" + "[zeek_modbus_register][register]" => "integer" + "[zeek_mqtt_publish][payload_len]" => "integer" + "[zeek_mqtt_subscribe][granted_qos_level]" => "integer" + "[zeek_mqtt_subscribe][qos_levels]" => "integer" + "[zeek_ntp][mode]" => "integer" + "[zeek_ntp][num_exts]" => "float" + "[zeek_ntp][poll]" => "float" + "[zeek_ntp][precision]" => "float" + "[zeek_ntp][root_delay]" => "float" + "[zeek_ntp][root_disp]" => "float" + "[zeek_ntp][version]" => "integer" + "[zeek_s7comm][item_count]" => "integer" + "[zeek_signatures][host_count]" => "integer" + "[zeek_signatures][signature_count]" => "integer" + "[zeek_smb_cmd][rtt]" => "float" + "[zeek_smb_files][data_len_req]" => "integer" + "[zeek_smb_files][data_len_rsp]" => "integer" + "[zeek_smb_files][data_offset_req]" => "integer" + } + } + +} \ No newline at end of file diff --git a/logstash/scripts/ip-to-segment-logstash.py b/logstash/scripts/ip-to-segment-logstash.py index eae0795f1..3fe5c9010 100755 --- a/logstash/scripts/ip-to-segment-logstash.py +++ b/logstash/scripts/ip-to-segment-logstash.py @@ -1,7 +1,7 @@ #!/usr/bin/env python2 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. from __future__ import print_function @@ -12,6 +12,7 @@ import struct import ipaddress import itertools +import json import pprint import uuid from collections import defaultdict @@ -20,11 +21,31 @@ HOST_LIST_IDX = 0 SEGMENT_LIST_IDX = 1 +JSON_MAP_TYPE_SEGMENT = 'segment' +JSON_MAP_TYPE_HOST = 'host' +JSON_MAP_KEY_ADDR = 'address' +JSON_MAP_KEY_NAME = 'name' +JSON_MAP_KEY_TAG = 'tag' +JSON_MAP_KEY_TYPE = 'type' + ################################################################################################### # print to stderr def eprint(*args, **kwargs): print(*args, file=sys.stderr, **kwargs) +################################################################################################### +# recursively convert unicode strings to utf-8 strings +def byteify(input): + if isinstance(input, dict): + return {byteify(key): byteify(value) + for key, value in input.iteritems()} + elif isinstance(input, list): + return [byteify(element) for element in input] + elif isinstance(input, unicode): + return input.encode('utf-8') + else: + return input + ################################################################################################### # main def main(): @@ -32,6 +53,7 @@ def main(): # extract arguments from the command line # print (sys.argv[1:]); parser = argparse.ArgumentParser(description='Logstash IP address to Segment Filter Creator', add_help=False, usage='ip-to-segment-logstash.py ') + parser.add_argument('-m', '--mixed', dest='mixedInput', metavar='', type=str, nargs='*', default='', help='Input mixed JSON mapping file(s)') parser.add_argument('-s', '--segment', dest='segmentInput', metavar='', type=str, nargs='*', default='', help='Input segment mapping file(s)') parser.add_argument('-h', '--host', dest='hostInput', metavar='', type=str, nargs='*', default='', help='Input host mapping file(s)') parser.add_argument('-o', '--output', dest='output', metavar='', type=str, default='-', help='Output file') @@ -42,9 +64,10 @@ def main(): parser.print_help() exit(2) - # read segment input files into a single list, and host input files into another + # read each input file into its own list segmentLines = [] hostLines = [] + mixedEntries = [] for inFile in args.segmentInput: if os.path.isfile(inFile): @@ -54,11 +77,19 @@ def main(): if os.path.isfile(inFile): hostLines.extend([line.strip() for line in open(inFile)]) + for inFile in args.mixedInput: + try: + tmpMixedEntries = json.load(open(inFile, 'r')) + if isinstance(tmpMixedEntries, list): + mixedEntries.extend(byteify(tmpMixedEntries)); + except: + pass + # remove comments segmentLines = list(filter(lambda x: (len(x) > 0) and (not x.startswith('#')), segmentLines)) hostLines = list(filter(lambda x: (len(x) > 0) and (not x.startswith('#')), hostLines)) - if (len(segmentLines) > 0) or (len(hostLines) > 0): + if (len(segmentLines) > 0) or (len(hostLines) > 0) or (len(mixedEntries) > 0): filterId = 0 addedFields = set() @@ -142,6 +173,50 @@ def main(): else: eprint('"{}" is not formatted correctly, ignoring'.format(line)) + # handle mixed entries from the JSON-formatted file + for entry in mixedEntries: + + # the entry must at least contain type, address, name; may optionally contain tag + if (isinstance(entry, dict) and + all(key in entry for key in (JSON_MAP_KEY_TYPE, JSON_MAP_KEY_NAME, JSON_MAP_KEY_ADDR)) and + entry[JSON_MAP_KEY_TYPE] in (JSON_MAP_TYPE_SEGMENT, JSON_MAP_TYPE_HOST) and + (len(entry[JSON_MAP_KEY_NAME]) > 0) and + (len(entry[JSON_MAP_KEY_ADDR]) > 0)): + + addressList = [] + networkList = [] + + tagReq = entry[JSON_MAP_KEY_TAG] if (JSON_MAP_KEY_TAG in entry) and (len(entry[JSON_MAP_KEY_TAG]) > 0) else UNSPECIFIED_TAG + + # account for comma-separated multiple addresses per 'address' value + for addr in ''.join(entry[JSON_MAP_KEY_ADDR].split()).split(','): + + if (entry[JSON_MAP_KEY_TYPE] == JSON_MAP_TYPE_SEGMENT): + # potentially interpret address as a CIDR-formatted subnet + try: + networkList.append(str(ipaddress.ip_network(unicode(addr))).lower() if ('/' in addr) else str(ipaddress.ip_address(unicode(addr))).lower()) + except ValueError: + eprint('"{}" is not a valid IP address, ignoring'.format(addr)) + + else: + # should be an IP or MAC address + try: + # see if it's an IP address + addressList.append(str(ipaddress.ip_address(unicode(addr))).lower()) + except ValueError: + # see if it's a MAC address + if re.match(macAddrRegex, addr): + # prepend _ temporarily to distinguish a mac address + addressList.append("_{}".format(addr.replace('-', ':').lower())) + else: + eprint('"{}" is not a valid IP or MAC address, ignoring'.format(ip)) + + if (len(networkList) > 0): + tagListMap[tagReq][SEGMENT_LIST_IDX][entry[JSON_MAP_KEY_NAME]].extend(networkList) + + if (len(addressList) > 0): + tagListMap[tagReq][HOST_LIST_IDX][entry[JSON_MAP_KEY_NAME]].extend(addressList) + # go through the lists of segments/hosts, which will now be organized by required tag first, then # segment/host name, then the list of addresses for tag, nameMaps in tagListMap.iteritems(): @@ -156,7 +231,7 @@ def main(): for hostName, addrList in nameMaps[HOST_LIST_IDX].iteritems(): # ip addresses mapped to hostname - ipList = [a for a in addrList if not a.startswith('_')] + ipList = list(set([a for a in addrList if not a.startswith('_')])) if (len(ipList) >= 1): for source in ['orig', 'resp']: filterId += 1 @@ -171,7 +246,7 @@ def main(): addedFields.add("[zeek][{}]".format(newFieldName)) # mac addresses mapped to hostname - macList = [a for a in addrList if a.startswith('_')] + macList = list(set([a for a in addrList if a.startswith('_')])) if (len(macList) >= 1): for source in ['orig', 'resp']: filterId += 1 @@ -187,6 +262,7 @@ def main(): # for the segment(s) to be checked, create two cidr filters, one for source IP and one for dest IP for segmentName, ipList in nameMaps[SEGMENT_LIST_IDX].iteritems(): + ipList = list(set(ipList)) for source in ['orig', 'resp']: filterId += 1 # ip addresses/ranges mapped to network segment names diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index fb7979b80..13aae3f35 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e @@ -20,6 +20,7 @@ export PIPELINE_EXTRA_CONF_FILE="00_config.conf" # files defining IP->host and MAC->host mapping INPUT_CIDR_MAP="/usr/share/logstash/config/cidr-map.txt" INPUT_HOST_MAP="/usr/share/logstash/config/host-map.txt" +INPUT_MIXED_MAP="/usr/share/logstash/config/net-map.json" # the name of the enrichment pipeline subdirectory under $PIPELINES_DIR ENRICHMENT_PIPELINE=${LOGSTASH_ENRICHMENT_PIPELINE:-"enrichment"} @@ -32,7 +33,7 @@ export ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL=${LOGSTASH_ELASTICSEARCH_PIPELINE export ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL=${LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL:-"external-es"} ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES=${LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES:-"$ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL,$ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL"} -# ip-to-segment-logstash.py translate $INPUT_CIDR_MAP and $INPUT_HOST_MAP into this logstash filter file +# ip-to-segment-logstash.py translate $INPUT_CIDR_MAP, $INPUT_HOST_MAP, $INPUT_MIXED_MAP into this logstash filter file NETWORK_MAP_OUTPUT_FILTER="$PIPELINES_DIR"/"$ENRICHMENT_PIPELINE"/16_host_segment_filters.conf #################################################################################################################### @@ -63,7 +64,8 @@ find "$PIPELINES_DIR" -mindepth 1 -maxdepth 1 -type d -print0 2>/dev/null | sort ' # create filters for network segment and host mapping in the enrichment directory -/usr/local/bin/ip-to-segment-logstash.py --segment "$INPUT_CIDR_MAP" --host "$INPUT_HOST_MAP" -o "$NETWORK_MAP_OUTPUT_FILTER" +rm -f "$NETWORK_MAP_OUTPUT_FILTER" +/usr/local/bin/ip-to-segment-logstash.py --mixed "$INPUT_MIXED_MAP" --segment "$INPUT_CIDR_MAP" --host "$INPUT_HOST_MAP" -o "$NETWORK_MAP_OUTPUT_FILTER" if [[ -z "$ES_EXTERNAL_HOSTS" ]]; then # external ES host destination is not specified, remove external destination from enrichment pipeline output @@ -78,12 +80,8 @@ MALCOLM_ELASTICSEARCH_OUTPUT_PIPELINES=$(printf '"%s"\n' "${ELASTICSEARCH_OUTPUT find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_ELASTICSEARCH_OUTPUT_PIPELINES_/${MALCOLM_ELASTICSEARCH_OUTPUT_PIPELINES}/g" "{}" \; 2>/dev/null find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_PARSE_PIPELINE_ADDRESSES_/${MALCOLM_PARSE_PIPELINE_ADDRESSES}/g" "{}" \; 2>/dev/null -# experimental java execution engine (https://www.elastic.co/blog/meet-the-new-logstash-java-execution-engine) -if [[ "$LOGSTASH_JAVA_EXECUTION_ENGINE" == 'true' ]]; then - LOGSTASH_JAVA_FLAG="--java-execution" -else - LOGSTASH_JAVA_FLAG="" -fi -# start logstash -/usr/local/bin/docker-entrypoint $LOGSTASH_JAVA_FLAG +# start logstash (adapted from docker-entrypoint) +env2yaml /usr/share/logstash/config/logstash.yml +export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS" +exec logstash diff --git a/logstash/scripts/set_es_external_keystore.sh b/logstash/scripts/set_es_external_keystore.sh index 1f87f56b0..185a00079 100755 --- a/logstash/scripts/set_es_external_keystore.sh +++ b/logstash/scripts/set_es_external_keystore.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/logstash/supervisord.conf b/logstash/supervisord.conf new file mode 100644 index 000000000..7e23e2ee3 --- /dev/null +++ b/logstash/supervisord.conf @@ -0,0 +1,30 @@ +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +[inet_http_server] +port=0.0.0.0:9001 + +[supervisord] +nodaemon=true +logfile=/var/log/supervisor/supervisord.log +pidfile=/var/run/supervisord.pid +childlogdir=/var/log/supervisor + +[rpcinterface:supervisor] +supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface + +[supervisorctl] +serverurl=http://127.0.0.1:9001 + +[program:logstash] +command=/usr/local/bin/logstash-start.sh +user=logstash +autostart=true +startsecs=0 +startretries=0 +stopwaitsecs=60 +stopasgroup=true +killasgroup=true +stopsignal=INT +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index 8c0092501..479f89a09 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh @@ -50,6 +50,7 @@ if [ -d "$WORKDIR" ]; then mkdir -p ./output "./work/$IMAGE_NAME-Live-Build" pushd "./work/$IMAGE_NAME-Live-Build" >/dev/null 2>&1 rsync -a "$SCRIPT_PATH/config" . + rsync -a "$SCRIPT_PATH/../shared/vbox-guest-build" . mkdir -p ./config/hooks/live pushd ./config/hooks/live @@ -80,6 +81,17 @@ if [ -d "$WORKDIR" ]; then echo "firmware-misc-nonfree=$(dpkg -s firmware-misc-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot echo "firmware-amd-graphics=$(dpkg -s firmware-amd-graphics | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot + # virtualbox-guest .deb package(s) in its own clean environment (rather than in hooks/) + mkdir -p ./config/packages.chroot/ + bash ./vbox-guest-build/build-docker-image.sh + docker run --rm -v "$(pwd)"/vbox-guest-build:/build vboxguest-build:latest -o /build + rm -f ./vbox-guest-build/*-source*.deb \ + ./vbox-guest-build/*-dbgsym*.deb \ + ./vbox-guest-build/virtualbox_*.deb \ + ./vbox-guest-build/virtualbox-dkms_*.deb \ + ./vbox-guest-build/virtualbox-qt_*.deb + mv ./vbox-guest-build/*.deb ./config/packages.chroot/ + # grab things from the Malcolm parent directory into /etc/skel so the user's got it set up in their home/Malcolm dir pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 MALCOLM_DEST_DIR="$WORKDIR/work/$IMAGE_NAME-Live-Build/config/includes.chroot/etc/skel/Malcolm" @@ -104,19 +116,23 @@ if [ -d "$WORKDIR" ]; then YML_IMAGE_VERSION="$(grep -P "^\s+image:\s*malcolm" ./docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" [[ -n $YML_IMAGE_VERSION ]] && IMAGE_VERSION="$YML_IMAGE_VERSION" cp ./docker-compose-standalone.yml "$MALCOLM_DEST_DIR/docker-compose.yml" - cp ./docker-compose-standalone-zeek-live.yml "$MALCOLM_DEST_DIR/docker-compose-zeek-live.yml" cp ./cidr-map.txt "$MALCOLM_DEST_DIR/" cp ./host-map.txt "$MALCOLM_DEST_DIR/" - cp ./scripts/auth_setup.sh "$MALCOLM_DEST_DIR/scripts/" - cp ./scripts/start.sh "$MALCOLM_DEST_DIR/scripts/" - cp ./scripts/stop.sh "$MALCOLM_DEST_DIR/scripts/" - cp ./scripts/restart.sh "$MALCOLM_DEST_DIR/scripts/" - cp ./scripts/wipe.sh "$MALCOLM_DEST_DIR/scripts/" - cp ./scripts/logs.sh "$MALCOLM_DEST_DIR/scripts/" + cp ./net-map.json "$MALCOLM_DEST_DIR/" cp ./scripts/install.py "$MALCOLM_DEST_DIR/scripts/" + cp ./scripts/control.py "$MALCOLM_DEST_DIR/scripts/" + pushd "$MALCOLM_DEST_DIR/scripts/" >/dev/null 2>&1 + ln -s ./control.py start + ln -s ./control.py stop + ln -s ./control.py restart + ln -s ./control.py wipe + ln -s ./control.py logs + ln -s ./control.py auth_setup + sed -i 's@#!/usr/bin/env[[:space:]]*python$@#!/usr/bin/env python3@g' *.py + popd >/dev/null 2>&1 + cp ./scripts/malcolm_common.py "$MALCOLM_DEST_DIR/scripts/" cp ./README.md "$MALCOLM_DEST_DIR/" - cp ./nginx/certs/*.sh "$MALCOLM_DEST_DIR/nginx/certs/" - cp ./logstash/certs/Makefile ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/" + cp ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/" cp ./elastalert/config/* "$MALCOLM_DEST_DIR/elastalert/config/" cp ./elastalert/rules/* "$MALCOLM_DEST_DIR/elastalert/rules/" 2>/dev/null || true cp ./elastalert/sample-rules/* "$MALCOLM_DEST_DIR/elastalert/sample-rules/" 2>/dev/null || true @@ -156,7 +172,7 @@ if [ -d "$WORKDIR" ]; then --bootloaders "syslinux,grub-efi" \ --memtest none \ --chroot-filesystem squashfs \ - --backports false \ + --backports true \ --security true \ --updates true \ --source false \ diff --git a/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot index 5ee761fa7..5e39cd2e8 100755 --- a/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -6,6 +6,7 @@ export LANG=C.UTF-8 # python 3 pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \ beautifulsoup4 \ + colorama \ debinterface \ docker-compose \ netifaces \ diff --git a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot index b2b91769e..1a5544982 100755 --- a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -BEATS_VER="7.5.1" +BEATS_VER="7.6.2" BEATS_OSS="-oss" BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" diff --git a/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot b/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot index 9f02a6be0..ab545bd53 100755 --- a/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # clone STIG-4-Debian and harbian-audit and clean up some stuff we don't need mkdir -p /opt diff --git a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 936d054c7..42a615b15 100755 --- a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -1,7 +1,7 @@ #!/bin/bash # remove development packages -apt-get -y --purge remove checkinstall $(dpkg --get-selections | grep -v deinstall$ | cut -f1 | grep -P -- '-dev(:\w+)?$') || true +apt-get -y --purge remove build-essential $(dpkg --get-selections | grep -v deinstall$ | cut -f1 | grep -P -- '-dev(:\w+)?$' | grep -Pv -- '^(dpkg|libgcc)') || true # remove unwanted packages apt-get -y --purge remove bluez-firmware \ @@ -10,7 +10,6 @@ apt-get -y --purge remove bluez-firmware \ enchant \ ffmpeg \ gnome-accessibility-themes \ - gnome-user-guide \ gucharmap \ libasound2-plugins \ libcupsfilters1 \ diff --git a/malcolm-iso/config/hooks/normal/0998-localepurge.hook.chroot b/malcolm-iso/config/hooks/normal/0998-localepurge.hook.chroot index 37680b216..48e8ea2e3 100755 --- a/malcolm-iso/config/hooks/normal/0998-localepurge.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0998-localepurge.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # remove excess locales if [ -f /etc/localepurge-preseed.cfg ] ; then diff --git a/malcolm-iso/config/includes.binary/boot/grub/grub.cfg b/malcolm-iso/config/includes.binary/boot/grub/grub.cfg index 299529456..37131c27c 100644 --- a/malcolm-iso/config/includes.binary/boot/grub/grub.cfg +++ b/malcolm-iso/config/includes.binary/boot/grub/grub.cfg @@ -39,6 +39,11 @@ menuentry "Install Malcolm Base (advanced configuration)" { initrd /install/initrd.gz } +menuentry "Install Malcolm Base (virtual machine single partition quick install)" { + linux /install/vmlinuz auto=true priority=high vga=normal locales=en_US.UTF-8 keyboard-layouts=us preseed/file=/cdrom/install/preseed_vmware.cfg + initrd /install/initrd.gz +} + menuentry "Rescue system in text mode" { linux /install/vmlinuz rescue/enable=true vga=normal initrd /install/initrd.gz diff --git a/malcolm-iso/config/includes.binary/install/preseed.cfg b/malcolm-iso/config/includes.binary/install/preseed.cfg index 9d0092775..d1a4a66a7 100644 --- a/malcolm-iso/config/includes.binary/install/preseed.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. d-i debian-installer/locale string en_US.UTF-8 d-i console-setup/ask_detect boolean false diff --git a/malcolm-iso/config/includes.binary/install/preseed_base.cfg b/malcolm-iso/config/includes.binary/install/preseed_base.cfg index feef22f77..411f8bac2 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_base.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_base.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. d-i hw-detect/load_firmware boolean true d-i clock-setup/utc boolean true @@ -18,7 +18,7 @@ d-i localepurge/remove_no note # d-i passwd/username string analyst # d-i passwd/user-fullname string analyst -d-i passwd/user-default-groups string audio cdrom video netdev plugdev docker +d-i passwd/user-default-groups string audio cdrom video netdev plugdev docker vboxsf d-i passwd/root-login boolean true # crypted passwords via: mkpasswd -m sha-512 -S $(pwgen -ns 16 1) @@ -34,6 +34,8 @@ d-i preseed/late_command string \ echo 'deb http://security.debian.org/debian-security buster/updates main contrib non-free' >> /target/etc/apt/sources.list; \ echo 'deb http://deb.debian.org/debian buster-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target bash /usr/local/bin/agg-init.sh; \ + in-target bash -c "(dmidecode -s system-product-name | grep -q VMware) || apt-get purge -y open-vm-tools-desktop"; \ + in-target bash -c "(dmidecode -s system-product-name | grep -q VirtualBox) || apt-get purge -y virtualbox-guest*"; \ in-target sed -r -i 's@(^.+\s+/(tmp|var/tmp)\s+ext4\s+.*defaults)@\1,nosuid,nodev,noexec@g' /etc/fstab; \ in-target sed -r -i 's@(^.+/media/cdrom[0-9]*.+)(noauto)(.*)@\1\2,nosuid,nodev,noexec\3@g' /etc/fstab; \ in-target sed -r -i 's@(^.+\s+/(home)\s+ext4\s+.*defaults)@\1,nosuid,nodev@g' /etc/fstab; \ diff --git a/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg b/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg new file mode 100644 index 000000000..ced2fc714 --- /dev/null +++ b/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg @@ -0,0 +1,91 @@ +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +d-i debian-installer/locale string en_US.UTF-8 +d-i console-setup/ask_detect boolean false +d-i keyboard-configuration/xkb-keymap skip-config +d-i keyboard-configuration/layout string "American English" + +d-i preseed/include string preseed_base.cfg + +################################################################################################### +# install root filesystem on smallest non-USB disk + +d-i partman/early_command string \ + ROOT_DISK=$(parted_devices | egrep "^($(find /sys/block -mindepth 1 -maxdepth 1 -type l \( -name '[hs]d*' -o -name 'nvme*' \) -exec ls -l '{}' ';' | grep -v "usb" | sed 's@^.*\([hs]d[a-z]\+\|nvme[0-9]\+\).*$@/dev/\1@' | sed -e :a -e '$!N; s/\n/|/; ta'))" | sort -k2n | head -1 | cut -f1); \ + pvremove -ff -y "$ROOT_DISK"*; \ + debconf-set partman-auto/disk "$ROOT_DISK"; \ + debconf-set grub-installer/bootdev "$ROOT_DISK"; \ + sed -i.bak 's/-f $id\/skip_erase/-d $id/g' /lib/partman/lib/crypto-base.sh; + +d-i grub-installer/only_debian boolean true +d-i grub-installer/with_other_os boolean true + +d-i partman-auto/method string lvm +d-i partman-auto-lvm/new_vg_name string main +d-i partman-auto-lvm/guided_size string max + +d-i partman-lvm/device_remove_lvm boolean true +d-i partman-lvm/confirm boolean true +d-i partman-lvm/confirm_nooverwrite boolean true + +d-i partman-md/device_remove_md boolean true +d-i partman-md/confirm boolean true +d-i partman-md/confirm_nooverwrite boolean true + +d-i partman-partitioning/confirm_write_new_label boolean true +d-i partman/choose_partition select finish +d-i partman/confirm boolean true +d-i partman/confirm_nooverwrite boolean true +d-i partman-basicmethods/method_only boolean false +d-i partman-efi/non_efi_system boolean true + +d-i partman-basicfilesystems/choose_label string gpt +d-i partman-basicfilesystems/default_label string gpt +d-i partman-partitioning/choose_label string gpt +d-i partman-partitioning/default_label string gpt +d-i partman/choose_label string gpt +d-i partman/default_label string gpt + +d-i partman/mount_style select uuid + +d-i partman-auto/choose_recipe select custom +d-i partman-auto/expert_recipe string \ + custom :: \ + 1 1 1 free \ + $bios_boot{ } \ + method{ biosgrub } \ + . \ + 256 256 256 fat32 \ + $primary{ } \ + $iflabel{ gpt } \ + $reusemethod{ } \ + method{ efi } format{ } \ + mountpoint{ /boot/efi } \ + . \ + 1024 1024 1024 ext4 \ + $primary{ } \ + $bootable{ } \ + method{ format } \ + format{ } \ + use_filesystem{ } \ + filesystem{ ext4 } \ + mountpoint{ /boot } \ + . \ + 150% 150% 150% linux-swap \ + $defaultignore{ } \ + $lvmok{ } \ + in_vg { main } lv_name{ swap } \ + method{ swap } \ + format{ } \ + . \ + 12000 16000 1000000000 ext4 \ + $defaultignore{ } \ + $lvmok{ } \ + in_vg { main } lv_name{ root } \ + method{ format } \ + format{ } \ + use_filesystem{ } \ + filesystem{ ext4 } \ + mountpoint{ / } \ + . +################################################################################################### diff --git a/malcolm-iso/config/includes.chroot/etc/live/config.conf b/malcolm-iso/config/includes.chroot/etc/live/config.conf index 14d9e9b90..5400a4626 100644 --- a/malcolm-iso/config/includes.chroot/etc/live/config.conf +++ b/malcolm-iso/config/includes.chroot/etc/live/config.conf @@ -2,5 +2,5 @@ LIVE_LOCALES="en_US.UTF-8" LIVE_HOSTNAME="malcolm-live" LIVE_USERNAME="analyst" LIVE_USER_FULLNAME="Malcolm Live Analyst" -LIVE_USER_DEFAULT_GROUPS="adm audio cdrom disk docker netdev plugdev sudo video" +LIVE_USER_DEFAULT_GROUPS="adm audio cdrom disk docker netdev plugdev sudo video vboxsf" diff --git a/malcolm-iso/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm b/malcolm-iso/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm index 919da157b..81c06872e 100644 --- a/malcolm-iso/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm +++ b/malcolm-iso/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm @@ -62,6 +62,9 @@ Plugin { Button { id=malcolm-upload.desktop } + Button { + id=malcolm-mapping.desktop + } Button { id=malcolm-users.desktop } diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-logs.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-logs.desktop index bf6244f9b..41e731b98 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-logs.desktop +++ b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-logs.desktop @@ -1,7 +1,7 @@ #!/usr/bin/env xdg-open [Desktop Entry] Name=Malcolm Debug Logs -Exec=lxterminal --command=/bin/bash\ -l\ -c\ ~/Malcolm/scripts/logs.sh +Exec=lxterminal --command=/bin/bash\ -l\ -c\ "/usr/bin/python3\ ~/Malcolm/scripts/control.py\ --logs" Comment=Monitor the debug output of Malcolm containers Terminal=false Type=Application diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-mapping.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-mapping.desktop new file mode 100644 index 000000000..fd8e27ff3 --- /dev/null +++ b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-mapping.desktop @@ -0,0 +1,11 @@ +[Desktop Entry] +Version=1.0 +Name=Malcolm - Host and Subnet Name Mapping +Exec=/usr/bin/chromium https://localhost/name-map-ui/ +Terminal=false +X-MultipleArgs=false +Type=Application +Icon=server.png +Categories=Network; +StartupWMClass=chromium +StartupNotify=true diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-restart.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-restart.desktop index 52974d132..1329aa8ae 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-restart.desktop +++ b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-restart.desktop @@ -1,7 +1,7 @@ #!/usr/bin/env xdg-open [Desktop Entry] Name=Restart Malcolm -Exec=lxterminal --command=/bin/bash\ -l\ -c\ ~/Malcolm/scripts/restart.sh +Exec=lxterminal --command=/bin/bash\ -l\ -c\ "/usr/bin/python3\ ~/Malcolm/scripts/control.py\ --restart" Comment=Restart Malcolm Terminal=false Type=Application diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-start.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-start.desktop index 3e1d6cac0..c4a3861a0 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-start.desktop +++ b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-start.desktop @@ -1,7 +1,7 @@ #!/usr/bin/env xdg-open [Desktop Entry] Name=Start Malcolm -Exec=lxterminal --command=/bin/bash\ -l\ -c\ ~/Malcolm/scripts/start.sh +Exec=lxterminal --command=/bin/bash\ -l\ -c\ "/usr/bin/python3\ ~/Malcolm/scripts/control.py\ --start" Comment=Start Malcolm Terminal=false Type=Application diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-stop.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-stop.desktop index 96aaa9aed..16d8b0560 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-stop.desktop +++ b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-stop.desktop @@ -1,7 +1,7 @@ #!/usr/bin/env xdg-open [Desktop Entry] Name=Stop Malcolm -Exec=lxterminal --command=/bin/bash\ -l\ -c\ ~/Malcolm/scripts/stop.sh +Exec=lxterminal --command=/bin/bash\ -l\ -c\ "/usr/bin/python3\ ~/Malcolm/scripts/control.py\ --stop" Comment=Stop Malcolm Terminal=false Type=Application diff --git a/malcolm-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json b/malcolm-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json index dc292c4e9..1bb9304f7 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json +++ b/malcolm-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "072befc0-ffba-11e8-a854-ad7782ef6a55", diff --git a/malcolm-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json b/malcolm-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json index d2afbf94f..ba4da7d03 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json +++ b/malcolm-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "1ca59220-ffb0-11e8-a854-ad7782ef6a55", diff --git a/malcolm-iso/config/package-lists/desktopmanager.list.chroot b/malcolm-iso/config/package-lists/desktopmanager.list.chroot index b723e3c11..7a1dc55c2 100644 --- a/malcolm-iso/config/package-lists/desktopmanager.list.chroot +++ b/malcolm-iso/config/package-lists/desktopmanager.list.chroot @@ -1,10 +1,12 @@ arandr dconf-cli -fonts-noto-color-emoji +fonts-symbola +libnotify-bin lightdm lxde lxpanel lxsession +open-vm-tools-desktop x11-apps x11-session-utils x11-xfs-utils @@ -13,5 +15,6 @@ xinit xorg xscreensaver xserver-xorg +xserver-xorg-core xserver-xorg-video-qxl xserver-xorg-video-vmware diff --git a/malcolm-iso/config/package-lists/system.list.chroot b/malcolm-iso/config/package-lists/system.list.chroot index 8de13da7c..d66ceecfc 100644 --- a/malcolm-iso/config/package-lists/system.list.chroot +++ b/malcolm-iso/config/package-lists/system.list.chroot @@ -26,6 +26,7 @@ cryptsetup-bin curl debsums dialog +dmidecode dosfstools ebtables efibootmgr diff --git a/malcolm-iso/vagrant/Vagrantfile b/malcolm-iso/vagrant/Vagrantfile index d6a3962d8..5151aed27 100644 --- a/malcolm-iso/vagrant/Vagrantfile +++ b/malcolm-iso/vagrant/Vagrantfile @@ -1,7 +1,16 @@ +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + unless Vagrant.has_plugin?("vagrant-reload") raise 'vagrant-reload plugin is not installed!' end +# hack: https://github.com/hashicorp/vagrant/issues/8878#issuecomment-345112810 +class VagrantPlugins::ProviderVirtualBox::Action::Network + def dhcp_server_matches_config?(dhcp_server, config) + true + end +end + Vagrant.configure("2") do |config| config.vm.box = "bento/debian-10" @@ -16,7 +25,7 @@ Vagrant.configure("2") do |config| end config.vm.provider "virtualbox" do |vb| - vb.memory = "4096" + vb.memory = "8192" vb.cpus = 4 end @@ -25,6 +34,8 @@ Vagrant.configure("2") do |config| apt-get update apt-get dist-upgrade -y sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list + echo "deb http://httpredir.debian.org/debian/ buster-backports main contrib non-free" >> /etc/apt/sources.list + echo "deb-src http://httpredir.debian.org/debian/ buster-backports main contrib non-free" >> /etc/apt/sources.list apt-get update export KERNEL_VERSION=$(apt-cache search linux-image-4 | grep -Pv -- '(-(rt|cloud)-amd64|amd64-(dbg|unsigned))' | sort -r --sort=version | awk '{print $1}' | head -n 1 | sed 's/^linux-image-//' | sed 's/-amd64$//') apt-get install -y \ @@ -38,6 +49,12 @@ Vagrant.configure("2") do |config| export DEBIAN_FRONTEND=noninteractive apt-get update apt-get install -y \ - rsync git live-build debootstrap xorriso squashfs-tools genisoimage pandoc imagemagick + rsync git live-build debootstrap xorriso squashfs-tools genisoimage pandoc imagemagick \ + apt-transport-https ca-certificates curl gnupg2 software-properties-common + curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" + apt-get update + sudo apt-get install -y docker-ce docker-ce-cli containerd.io + usermod -a -G docker vagrant STEP2 end diff --git a/moloch/etc/config.ini b/moloch/etc/config.ini index 0daa3b34d..2f3c0c9c5 100644 --- a/moloch/etc/config.ini +++ b/moloch/etc/config.ini @@ -12,9 +12,9 @@ httpRealm=Moloch interface=eth0 wiseHost=127.0.0.1 wisePort=8081 -pcapDir=/data/moloch/raw +pcapDir=/data/pcap/processed readTruncatedPackets=true -maxFileSizeG=12 +maxFileSizeG=1 tcpTimeout=600 tcpSaveTimeout=720 udpTimeout=30 diff --git a/moloch/moloch_regression_test_harness/Dockerfiles/moloch.Dockerfile b/moloch/moloch_regression_test_harness/Dockerfiles/moloch.Dockerfile new file mode 100644 index 000000000..c5bdbcdfd --- /dev/null +++ b/moloch/moloch_regression_test_harness/Dockerfiles/moloch.Dockerfile @@ -0,0 +1,72 @@ +FROM debian:buster-slim AS build + +ENV DEBIAN_FRONTEND noninteractive + +ENV GITHUB_URL "https://github.com/mmguero-dev/moloch/" +ENV GITHUB_BRANCH "topic/netdiff_2.2.3" +ENV MOLOCHDIR "/data/moloch" +ENV MOLOCHUSER "moloch" + +USER root + +RUN apt-get -q update && \ + apt-get install -q -y --no-install-recommends \ + binutils \ + bison \ + cmake \ + curl \ + file \ + flex \ + g++ \ + gcc \ + gettext \ + git \ + groff \ + groff-base \ + libcap-dev \ + libjson-perl \ + libkrb5-dev \ + libmaxminddb-dev \ + libpcap0.8-dev \ + libssl-dev \ + libtool \ + libwww-perl \ + libyaml-dev \ + make \ + patch \ + python \ + python-dev \ + rename \ + sudo \ + swig \ + vim-tiny \ + wget \ + zlib1g-dev + +RUN mkdir /data && \ + groupadd --gid 1000 $MOLOCHUSER && \ + useradd -M --uid 1000 --gid 1000 --home $MOLOCHDIR --no-create-home $MOLOCHUSER && \ + chown -R $MOLOCHUSER:$MOLOCHUSER /data && \ + usermod -aG sudo $MOLOCHUSER && \ + sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \ + sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' + +USER $MOLOCHUSER + +RUN git clone --recursive --depth=1 --single-branch -b "$GITHUB_BRANCH" "$GITHUB_URL" "$MOLOCHDIR" && \ + cd "$MOLOCHDIR" && \ + bash -c 'for i in /data/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \ + export PATH="$MOLOCHDIR/bin:${PATH}" && \ + sudo ln -sfr $MOLOCHDIR/bin/npm /usr/local/bin/npm && \ + sudo ln -sfr $MOLOCHDIR/bin/node /usr/local/bin/node && \ + sudo ln -sfr $MOLOCHDIR/bin/npx /usr/local/bin/npx && \ + ./easybutton-build.sh && \ + (make check || true) + +ENV PATH="/data:$MOLOCHDIR/bin:${PATH}" + +EXPOSE 8000 8005 8081 + +WORKDIR $MOLOCHDIR/tests + +CMD bash diff --git a/moloch/moloch_regression_test_harness/docker-compose.yml b/moloch/moloch_regression_test_harness/docker-compose.yml new file mode 100644 index 000000000..3e1372328 --- /dev/null +++ b/moloch/moloch_regression_test_harness/docker-compose.yml @@ -0,0 +1,47 @@ +version: '3.7' + +services: + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.6.2 + restart: "no" + environment: + logger.level : 'INFO' + bootstrap.memory_lock : 'true' + ES_JAVA_OPTS : '-Xms4g -Xmx4g -Xss256k -Djava.security.egd=file:/dev/./urandom' + discovery.type : 'single-node' + # cluster.initial_master_nodes : 'elasticsearch' + cluster.routing.allocation.disk.threshold_enabled : 'false' + cluster.routing.allocation.node_initial_primaries_recoveries : 8 + expose: + - 9200 + ulimits: + memlock: + soft: -1 + hard: -1 + cap_add: + - IPC_LOCK + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:9200"] + interval: 30s + timeout: 15s + retries: 3 + start_period: 30s + network_mode: host + moloch: + build: + context: . + dockerfile: Dockerfiles/moloch.Dockerfile + image: molochtest:latest + restart: "no" + ulimits: + memlock: + soft: -1 + hard: -1 + depends_on: + - elasticsearch + expose: + - 8000 + - 8005 + - 8081 + network_mode: host + command: tail -F /dev/null diff --git a/moloch/patch/remove_upload.patch b/moloch/patch/remove_upload.patch new file mode 100644 index 000000000..8eb19d01d --- /dev/null +++ b/moloch/patch/remove_upload.patch @@ -0,0 +1,24 @@ +diff --git a/viewer/vueapp/src/router/index.js b/viewer/vueapp/src/router/index.js +index 02494926..a3c974f9 100644 +--- a/viewer/vueapp/src/router/index.js ++++ b/viewer/vueapp/src/router/index.js +@@ -11,7 +11,6 @@ import Spiview from '@/components/spiview/Spiview'; + import Spigraph from '@/components/spigraph/Spigraph'; + import Connections from '@/components/connections/Connections'; + import Settings from '@/components/settings/Settings'; +-import Upload from '@/components/upload/Upload'; + import Hunt from '@/components/hunt/Hunt'; + import Moloch404 from '@/components/utils/404'; + +@@ -86,11 +85,6 @@ const router = new Router({ + name: 'Settings', + component: Settings + }, +- { +- path: '/upload', +- name: 'Upload', +- component: Upload +- }, + { + path: '/hunt', + name: 'Hunt', diff --git a/moloch/scripts/initmoloch.sh b/moloch/scripts/initmoloch.sh index 28914ca78..f5af90edc 100755 --- a/moloch/scripts/initmoloch.sh +++ b/moloch/scripts/initmoloch.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. rm -f $MOLOCHDIR/initialized $MOLOCHDIR/runwise diff --git a/moloch/scripts/moloch-needs-upgrade.sh b/moloch/scripts/moloch-needs-upgrade.sh index f79f0a3f7..d61d13497 100755 --- a/moloch/scripts/moloch-needs-upgrade.sh +++ b/moloch/scripts/moloch-needs-upgrade.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # this script returns: # 0 - an UPGRADE IS NEEDED for Moloch indices diff --git a/moloch/scripts/moloch_update_geo.sh b/moloch/scripts/moloch_update_geo.sh index a195e9303..309ebc74d 100755 --- a/moloch/scripts/moloch_update_geo.sh +++ b/moloch/scripts/moloch_update_geo.sh @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. cd "/data/moloch/etc" diff --git a/moloch/scripts/viewer_service.sh b/moloch/scripts/viewer_service.sh index da6f19c3a..eea39a825 100755 --- a/moloch/scripts/viewer_service.sh +++ b/moloch/scripts/viewer_service.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. while true; do diff --git a/moloch/scripts/wipemoloch.sh b/moloch/scripts/wipemoloch.sh index b1b0fec69..91d8fd94c 100755 --- a/moloch/scripts/wipemoloch.sh +++ b/moloch/scripts/wipemoloch.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. echo "Checking Elasticsearch..." diff --git a/moloch/scripts/wise_service.sh b/moloch/scripts/wise_service.sh index 86d9d6fcd..ef4380dd4 100755 --- a/moloch/scripts/wise_service.sh +++ b/moloch/scripts/wise_service.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. while true; do diff --git a/moloch/supervisord.conf b/moloch/supervisord.conf index 2cd500ae0..adccd3b80 100644 --- a/moloch/supervisord.conf +++ b/moloch/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) diff --git a/moloch/wise/source.zeeklogs.js b/moloch/wise/source.zeeklogs.js index 9b4e48255..ab7d12bcd 100755 --- a/moloch/wise/source.zeeklogs.js +++ b/moloch/wise/source.zeeklogs.js @@ -10,7 +10,7 @@ var wiseSource = require('./wiseSource.js') // Data may be populated with Malcolm's Zeek Logstash filters: // (particularly https://raw.githubusercontent.com/idaholab/Malcolm/master/logstash/pipeline-main/11_zeek_logs.conf) // -// Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +// Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. // see https://raw.githubusercontent.com/idaholab/Malcolm/master/License.txt ////////////////////////////////////////////////////////////////////////////////// function ZeekLogs (api, section) { @@ -46,7 +46,12 @@ function ZeekLogs (api, section) { this.destination_geo_countryField = this.api.addField("field:zeek.destination_geo.country_name;db:zeek.destination_geo.country_name;kind:termfield;friendly:Responding GeoIP Country;help:Responding GeoIP Country"); this.protoField = this.api.addField("field:zeek.proto;db:zeek.proto;kind:lotermfield;friendly:Protocol;help:Protocol"); this.serviceField = this.api.addField("field:zeek.service;db:zeek.service;kind:termfield;friendly:Service;help:Service"); + this.service_versionField = this.api.addField("field:zeek.service_version;db:zeek.service_version;kind:termfield;friendly:Service Version;help:Service Version"); + this.actionField = this.api.addField("field:zeek.action;db:zeek.action;kind:termfield;friendly:Action;help:Action"); this.userField = this.api.addField("field:zeek.user;db:zeek.user;kind:termfield;friendly:User;help:User"); + this.passwordField = this.api.addField("field:zeek.password;db:zeek.password;kind:termfield;friendly:Password;help:Password"); + this.freq_score_v1 = this.api.addField("field:zeek.freq_score_v1;db:zeek_dns.freq_score_v1;kind:termfield;friendly:Freq Score v1;help:Freq Score v1"); + this.freq_score_v2 = this.api.addField("field:zeek.freq_score_v2;db:zeek_dns.freq_score_v2;kind:termfield;friendly:Freq Score v2;help:Freq Score v2"); // file information this.fuidField = this.api.addField("field:zeek.fuid;db:zeek.fuid;kind:termfield;friendly:File ID;help:File ID"); @@ -162,7 +167,6 @@ function ZeekLogs (api, section) { // files.log // https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info - this.files_fuidField = this.api.addField("field:zeek_files.fuid;db:zeek_files.fuid;kind:termfield;friendly:File ID;help:File ID"); this.files_tx_hostsField = this.api.addField("field:zeek_files.tx_hosts;db:zeek_files.tx_hosts;kind:termfield;friendly:Transmitter;help:Transmitter"); this.files_rx_hostsField = this.api.addField("field:zeek_files.rx_hosts;db:zeek_files.rx_hosts;kind:termfield;friendly:Receiver;help:Receiver"); this.files_conn_uidsField = this.api.addField("field:zeek_files.conn_uids;db:zeek_files.conn_uids;kind:termfield;friendly:Connection ID;help:Connection ID"); @@ -189,7 +193,6 @@ function ZeekLogs (api, section) { // ftp.log // https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info - this.ftp_passwordField = this.api.addField("field:zeek_ftp.password;db:zeek_ftp.password;kind:termfield;friendly:Password;help:Password"); this.ftp_commandField = this.api.addField("field:zeek_ftp.command;db:zeek_ftp.command;kind:termfield;friendly:Command;help:Command"); this.ftp_argField = this.api.addField("field:zeek_ftp.arg;db:zeek_ftp.arg;kind:termfield;friendly:Argument;help:Argument"); this.ftp_mime_typeField = this.api.addField("field:zeek_ftp.mime_type;db:zeek_ftp.mime_type;kind:termfield;friendly:File Magic;help:File Magic"); @@ -200,7 +203,6 @@ function ZeekLogs (api, section) { this.ftp_data_channel_orig_hField = this.api.addField("field:zeek_ftp.data_channel_orig_h;db:zeek_ftp.data_channel_orig_h;kind:termfield;friendly:Data Originating Host;help:Data Originating Host"); this.ftp_data_channel_resp_hField = this.api.addField("field:zeek_ftp.data_channel_resp_h;db:zeek_ftp.data_channel_resp_h;kind:termfield;friendly:Data Responding Host;help:Data Responding Host"); this.ftp_data_channel_resp_pField = this.api.addField("field:zeek_ftp.data_channel_resp_p;db:zeek_ftp.data_channel_resp_p;kind:integer;friendly:Data Responding Port;help:Data Responding Port"); - this.ftp_fuidField = this.api.addField("field:zeek_ftp.fuid;db:zeek_ftp.fuid;kind:termfield;friendly:File ID;help:File ID"); // gquic.log // https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro @@ -228,8 +230,6 @@ function ZeekLogs (api, section) { this.http_info_codeField = this.api.addField("field:zeek_http.info_code;db:zeek_http.info_code;kind:integer;friendly:Informational Code;help:Informational Code"); this.http_info_msgField = this.api.addField("field:zeek_http.info_msg;db:zeek_http.info_msg;kind:termfield;friendly:Informational Message;help:Informational Message"); this.http_tagsField = this.api.addField("field:zeek_http.tags;db:zeek_http.tags;kind:termfield;friendly:HTTP Tag;help:HTTP Tag"); - this.http_userField = this.api.addField("field:zeek_http.user;db:zeek_http.user;kind:termfield;friendly:User;help:User"); - this.http_passwordField = this.api.addField("field:zeek_http.password;db:zeek_http.password;kind:termfield;friendly:Password;help:Password"); this.http_proxiedField = this.api.addField("field:zeek_http.proxied;db:zeek_http.proxied;kind:termfield;friendly:Proxy Header;help:Proxy Header"); this.http_orig_fuidsField = this.api.addField("field:zeek_http.orig_fuids;db:zeek_http.orig_fuids;kind:termfield;friendly:Originating File ID;help:Originating File ID"); this.http_orig_filenamesField = this.api.addField("field:zeek_http.orig_filenames;db:zeek_http.orig_filenames;kind:termfield;friendly:Originating Filename;help:Originating Filename"); @@ -246,7 +246,6 @@ function ZeekLogs (api, section) { this.intel_seen_nodeField = this.api.addField("field:zeek_intel.seen_node;db:zeek_intel.seen_node;kind:termfield;friendly:Discovered Node;help:Discovered Node"); this.intel_matchedField = this.api.addField("field:zeek_intel.matched;db:zeek_intel.matched;kind:termfield;friendly:Match Indicator;help:Match Indicator"); this.intel_sourcesField = this.api.addField("field:zeek_intel.sources;db:zeek_intel.sources;kind:termfield;friendly:Match Source;help:Match Source"); - this.intel_fuidField = this.api.addField("field:zeek_intel.fuid;db:zeek_intel.fuid;kind:termfield;friendly:File ID;help:File ID"); this.intel_mimetypeField = this.api.addField("field:zeek_intel.mimetype;db:zeek_intel.mimetype;kind:termfield;friendly:File Magic;help:File Magic"); this.intel_file_descriptionField = this.api.addField("field:zeek_intel.file_description;db:zeek_intel.file_description;kind:termfield;friendly:File Description;help:File Description"); @@ -259,7 +258,6 @@ function ZeekLogs (api, section) { this.irc_dcc_file_nameField = this.api.addField("field:zeek_irc.dcc_file_name;db:zeek_irc.dcc_file_name;kind:termfield;friendly:DCC Filename;help:DCC Filename"); this.irc_dcc_file_sizeField = this.api.addField("field:zeek_irc.dcc_file_size;db:zeek_irc.dcc_file_size;kind:integer;friendly:DCC File Size;help:DCC File Size"); this.irc_dcc_mime_typeField = this.api.addField("field:zeek_irc.dcc_mime_type;db:zeek_irc.dcc_mime_type;kind:termfield;friendly:DCC File Magic;help:DCC File Magic"); - this.irc_fuidField = this.api.addField("field:zeek_irc.fuid;db:zeek_irc.fuid;kind:termfield;friendly:File ID;help:File ID"); // iso_cotp.log // https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek @@ -350,10 +348,11 @@ function ZeekLogs (api, section) { // notice.log // https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info - this.notice_fuidField = this.api.addField("field:zeek_notice.fuid;db:zeek_notice.fuid;kind:termfield;friendly:File ID;help:File ID"); this.notice_file_mime_typeField = this.api.addField("field:zeek_notice.file_mime_type;db:zeek_notice.file_mime_type;kind:termfield;friendly:File Magic;help:File Magic"); this.notice_file_descField = this.api.addField("field:zeek_notice.file_desc;db:zeek_notice.file_desc;kind:termfield;friendly:File Description;help:File Description"); this.notice_noteField = this.api.addField("field:zeek_notice.note;db:zeek_notice.note;kind:termfield;friendly:Notice Type;help:Notice Type"); + this.notice_categoryField = this.api.addField("field:zeek_notice.category;db:zeek_notice.category;kind:termfield;friendly:Category;help:Category"); + this.notice_sub_categoryField = this.api.addField("field:zeek_notice.sub_category;db:zeek_notice.sub_category;kind:termfield;friendly:Subcategory;help:Subcategory"); this.notice_msgField = this.api.addField("field:zeek_notice.msg;db:zeek_notice.msg;kind:termfield;friendly:Message;help:Message"); this.notice_subField = this.api.addField("field:zeek_notice.sub;db:zeek_notice.sub;kind:termfield;friendly:Submessage;help:Submessage"); this.notice_srcField = this.api.addField("field:zeek_notice.src;db:zeek_notice.src;kind:termfield;friendly:Notice Source;help:Notice Source"); @@ -399,7 +398,6 @@ function ZeekLogs (api, section) { // pe.log // https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info - this.pe_fuidField = this.api.addField("field:zeek_pe.fuid;db:zeek_pe.fuid;kind:termfield;friendly:File ID;help:File ID"); this.pe_machineField = this.api.addField("field:zeek_pe.machine;db:zeek_pe.machine;kind:termfield;friendly:Target Machine;help:Target Machine"); this.pe_compile_tsField = this.api.addField("field:zeek_pe.compile_ts;db:zeek_pe.compile_ts;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp"); this.pe_osField = this.api.addField("field:zeek_pe.os;db:zeek_pe.os;kind:termfield;friendly:Target OS;help:Target Operating System"); @@ -522,10 +520,21 @@ function ZeekLogs (api, section) { this.sip_request_body_lenField = this.api.addField("field:zeek_sip.request_body_len;db:zeek_sip.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length"); this.sip_response_body_lenField = this.api.addField("field:zeek_sip.response_body_len;db:zeek_sip.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length"); this.sip_content_typeField = this.api.addField("field:zeek_sip.content_type;db:zeek_sip.content_type;kind:termfield;friendly:Content Type Header;help:Content Type Header"); + this.sip_versionField = this.api.addField("field:zeek_sip.version;db:zeek_sip.version;kind:termfield;friendly:Version;help:Version"); + + // smb_cmd.log + // https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo + this.smb_cmd_commandField = this.api.addField("field:zeek_smb_cmd.command;db:zeek_smb_cmd.command;kind:termfield;friendly:Command;help:Command"); + this.smb_cmd_sub_commandField = this.api.addField("field:zeek_smb_cmd.sub_command;db:zeek_smb_cmd.sub_command;kind:termfield;friendly:Subcommand;help:Subcommand"); + this.smb_cmd_argumentField = this.api.addField("field:zeek_smb_cmd.argument;db:zeek_smb_cmd.argument;kind:termfield;friendly:Argument;help:Argument"); + this.smb_cmd_statusField = this.api.addField("field:zeek_smb_cmd.status;db:zeek_smb_cmd.status;kind:termfield;friendly:Status;help:Status"); + this.smb_cmd_rttField = this.api.addField("field:zeek_smb_cmd.rtt;db:zeek_smb_cmd.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time"); + this.smb_cmd_versionField = this.api.addField("field:zeek_smb_cmd.version;db:zeek_smb_cmd.version;kind:termfield;friendly:Version;help:Version"); + this.smb_cmd_treeField = this.api.addField("field:zeek_smb_cmd.tree;db:zeek_smb_cmd.tree;kind:termfield;friendly:Tree;help:Tree"); + this.smb_cmd_tree_serviceField = this.api.addField("field:zeek_smb_cmd.tree_service;db:zeek_smb_cmd.tree_service;kind:termfield;friendly:Tree Service;help:Tree Service"); // smb_files.log // https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo - this.smb_files_fuidField = this.api.addField("field:zeek_smb_files.fuid;db:zeek_smb_files.fuid;kind:termfield;friendly:File ID;help:File ID"); this.smb_files_actionField = this.api.addField("field:zeek_smb_files.action;db:zeek_smb_files.action;kind:termfield;friendly:Action;help:Action"); this.smb_files_pathField = this.api.addField("field:zeek_smb_files.path;db:zeek_smb_files.path;kind:termfield;friendly:File Path;help:File Path"); this.smb_files_nameField = this.api.addField("field:zeek_smb_files.name;db:zeek_smb_files.name;kind:termfield;friendly:File Name;help:File Name"); @@ -567,7 +576,6 @@ function ZeekLogs (api, section) { this.smtp_pathField = this.api.addField("field:zeek_smtp.path;db:zeek_smtp.path;kind:termfield;friendly:Tranmission Path;help:Tranmission Path"); this.smtp_user_agentField = this.api.addField("field:zeek_smtp.user_agent;db:zeek_smtp.user_agent;kind:termfield;friendly:User Agent;help:User Agent"); this.smtp_tlsField = this.api.addField("field:zeek_smtp.tls;db:zeek_smtp.tls;kind:termfield;friendly:TLS;help:TLS"); - this.smtp_fuidsField = this.api.addField("field:zeek_smtp.fuids;db:zeek_smtp.fuids;kind:termfield;friendly:File ID;help:File ID"); this.smtp_is_webmailField = this.api.addField("field:zeek_smtp.is_webmail;db:zeek_smtp.is_webmail;kind:termfield;friendly:Is Webmail;help:Is Webmail"); // snmp.log @@ -585,7 +593,6 @@ function ZeekLogs (api, section) { // socks.log // https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info this.socks_versionField = this.api.addField("field:zeek_socks.version;db:zeek_socks.version;kind:integer;friendly:Version;help:Version"); - this.socks_passwordField = this.api.addField("field:zeek_socks.password;db:zeek_socks.password;kind:termfield;friendly:Password;help:Password"); this.socks_server_statusField = this.api.addField("field:zeek_socks.server_status;db:zeek_socks.server_status;kind:termfield;friendly:Server Status;help:Server Status"); this.socks_request_hostField = this.api.addField("field:zeek_socks.request_host;db:zeek_socks.request_host;kind:termfield;friendly:Client Address;help:Client Address"); this.socks_request_nameField = this.api.addField("field:zeek_socks.request_name;db:zeek_socks.request_name;kind:termfield;friendly:Client Name;help:Client Name"); @@ -742,7 +749,6 @@ function ZeekLogs (api, section) { // x509.log // https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info - this.x509_fuidField = this.api.addField("field:zeek_x509.fuid;db:zeek_x509.fuid;kind:termfield;friendly:File ID;help:fuid"); this.x509_certificate_versionField = this.api.addField("field:zeek_x509.certificate_version;db:zeek_x509.certificate_version;kind:integer;friendly:Version;help:Version"); this.x509_certificate_serialField = this.api.addField("field:zeek_x509.certificate_serial;db:zeek_x509.certificate_serial;kind:termfield;friendly:Serial Number;help:Serial Number"); this.x509_certificate_subject_fullField = this.api.addField("field:zeek_x509.certificate_subject_full;db:zeek_x509.certificate_subject_full;kind:termfield;friendly:Subject;help:Subject"); @@ -795,7 +801,7 @@ function ZeekLogs (api, section) { // add right-clicks for pivoting into Kibana from Moloch (see nginx.conf) var filterLabel = "Filter %DBFIELD% in Kibana"; var filterUrl = "idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%"; - var allFieldsStr = "communityId,host.name,ip.protocol,mac.dst,mac.src,node,oui.dst,oui.src,protocols,rootId,tags,zeek.community_id,zeek.destination_geo.city_name,zeek.destination_geo.country_name,zeek.destination_ip_reverse_dns,zeek.filename,zeek.filetype,zeek.fuid,zeek.logType,zeek.orig_h,zeek.orig_hostname,zeek.orig_l2_addr,zeek.orig_l2_oui,zeek.orig_p,zeek.orig_segment,zeek.proto,zeek.resp_h,zeek.resp_hostname,zeek.resp_l2_addr,zeek.resp_l2_oui,zeek.resp_p,zeek.resp_segment,zeek.service,zeek.source_geo.city_name,zeek.source_geo.country_name,zeek.source_ip_reverse_dns,zeek.ts,zeek.uid,zeek.user,zeek_bacnet.apdu_type,zeek_bacnet.bvlc_function,zeek_bacnet.bvlc_len,zeek_bacnet.data,zeek_bacnet.data_dict.date,zeek_bacnet.data_dict.low_limit,zeek_bacnet.data_dict.high_limit,zeek_bacnet.data_dict.object,zeek_bacnet.data_dict.property,zeek_bacnet.data_dict.result,zeek_bacnet.data_dict.time,zeek_bacnet.data_dict.ttl,zeek_bacnet.service_choice,zeek_cip.cip_service,zeek_cip.cip_tags,zeek_cip.status,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.duration,zeek_conn.history,zeek_conn.inner_vlan,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.orig_bytes,zeek_conn.orig_ip_bytes,zeek_conn.orig_pkts,zeek_conn.resp_bytes,zeek_conn.resp_ip_bytes,zeek_conn.resp_pkts,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_dce_rpc.endpoint,zeek_dce_rpc.named_pipe,zeek_dce_rpc.operation,zeek_dce_rpc.rtt,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.mac,zeek_dhcp.trans_id,zeek_dnp3.fc_reply,zeek_dnp3.fc_request,zeek_dnp3.iin,zeek_dns.AA,zeek_dns.answers,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.query,zeek_dns.RA,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.RD,zeek_dns.rejected,zeek_dns.rtt,zeek_dns.TC,zeek_dns.trans_id,zeek_dns.TTLs,zeek_dns.Z,zeek_dpd.failure_reason,zeek_dpd.service,zeek_enip.command,zeek_enip.length,zeek_enip.options,zeek_enip.sender_context,zeek_enip.session_handle,zeek_enip.status,zeek_enip_list_identity.device_ip,zeek_enip_list_identity.device_type,zeek_enip_list_identity.product_code,zeek_enip_list_identity.product_name,zeek_enip_list_identity.revision,zeek_enip_list_identity.serial_number,zeek_enip_list_identity.state,zeek_enip_list_identity.status,zeek_enip_list_identity.vendor,zeek_files.analyzers,zeek_files.conn_uids,zeek_files.depth,zeek_files.duration,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size,zeek_files.filename,zeek_files.fuid,zeek_files.is_orig,zeek_files.local_orig,zeek_files.md5,zeek_files.mime_type,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.parent_fuid,zeek_files.rx_hosts,zeek_files.seen_bytes,zeek_files.sha1,zeek_files.sha256,zeek_files.source,zeek_files.timedout,zeek_files.total_bytes,zeek_files.tx_hosts,zeek_ftp.arg,zeek_ftp.command,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.file_size,zeek_ftp.fuid,zeek_ftp.mime_type,zeek_ftp.password,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_gquic.cyu,zeek_gquic.cyutags,zeek_gquic.server_name,zeek_gquic.tag_count,zeek_gquic.user_agent,zeek_gquic.version,zeek_http.host,zeek_http.info_code,zeek_http.info_msg,zeek_http.method,zeek_http.orig_filenames,zeek_http.orig_fuids,zeek_http.orig_mime_types,zeek_http.origin,zeek_http.password,zeek_http.proxied,zeek_http.referrer,zeek_http.request_body_len,zeek_http.resp_filenames,zeek_http.resp_fuids,zeek_http.resp_mime_types,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.tags,zeek_http.trans_depth,zeek_http.uri,zeek_http.user,zeek_http.user_agent,zeek_http.version,zeek_intel.file_description,zeek_intel.fuid,zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.matched,zeek_intel.mimetype,zeek_intel.seen_node,zeek_intel.seen_where,zeek_intel.sources,zeek_irc.addl,zeek_irc.command,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.fuid,zeek_irc.nick,zeek_irc.value,zeek_iso_cotp.pdu_type,zeek_kerberos.cipher,zeek_kerberos.client_cert_fuid,zeek_kerberos.client_cert_subject,zeek_kerberos.cname,zeek_kerberos.error_msg,zeek_kerberos.forwardable,zeek_kerberos.from,zeek_kerberos.renewable,zeek_kerberos.server_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.till,zeek_known_certs.issuer_subject,zeek_known_certs.serial,zeek_known_certs.subject,zeek_known_modbus.device_type,zeek_ldap.message_id,zeek_ldap.operation,zeek_ldap.value,zeek_ldap.entry,zeek_ldap.result,zeek_ldap.result_code,zeek_ldap.error,zeek_modbus.exception,zeek_modbus.func,modbus_register_change.register,modbus_register_change.old_val,modbus_register_change.new_val,modbus_register_change.delta,zeek_mqtt_connect.client_id,zeek_mqtt_connect.connect_status,zeek_mqtt_connect.proto_name,zeek_mqtt_connect.proto_version,zeek_mqtt_connect.will_payload,zeek_mqtt_connect.will_topic,zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len,zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack,zeek_mysql.arg,zeek_mysql.cmd,zeek_mysql.response,zeek_mysql.rows,zeek_mysql.success,zeek_notice.actions,zeek_notice.dropped,zeek_notice.dst,zeek_notice.file_desc,zeek_notice.file_mime_type,zeek_notice.fuid,zeek_notice.msg,zeek_notice.n,zeek_notice.note,zeek_notice.p,zeek_notice.peer_descr,zeek_notice.remote_location_city,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_country_code,zeek_notice.remote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.remote_location_region,zeek_notice.src,zeek_notice.sub,zeek_notice.suppress_for,zeek_ntlm.domain,zeek_ntlm.host,zeek_ntlm.status,zeek_ntlm.success,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree,zeek_ntp.mode,zeek_ntp.mode_str,zeek_ntp.num_exts,zeek_ntp.org_time,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.rec_time,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.stratum,zeek_ntp.version,zeek_ntp.xmt_time,zeek_pe.compile_ts,zeek_pe.fuid,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.has_export_table,zeek_pe.has_import_table,zeek_pe.is_64bit,zeek_pe.is_exe,zeek_pe.machine,zeek_pe.os,zeek_pe.section_names,zeek_pe.subsystem,zeek_pe.uses_aslr,zeek_pe.uses_code_integrity,zeek_pe.uses_dep,zeek_pe.uses_seh,zeek_profinet.block_version,zeek_profinet.index,zeek_profinet.operation_type,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.operation,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.version,zeek_radius.connect_info,zeek_radius.framed_addr,zeek_radius.mac,zeek_radius.tunnel_client,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.cert_type,zeek_rdp.client_build,zeek_rdp.client_channels,zeek_rdp.client_dig_product_id,zeek_rdp.client_name,zeek_rdp.cookie,zeek_rdp.desktop_height,zeek_rdp.desktop_width,zeek_rdp.encryption_level,zeek_rdp.encryption_method,zeek_rdp.keyboard_layout,zeek_rdp.requested_color_depth,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rfb.auth,zeek_rfb.authentication_method,zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.desktop_name,zeek_rfb.height,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.share_flag,zeek_rfb.width,zeek_s7comm.data_info,zeek_s7comm.item_count,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.rosctr,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.hits,zeek_signatures.host_count,zeek_signatures.note,zeek_signatures.signature_count,zeek_signatures.signature_id,zeek_signatures.sub_message,zeek_sip.call_id,zeek_sip.content_type,zeek_sip.date,zeek_sip.method,zeek_sip.reply_to,zeek_sip.request_body_len,zeek_sip.request_from,zeek_sip.request_path,zeek_sip.request_to,zeek_sip.response_body_len,zeek_sip.response_from,zeek_sip.response_path,zeek_sip.response_to,zeek_sip.seq,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.subject,zeek_sip.trans_depth,zeek_sip.uri,zeek_sip.user_agent,zeek_sip.warning,zeek_smb_files.action,zeek_smb_files.fuid,zeek_smb_files.name,zeek_smb_files.path,zeek_smb_files.prev_name,zeek_smb_files.size,zeek_smb_files.times_accessed,zeek_smb_files.times_changed,zeek_smb_files.data_offset_req,zeek_smb_files.data_len_req,zeek_smb_files.data_len_rsp,zeek_smb_files.times_created,zeek_smb_files.times_modified,zeek_smb_mapping.native_file_system,zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.share_type,zeek_smtp.cc,zeek_smtp.date,zeek_smtp.first_received,zeek_smtp.from,zeek_smtp.fuids,zeek_smtp.helo,zeek_smtp.in_reply_to,zeek_smtp.is_webmail,zeek_smtp.last_reply,zeek_smtp.mailfrom,zeek_smtp.msg_id,zeek_smtp.path,zeek_smtp.rcptto,zeek_smtp.reply_to,zeek_smtp.second_received,zeek_smtp.subject,zeek_smtp.tls,zeek_smtp.to,zeek_smtp.trans_depth,zeek_smtp.user_agent,zeek_smtp.x_originating_ip,zeek_snmp.community,zeek_snmp.display_string,zeek_snmp.duration,zeek_snmp.get_bulk_requests,zeek_snmp.get_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.up_since,zeek_snmp.version,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port,zeek_socks.password,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.server_status,zeek_socks.version,zeek_software.name,zeek_software.software_type,zeek_software.unparsed_version,zeek_software.version_addl,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_ssh.auth_attempts,zeek_ssh.auth_success,zeek_ssh.cipher_alg,zeek_ssh.client,zeek_ssh.compression_alg,zeek_ssh.cshka,zeek_ssh.direction,zeek_ssh.hassh,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServer,zeek_ssh.hasshServerAlgorithms,zeek_ssh.hasshVersion,zeek_ssh.host_key,zeek_ssh.host_key_alg,zeek_ssh.kex_alg,zeek_ssh.mac_alg,zeek_ssh.remote_location_city,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.remote_location_region,zeek_ssh.server,zeek_ssh.sshka,zeek_ssh.version,zeek_ssl.cert_chain_fuids,zeek_ssl.cipher,zeek_ssl.client_cert_chain_fuids,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.emailAddress,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer_full,zeek_ssl.client_subject.C,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.emailAddress,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.L,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.title,zeek_ssl.client_subject_full,zeek_ssl.curve,zeek_ssl.established,zeek_ssl.issuer.C,zeek_ssl.issuer.CN,zeek_ssl.issuer.DC,zeek_ssl.issuer.emailAddress,zeek_ssl.issuer.GN,zeek_ssl.issuer.initials,zeek_ssl.issuer.L,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.SN,zeek_ssl.issuer.ST,zeek_ssl.issuer.title,zeek_ssl.issuer_full,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.resumed,zeek_ssl.server_name,zeek_ssl.ssl_version,zeek_ssl.subject.C,zeek_ssl.subject.CN,zeek_ssl.subject.emailAddress,zeek_ssl.subject.GN,zeek_ssl.subject.initials,zeek_ssl.subject.L,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.SN,zeek_ssl.subject.ST,zeek_ssl.subject.title,zeek_ssl.subject_full,zeek_ssl.validation_status,zeek_syslog.facility,zeek_syslog.message,zeek_syslog.severity,zeek_tds.command,zeek_tds_rpc.parameters,zeek_tds_rpc.procedure_name,zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query,zeek_tunnel.action,zeek_tunnel.tunnel_type,zeek_weird.addl,zeek_weird.name,zeek_weird.notice,zeek_weird.peer,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len,zeek_x509.certificate_curve,zeek_x509.certificate_exponent,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer_full,zeek_x509.certificate_key_alg,zeek_x509.certificate_key_length,zeek_x509.certificate_key_type,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_serial,zeek_x509.certificate_sig_alg,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject_full,zeek_x509.certificate_version,zeek_x509.fuid,zeek_x509.san_dns,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.san_uri"; + var allFieldsStr = "communityId,host.name,ip.protocol,mac.dst,mac.src,node,oui.dst,oui.src,protocols,rootId,tags,zeek.action,zeek.community_id,zeek.destination_geo.city_name,zeek.destination_geo.country_name,zeek.destination_ip_reverse_dns,zeek.filename,zeek.filetype,zeek.fuid,zeek.logType,zeek.orig_h,zeek.orig_hostname,zeek.orig_l2_addr,zeek.orig_l2_oui,zeek.orig_p,zeek.orig_segment,zeek.proto,zeek.resp_h,zeek.resp_hostname,zeek.resp_l2_addr,zeek.resp_l2_oui,zeek.resp_p,zeek.resp_segment,zeek.service,zeek.service_version,zeek.source_geo.city_name,zeek.source_geo.country_name,zeek.source_ip_reverse_dns,zeek.ts,zeek.uid,zeek.user,zeek.password,zeek.freq_score_v1,zeek.freq_score_v2,zeek_bacnet.apdu_type,zeek_bacnet.bvlc_function,zeek_bacnet.bvlc_len,zeek_bacnet.data,zeek_bacnet.data_dict.date,zeek_bacnet.data_dict.low_limit,zeek_bacnet.data_dict.high_limit,zeek_bacnet.data_dict.object,zeek_bacnet.data_dict.property,zeek_bacnet.data_dict.result,zeek_bacnet.data_dict.time,zeek_bacnet.data_dict.ttl,zeek_bacnet.service_choice,zeek_cip.cip_service,zeek_cip.cip_tags,zeek_cip.status,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.duration,zeek_conn.history,zeek_conn.inner_vlan,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.orig_bytes,zeek_conn.orig_ip_bytes,zeek_conn.orig_pkts,zeek_conn.resp_bytes,zeek_conn.resp_ip_bytes,zeek_conn.resp_pkts,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_dce_rpc.endpoint,zeek_dce_rpc.named_pipe,zeek_dce_rpc.operation,zeek_dce_rpc.rtt,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.mac,zeek_dhcp.trans_id,zeek_dnp3.fc_reply,zeek_dnp3.fc_request,zeek_dnp3.iin,zeek_dns.AA,zeek_dns.answers,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.query,zeek_dns.RA,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.RD,zeek_dns.rejected,zeek_dns.rtt,zeek_dns.TC,zeek_dns.trans_id,zeek_dns.TTLs,zeek_dns.Z,zeek_dpd.failure_reason,zeek_dpd.service,zeek_enip.command,zeek_enip.length,zeek_enip.options,zeek_enip.sender_context,zeek_enip.session_handle,zeek_enip.status,zeek_enip_list_identity.device_ip,zeek_enip_list_identity.device_type,zeek_enip_list_identity.product_code,zeek_enip_list_identity.product_name,zeek_enip_list_identity.revision,zeek_enip_list_identity.serial_number,zeek_enip_list_identity.state,zeek_enip_list_identity.status,zeek_enip_list_identity.vendor,zeek_files.analyzers,zeek_files.conn_uids,zeek_files.depth,zeek_files.duration,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size,zeek_files.filename,zeek_files.is_orig,zeek_files.local_orig,zeek_files.md5,zeek_files.mime_type,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.parent_fuid,zeek_files.rx_hosts,zeek_files.seen_bytes,zeek_files.sha1,zeek_files.sha256,zeek_files.source,zeek_files.timedout,zeek_files.total_bytes,zeek_files.tx_hosts,zeek_ftp.arg,zeek_ftp.command,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.file_size,zeek_ftp.mime_type,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_gquic.cyu,zeek_gquic.cyutags,zeek_gquic.server_name,zeek_gquic.tag_count,zeek_gquic.user_agent,zeek_gquic.version,zeek_http.host,zeek_http.info_code,zeek_http.info_msg,zeek_http.method,zeek_http.orig_filenames,zeek_http.orig_fuids,zeek_http.orig_mime_types,zeek_http.origin,zeek_http.proxied,zeek_http.referrer,zeek_http.request_body_len,zeek_http.resp_filenames,zeek_http.resp_fuids,zeek_http.resp_mime_types,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.tags,zeek_http.trans_depth,zeek_http.uri,zeek_http.user_agent,zeek_http.version,zeek_intel.file_description,zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.matched,zeek_intel.mimetype,zeek_intel.seen_node,zeek_intel.seen_where,zeek_intel.sources,zeek_irc.addl,zeek_irc.command,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.nick,zeek_irc.value,zeek_iso_cotp.pdu_type,zeek_kerberos.cipher,zeek_kerberos.client_cert_fuid,zeek_kerberos.client_cert_subject,zeek_kerberos.cname,zeek_kerberos.error_msg,zeek_kerberos.forwardable,zeek_kerberos.from,zeek_kerberos.renewable,zeek_kerberos.server_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.till,zeek_known_certs.issuer_subject,zeek_known_certs.serial,zeek_known_certs.subject,zeek_known_modbus.device_type,zeek_ldap.message_id,zeek_ldap.operation,zeek_ldap.value,zeek_ldap.entry,zeek_ldap.result,zeek_ldap.result_code,zeek_ldap.error,zeek_modbus.exception,zeek_modbus.func,modbus_register_change.register,modbus_register_change.old_val,modbus_register_change.new_val,modbus_register_change.delta,zeek_mqtt_connect.client_id,zeek_mqtt_connect.connect_status,zeek_mqtt_connect.proto_name,zeek_mqtt_connect.proto_version,zeek_mqtt_connect.will_payload,zeek_mqtt_connect.will_topic,zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len,zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack,zeek_mysql.arg,zeek_mysql.cmd,zeek_mysql.response,zeek_mysql.rows,zeek_mysql.success,zeek_notice.actions,zeek_notice.category,zeek_notice.dropped,zeek_notice.dst,zeek_notice.file_desc,zeek_notice.file_mime_type,zeek_notice.msg,zeek_notice.n,zeek_notice.note,zeek_notice.p,zeek_notice.peer_descr,zeek_notice.remote_location_city,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_country_code,zeek_notice.remote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.remote_location_region,zeek_notice.src,zeek_notice.sub,zeek_notice.sub_category,zeek_notice.suppress_for,zeek_ntlm.domain,zeek_ntlm.host,zeek_ntlm.status,zeek_ntlm.success,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree,zeek_ntp.mode,zeek_ntp.mode_str,zeek_ntp.num_exts,zeek_ntp.org_time,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.rec_time,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.stratum,zeek_ntp.version,zeek_ntp.xmt_time,zeek_pe.compile_ts,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.has_export_table,zeek_pe.has_import_table,zeek_pe.is_64bit,zeek_pe.is_exe,zeek_pe.machine,zeek_pe.os,zeek_pe.section_names,zeek_pe.subsystem,zeek_pe.uses_aslr,zeek_pe.uses_code_integrity,zeek_pe.uses_dep,zeek_pe.uses_seh,zeek_profinet.block_version,zeek_profinet.index,zeek_profinet.operation_type,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.operation,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.version,zeek_radius.connect_info,zeek_radius.framed_addr,zeek_radius.mac,zeek_radius.tunnel_client,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.cert_type,zeek_rdp.client_build,zeek_rdp.client_channels,zeek_rdp.client_dig_product_id,zeek_rdp.client_name,zeek_rdp.cookie,zeek_rdp.desktop_height,zeek_rdp.desktop_width,zeek_rdp.encryption_level,zeek_rdp.encryption_method,zeek_rdp.keyboard_layout,zeek_rdp.requested_color_depth,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rfb.auth,zeek_rfb.authentication_method,zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.desktop_name,zeek_rfb.height,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.share_flag,zeek_rfb.width,zeek_s7comm.data_info,zeek_s7comm.item_count,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.rosctr,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.hits,zeek_signatures.host_count,zeek_signatures.note,zeek_signatures.signature_count,zeek_signatures.signature_id,zeek_signatures.sub_message,zeek_sip.call_id,zeek_sip.content_type,zeek_sip.date,zeek_sip.method,zeek_sip.reply_to,zeek_sip.request_body_len,zeek_sip.request_from,zeek_sip.request_path,zeek_sip.request_to,zeek_sip.response_body_len,zeek_sip.response_from,zeek_sip.response_path,zeek_sip.response_to,zeek_sip.seq,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.subject,zeek_sip.trans_depth,zeek_sip.uri,zeek_sip.user_agent,zeek_sip.warning,zeek_sip.version,zeek_smb_cmd.command,zeek_smb_cmd.sub_command,zeek_smb_cmd.argument,zeek_smb_cmd.status,zeek_smb_cmd.rtt,zeek_smb_cmd.version,zeek_smb_cmd.user,zeek_smb_cmd.tree,zeek_smb_cmd.tree_service,zeek_smb_files.action,zeek_smb_files.name,zeek_smb_files.path,zeek_smb_files.prev_name,zeek_smb_files.size,zeek_smb_files.times_accessed,zeek_smb_files.times_changed,zeek_smb_files.data_offset_req,zeek_smb_files.data_len_req,zeek_smb_files.data_len_rsp,zeek_smb_files.times_created,zeek_smb_files.times_modified,zeek_smb_mapping.native_file_system,zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.share_type,zeek_smtp.cc,zeek_smtp.date,zeek_smtp.first_received,zeek_smtp.from,zeek_smtp.helo,zeek_smtp.in_reply_to,zeek_smtp.is_webmail,zeek_smtp.last_reply,zeek_smtp.mailfrom,zeek_smtp.msg_id,zeek_smtp.path,zeek_smtp.rcptto,zeek_smtp.reply_to,zeek_smtp.second_received,zeek_smtp.subject,zeek_smtp.tls,zeek_smtp.to,zeek_smtp.trans_depth,zeek_smtp.user_agent,zeek_smtp.x_originating_ip,zeek_snmp.community,zeek_snmp.display_string,zeek_snmp.duration,zeek_snmp.get_bulk_requests,zeek_snmp.get_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.up_since,zeek_snmp.version,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.server_status,zeek_socks.version,zeek_software.name,zeek_software.software_type,zeek_software.unparsed_version,zeek_software.version_addl,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_ssh.auth_attempts,zeek_ssh.auth_success,zeek_ssh.cipher_alg,zeek_ssh.client,zeek_ssh.compression_alg,zeek_ssh.cshka,zeek_ssh.direction,zeek_ssh.hassh,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServer,zeek_ssh.hasshServerAlgorithms,zeek_ssh.hasshVersion,zeek_ssh.host_key,zeek_ssh.host_key_alg,zeek_ssh.kex_alg,zeek_ssh.mac_alg,zeek_ssh.remote_location_city,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.remote_location_region,zeek_ssh.server,zeek_ssh.sshka,zeek_ssh.version,zeek_ssl.cert_chain_fuids,zeek_ssl.cipher,zeek_ssl.client_cert_chain_fuids,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.emailAddress,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer_full,zeek_ssl.client_subject.C,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.emailAddress,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.L,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.title,zeek_ssl.client_subject_full,zeek_ssl.curve,zeek_ssl.established,zeek_ssl.issuer.C,zeek_ssl.issuer.CN,zeek_ssl.issuer.DC,zeek_ssl.issuer.emailAddress,zeek_ssl.issuer.GN,zeek_ssl.issuer.initials,zeek_ssl.issuer.L,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.SN,zeek_ssl.issuer.ST,zeek_ssl.issuer.title,zeek_ssl.issuer_full,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.resumed,zeek_ssl.server_name,zeek_ssl.ssl_version,zeek_ssl.subject.C,zeek_ssl.subject.CN,zeek_ssl.subject.emailAddress,zeek_ssl.subject.GN,zeek_ssl.subject.initials,zeek_ssl.subject.L,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.SN,zeek_ssl.subject.ST,zeek_ssl.subject.title,zeek_ssl.subject_full,zeek_ssl.validation_status,zeek_syslog.facility,zeek_syslog.message,zeek_syslog.severity,zeek_tds.command,zeek_tds_rpc.parameters,zeek_tds_rpc.procedure_name,zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query,zeek_tunnel.action,zeek_tunnel.tunnel_type,zeek_weird.addl,zeek_weird.name,zeek_weird.notice,zeek_weird.peer,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len,zeek_x509.certificate_curve,zeek_x509.certificate_exponent,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer_full,zeek_x509.certificate_key_alg,zeek_x509.certificate_key_length,zeek_x509.certificate_key_type,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_serial,zeek_x509.certificate_sig_alg,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject_full,zeek_x509.certificate_version,zeek_x509.san_dns,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.san_uri"; this.api.addRightClick("malcolm_kibana_cat_ip", {name:filterLabel, url:"idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%", category:"ip"}); this.api.addRightClick("malcolm_kibana_cat_port", {name:filterLabel, url:filterUrl, category:"port"}); this.api.addRightClick("malcolm_kibana_cat_country", {name:filterLabel, url:filterUrl, category:"country"}); @@ -820,7 +826,8 @@ function ZeekLogs (api, section) { // basic connection information " if (session.zeek.orig_h || session.zeek.orig_p || session.zeek.orig_l2_addr || session.zeek.resp_h || " + " session.zeek.resp_p || session.zeek.resp_l2_addr || session.zeek.proto || session.zeek.service || " + - " session.zeek.user)\n" + + " session.zeek.service_version || session.zeek.user || session.zeek.password || " + + " session.zeek.action || session.zeek.freq_score_v1 || session.zeek.freq_score_v2 )\n" + " dl.sessionDetailMeta(suffix=\"Basic Connection Info\")\n" + " +arrayList(session.zeek, 'orig_h', 'Originating Host', 'zeek.orig_h')\n" + " +arrayList(session.zeek, 'orig_l2_addr', 'Originating MAC', 'zeek.orig_l2_addr')\n" + @@ -842,7 +849,12 @@ function ZeekLogs (api, section) { " +arrayList(session.zeek, 'resp_p', 'Responding Port', 'zeek.resp_p')\n" + " +arrayList(session.zeek, 'proto', 'Protocol', 'zeek.proto')\n" + " +arrayList(session.zeek, 'service', 'Service', 'zeek.service')\n" + + " +arrayList(session.zeek, 'service_version', 'Service Version', 'zeek.service_version')\n" + + " +arrayList(session.zeek, 'action', 'Action', 'zeek.action')\n" + " +arrayList(session.zeek, 'user', 'User', 'zeek.user')\n" + + " +arrayList(session.zeek, 'password', 'Password', 'zeek.password')\n" + + " +arrayList(session.zeek, 'freq_score_v1', 'Freq Score v1', 'zeek.freq_score_v1')\n" + + " +arrayList(session.zeek, 'freq_score_v2', 'Freq Score v2', 'zeek.freq_score_v2')\n" + // file information " if (session.zeek.fuid || session.zeek.filename || session.zeek.filetype)\n" + @@ -864,12 +876,12 @@ function ZeekLogs (api, section) { this.api.addView("zeek_dpd", "require:zeek_dpd;title:Zeek dpd.log;fields:zeek_dpd.service,zeek_dpd.failure_reason") this.api.addView("zeek_enip", "require:zeek_enip;title:Zeek enip.log;fields:zeek_enip.command,zeek_enip.length,zeek_enip.session_handle,zeek_enip.status,zeek_enip.sender_context,zeek_enip.options") this.api.addView("zeek_enip_list_identity", "require:zeek_enip_list_identity;title:Zeek enip_list_identity.log;fields:zeek_enip_list_identity.device_type,zeek_enip_list_identity.vendor,zeek_enip_list_identity.product_name,zeek_enip_list_identity.serial_number,zeek_enip_list_identity.product_code,zeek_enip_list_identity.revision,zeek_enip_list_identity.status,zeek_enip_list_identity.state,zeek_enip_list_identity.device_ip") - this.api.addView("zeek_files", "require:zeek_files;title:Zeek files.log;fields:zeek_files.fuid,zeek_files.tx_hosts,zeek_files.rx_hosts,zeek_files.conn_uids,zeek_files.source,zeek_files.depth,zeek_files.analyzers,zeek_files.mime_type,zeek_files.filename,zeek_files.duration,zeek_files.local_orig,zeek_files.is_orig,zeek_files.seen_bytes,zeek_files.total_bytes,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.timedout,zeek_files.parent_fuid,zeek_files.md5,zeek_files.sha1,zeek_files.sha256,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size") - this.api.addView("zeek_ftp", "require:zeek_ftp;title:Zeek ftp.log;fields:zeek_ftp.password,zeek_ftp.command,zeek_ftp.arg,zeek_ftp.mime_type,zeek_ftp.file_size,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.fuid") + this.api.addView("zeek_files", "require:zeek_files;title:Zeek files.log;fields:zeek_files.tx_hosts,zeek_files.rx_hosts,zeek_files.conn_uids,zeek_files.source,zeek_files.depth,zeek_files.analyzers,zeek_files.mime_type,zeek_files.filename,zeek_files.duration,zeek_files.local_orig,zeek_files.is_orig,zeek_files.seen_bytes,zeek_files.total_bytes,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.timedout,zeek_files.parent_fuid,zeek_files.md5,zeek_files.sha1,zeek_files.sha256,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size") + this.api.addView("zeek_ftp", "require:zeek_ftp;title:Zeek ftp.log;fields:zeek_ftp.command,zeek_ftp.arg,zeek_ftp.mime_type,zeek_ftp.file_size,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p") this.api.addView("zeek_gquic", "require:zeek_gquic;title:Zeek gquic.log;fields:zeek_gquic.version,zeek_gquic.server_name,zeek_gquic.user_agent,zeek_gquic.tag_count,zeek_gquic.cyu,zeek_gquic.cyutags") - this.api.addView("zeek_http", "require:zeek_http;title:Zeek http.log;fields:zeek_http.trans_depth,zeek_http.method,zeek_http.host,zeek_http.uri,zeek_http.origin,zeek_http.referrer,zeek_http.version,zeek_http.user_agent,zeek_http.request_body_len,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.info_code,zeek_http.info_msg,zeek_http.tags,zeek_http.user,zeek_http.password,zeek_http.proxied,zeek_http.orig_fuids,zeek_http.orig_filenames,zeek_http.orig_mime_types,zeek_http.resp_fuids,zeek_http.resp_filenames,zeek_http.resp_mime_types") - this.api.addView("zeek_intel", "require:zeek_intel;title:Zeek intel.log;fields:zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.seen_where,zeek_intel.seen_node,zeek_intel.matched,zeek_intel.sources,zeek_intel.fuid,zeek_intel.mimetype,zeek_intel.file_description") - this.api.addView("zeek_irc", "require:zeek_irc;title:Zeek irc.log;fields:zeek_irc.nick,zeek_irc.command,zeek_irc.value,zeek_irc.addl,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.fuid") + this.api.addView("zeek_http", "require:zeek_http;title:Zeek http.log;fields:zeek_http.trans_depth,zeek_http.method,zeek_http.host,zeek_http.uri,zeek_http.origin,zeek_http.referrer,zeek_http.version,zeek_http.user_agent,zeek_http.request_body_len,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.info_code,zeek_http.info_msg,zeek_http.tags,zeek_http.proxied,zeek_http.orig_fuids,zeek_http.orig_filenames,zeek_http.orig_mime_types,zeek_http.resp_fuids,zeek_http.resp_filenames,zeek_http.resp_mime_types") + this.api.addView("zeek_intel", "require:zeek_intel;title:Zeek intel.log;fields:zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.seen_where,zeek_intel.seen_node,zeek_intel.matched,zeek_intel.sources,zeek_intel.mimetype,zeek_intel.file_description") + this.api.addView("zeek_irc", "require:zeek_irc;title:Zeek irc.log;fields:zeek_irc.nick,zeek_irc.command,zeek_irc.value,zeek_irc.addl,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type") this.api.addView("zeek_iso_cotp", "require:zeek_iso_cotp;title:Zeek iso_cotp.log;fields:zeek_iso_cotp.pdu_type") this.api.addView("zeek_kerberos", "require:zeek_kerberos;title:Zeek kerberos.log;fields:zeek_kerberos.cname,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.error_msg,zeek_kerberos.from,zeek_kerberos.till,zeek_kerberos.cipher,zeek_kerberos.forwardable,zeek_kerberos.renewable,zeek_kerberos.client_cert_subject,zeek_kerberos.client_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.server_cert_fuid") this.api.addView("zeek_known_certs", "require:zeek_known_certs;title:Zeek known_certs.log;fields:zeek_known_certs.subject,zeek_known_certs.issuer_subject,zeek_known_certs.serial") @@ -881,10 +893,10 @@ function ZeekLogs (api, section) { this.api.addView("zeek_mqtt_publish", "require:zeek_mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len") this.api.addView("zeek_mqtt_subscribe", "require:zeek_mqtt_subscribe;title:Zeek mqtt_subscribe.log;fields:zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack") this.api.addView("zeek_mysql", "require:zeek_mysql;title:Zeek mysql.log;fields:zeek_mysql.cmd,zeek_mysql.arg,zeek_mysql.success,zeek_mysql.rows,zeek_mysql.response") - this.api.addView("zeek_notice", "require:zeek_notice;title:Zeek notice.log;fields:zeek_notice.fuid,zeek_notice.file_mime_type,zeek_notice.file_desc,zeek_notice.note,zeek_notice.msg,zeek_notice.sub,zeek_notice.src,zeek_notice.dst,zeek_notice.p,zeek_notice.n,zeek_notice.peer_descr,zeek_notice.actions,zeek_notice.suppress_for,zeek_notice.dropped,zeek_notice.remote_location_country_code,zeek_notice.remote_location_region,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_longitude") + this.api.addView("zeek_notice", "require:zeek_notice;title:Zeek notice.log;fields:zeek_notice.file_mime_type,zeek_notice.file_desc,zeek_notice.note,zeek_notice.msg,zeek_notice.sub,zeek_notice.src,zeek_notice.dst,zeek_notice.p,zeek_notice.n,zeek_notice.peer_descr,zeek_notice.actions,zeek_notice.suppress_for,zeek_notice.dropped,zeek_notice.remote_location_country_code,zeek_notice.remote_location_region,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.category,zeek_notice.sub_category") this.api.addView("zeek_ntlm", "require:zeek_ntlm;title:Zeek ntlm.log;fields:zeek_ntlm.host,zeek_ntlm.domain,zeek_ntlm.success,zeek_ntlm.status,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree") this.api.addView("zeek_ntp", "require:zeek_ntp;title:Zeek ntp.log;fields:zeek_ntp.version,zeek_ntp.mode,zeek_ntp.mode_str,zeek_ntp.stratum,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.org_time,zeek_ntp.rec_time,zeek_ntp.xmt_time,zeek_ntp.num_exts") - this.api.addView("zeek_pe", "require:zeek_pe;title:Zeek pe.log;fields:zeek_pe.fuid,zeek_pe.machine,zeek_pe.compile_ts,zeek_pe.os,zeek_pe.subsystem,zeek_pe.is_exe,zeek_pe.is_64bit,zeek_pe.uses_aslr,zeek_pe.uses_dep,zeek_pe.uses_code_integrity,zeek_pe.uses_seh,zeek_pe.has_import_table,zeek_pe.has_export_table,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.section_names") + this.api.addView("zeek_pe", "require:zeek_pe;title:Zeek pe.log;fields:zeek_pe.machine,zeek_pe.compile_ts,zeek_pe.os,zeek_pe.subsystem,zeek_pe.is_exe,zeek_pe.is_64bit,zeek_pe.uses_aslr,zeek_pe.uses_dep,zeek_pe.uses_code_integrity,zeek_pe.uses_seh,zeek_pe.has_import_table,zeek_pe.has_export_table,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.section_names") this.api.addView("zeek_profinet", "require:zeek_profinet;title:Zeek profinet.log;fields:zeek_profinet.operation_type,zeek_profinet.block_version,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet.index") this.api.addView("zeek_profinet_dce_rpc", "require:zeek_profinet_dce_rpc;title:Zeek profinet_dce_rpc.log;fields:zeek_profinet_dce_rpc.version,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.operation") this.api.addView("zeek_radius", "require:zeek_radius;title:Zeek radius.log;fields:zeek_radius.mac,zeek_radius.framed_addr,zeek_radius.tunnel_client,zeek_radius.connect_info,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl") @@ -892,12 +904,13 @@ function ZeekLogs (api, section) { this.api.addView("zeek_rfb", "require:zeek_rfb;title:Zeek rfb.log;fields:zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.authentication_method,zeek_rfb.auth,zeek_rfb.share_flag,zeek_rfb.desktop_name,zeek_rfb.width,zeek_rfb.height") this.api.addView("zeek_s7comm", "require:zeek_s7comm;title:Zeek s7comm.log;fields:zeek_s7comm.rosctr,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.item_count,zeek_s7comm.data_info") this.api.addView("zeek_signatures", "require:zeek_signatures;title:Zeek signatures.log;fields:zeek_signatures.note,zeek_signatures.signature_id,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.sub_message,zeek_signatures.signature_count,zeek_signatures.host_count") - this.api.addView("zeek_sip", "require:zeek_sip;title:Zeek sip.log;fields:zeek_sip.trans_depth,zeek_sip.method,zeek_sip.uri,zeek_sip.date,zeek_sip.request_from,zeek_sip.request_to,zeek_sip.response_from,zeek_sip.response_to,zeek_sip.reply_to,zeek_sip.call_id,zeek_sip.seq,zeek_sip.subject,zeek_sip.request_path,zeek_sip.response_path,zeek_sip.user_agent,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.warning,zeek_sip.request_body_len,zeek_sip.response_body_len,zeek_sip.content_type") - this.api.addView("zeek_smb_files", "require:zeek_smb_files;title:Zeek smb_files.log;fields:zeek_smb_files.fuid,zeek_smb_files.action,zeek_smb_files.path,zeek_smb_files.name,zeek_smb_files.size,zeek_smb_files.prev_name,zeek_smb_files.times_modified,zeek_smb_files.times_accessed,zeek_smb_files.times_created,zeek_smb_files.times_changed,zeek_smb_files.data_offset_req,zeek_smb_files.data_len_req,zeek_smb_files.data_len_rsp") + this.api.addView("zeek_sip", "require:zeek_sip;title:Zeek sip.log;fields:zeek_sip.trans_depth,zeek_sip.method,zeek_sip.uri,zeek_sip.date,zeek_sip.request_from,zeek_sip.request_to,zeek_sip.response_from,zeek_sip.response_to,zeek_sip.reply_to,zeek_sip.call_id,zeek_sip.seq,zeek_sip.subject,zeek_sip.request_path,zeek_sip.response_path,zeek_sip.user_agent,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.warning,zeek_sip.request_body_len,zeek_sip.response_body_len,zeek_sip.content_type,zeek_sip.version") + this.api.addView("zeek_smb_cmd", "require:zeek_smb_cmd;title:Zeek smb_cmd.log;fields:zeek_smb_cmd.command,zeek_smb_cmd.sub_command,zeek_smb_cmd.argument,zeek_smb_cmd.status,zeek_smb_cmd.rtt,zeek_smb_cmd.version,zeek_smb_cmd.user,zeek_smb_cmd.tree,zeek_smb_cmd.tree_service") + this.api.addView("zeek_smb_files", "require:zeek_smb_files;title:Zeek smb_files.log;fields:zeek_smb_files.action,zeek_smb_files.path,zeek_smb_files.name,zeek_smb_files.size,zeek_smb_files.prev_name,zeek_smb_files.times_modified,zeek_smb_files.times_accessed,zeek_smb_files.times_created,zeek_smb_files.times_changed,zeek_smb_files.data_offset_req,zeek_smb_files.data_len_req,zeek_smb_files.data_len_rsp") this.api.addView("zeek_smb_mapping", "require:zeek_smb_mapping;title:Zeek smb_mapping.log;fields:zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.native_file_system,zeek_smb_mapping.share_type") - this.api.addView("zeek_smtp", "require:zeek_smtp;title:Zeek smtp.log;fields:zeek_smtp.trans_depth,zeek_smtp.helo,zeek_smtp.mailfrom,zeek_smtp.rcptto,zeek_smtp.date,zeek_smtp.from,zeek_smtp.to,zeek_smtp.cc,zeek_smtp.reply_to,zeek_smtp.msg_id,zeek_smtp.in_reply_to,zeek_smtp.subject,zeek_smtp.x_originating_ip,zeek_smtp.first_received,zeek_smtp.second_received,zeek_smtp.last_reply,zeek_smtp.path,zeek_smtp.user_agent,zeek_smtp.tls,zeek_smtp.fuids,zeek_smtp.is_webmail") + this.api.addView("zeek_smtp", "require:zeek_smtp;title:Zeek smtp.log;fields:zeek_smtp.trans_depth,zeek_smtp.helo,zeek_smtp.mailfrom,zeek_smtp.rcptto,zeek_smtp.date,zeek_smtp.from,zeek_smtp.to,zeek_smtp.cc,zeek_smtp.reply_to,zeek_smtp.msg_id,zeek_smtp.in_reply_to,zeek_smtp.subject,zeek_smtp.x_originating_ip,zeek_smtp.first_received,zeek_smtp.second_received,zeek_smtp.last_reply,zeek_smtp.path,zeek_smtp.user_agent,zeek_smtp.tls,zeek_smtp.is_webmail") this.api.addView("zeek_snmp", "require:zeek_snmp;title:Zeek snmp.log;fields:zeek_snmp.duration,zeek_snmp.version,zeek_snmp.community,zeek_snmp.get_requests,zeek_snmp.get_bulk_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.display_string,zeek_snmp.up_since") - this.api.addView("zeek_socks", "require:zeek_socks;title:Zeek socks.log;fields:zeek_socks.version,zeek_socks.password,zeek_socks.server_status,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port") + this.api.addView("zeek_socks", "require:zeek_socks;title:Zeek socks.log;fields:zeek_socks.version,zeek_socks.server_status,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port") this.api.addView("zeek_software", "require:zeek_software;title:Zeek software.log;fields:zeek_software.software_type,zeek_software.name,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_software.version_addl,zeek_software.unparsed_version") this.api.addView("zeek_ssh", "require:zeek_ssh;title:Zeek ssh.log;fields:zeek_ssh.version,zeek_ssh.auth_success,zeek_ssh.auth_attempts,zeek_ssh.direction,zeek_ssh.client,zeek_ssh.server,zeek_ssh.cipher_alg,zeek_ssh.mac_alg,zeek_ssh.compression_alg,zeek_ssh.kex_alg,zeek_ssh.host_key_alg,zeek_ssh.host_key,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_region,zeek_ssh.remote_location_city,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.hassh,zeek_ssh.hasshServer,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServerAlgorithms,zeek_ssh.cshka,zeek_ssh.sshka") this.api.addView("zeek_ssl", "require:zeek_ssl;title:Zeek ssl.log;fields:zeek_ssl.ssl_version,zeek_ssl.cipher,zeek_ssl.curve,zeek_ssl.server_name,zeek_ssl.resumed,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.established,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.cert_chain_fuids,zeek_ssl.client_cert_chain_fuids,zeek_ssl.subject.CN,zeek_ssl.subject.C,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.ST,zeek_ssl.subject.SN,zeek_ssl.subject.L,zeek_ssl.subject.GN,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.title,zeek_ssl.subject.initials,zeek_ssl.subject.emailAddress,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.C,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.L,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.title,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.emailAddress,zeek_ssl.issuer.CN,zeek_ssl.issuer.C,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.ST,zeek_ssl.issuer.SN,zeek_ssl.issuer.L,zeek_ssl.issuer.DC,zeek_ssl.issuer.GN,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.title,zeek_ssl.issuer.initials,zeek_ssl.issuer.emailAddress,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.emailAddress,zeek_ssl.validation_status") @@ -907,7 +920,7 @@ function ZeekLogs (api, section) { this.api.addView("zeek_tds_sql_batch", "require:zeek_tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query") this.api.addView("zeek_tunnel", "require:zeek_tunnel;title:Zeek tunnel.log;fields:zeek_tunnel.tunnel_type,zeek_tunnel.action") this.api.addView("zeek_weird", "require:zeek_weird;title:Zeek weird.log;fields:zeek_weird.name,zeek_weird.addl,zeek_weird.notice,zeek_weird.peer") - this.api.addView("zeek_x509", "require:zeek_x509;title:Zeek x509.log;fields:zeek_x509.fuid,zeek_x509.certificate_version,zeek_x509.certificate_serial,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_key_alg,zeek_x509.certificate_sig_alg,zeek_x509.certificate_key_type,zeek_x509.certificate_key_length,zeek_x509.certificate_exponent,zeek_x509.certificate_curve,zeek_x509.san_dns,zeek_x509.san_uri,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len") + this.api.addView("zeek_x509", "require:zeek_x509;title:Zeek x509.log;fields:zeek_x509.certificate_version,zeek_x509.certificate_serial,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_key_alg,zeek_x509.certificate_sig_alg,zeek_x509.certificate_key_type,zeek_x509.certificate_key_length,zeek_x509.certificate_exponent,zeek_x509.certificate_curve,zeek_x509.san_dns,zeek_x509.san_uri,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len") // Add the source as available this.api.addSource("zeek", this); diff --git a/name-map-ui/config/fpm-pool.conf b/name-map-ui/config/fpm-pool.conf new file mode 100644 index 000000000..a3a6b288f --- /dev/null +++ b/name-map-ui/config/fpm-pool.conf @@ -0,0 +1,56 @@ +[global] +; Log to /dev/fd/1 for docker +error_log = /dev/fd/1 + +[www] +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = 127.0.0.1:9000 + +; Enable status page +pm.status_path = /fpm-status + +; Ondemand process manager +pm = ondemand + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 100 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +pm.max_requests = 1000 + +; Make sure the FPM workers can reach the environment variables for configuration +clear_env = no + +; Catch output from PHP +catch_workers_output = yes + +; Remove the 'child 10 said into stderr' prefix in the log and only show the actual message +decorate_workers_output = no + +; Enable ping page to use in healthcheck +ping.path = /fpm-ping diff --git a/name-map-ui/config/nginx.conf b/name-map-ui/config/nginx.conf new file mode 100644 index 000000000..97b316e81 --- /dev/null +++ b/name-map-ui/config/nginx.conf @@ -0,0 +1,92 @@ +worker_processes 1; +error_log stderr warn; +pid /run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + # Define custom log format to include reponse times + log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + '$request_time $upstream_response_time $pipe $upstream_cache_status'; + + access_log /dev/stdout main_timed; + error_log /dev/stderr notice; + + keepalive_timeout 65; + + # Write temporary files to /tmp so they can be created as a non-privileged user + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + # Default server definition + server { + listen 8080 default_server; + server_name _; + + sendfile off; + + root /var/www/html; + index index.php index.html; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to index.php + try_files $uri $uri/ /index.php?q=$uri&$args; + } + + location ~* maps/.+\.(txt|json)$ { + expires -1; + add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + } + + # Redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /var/lib/nginx/html; + } + + # Pass the PHP scripts to PHP-FPM listening on 127.0.0.1:9000 + location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_index index.php; + include fastcgi_params; + } + + location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ { + expires 5d; + } + + # Deny access to . files, for security + location ~ /\. { + log_not_found off; + deny all; + } + + # Allow fpm ping and status from localhost + location ~ ^/(fpm-status|fpm-ping)$ { + access_log off; + allow 127.0.0.1; + deny all; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_pass 127.0.0.1:9000; + } + } + + # Include other server configs + include /etc/nginx/conf.d/*.conf; +} diff --git a/name-map-ui/config/php.ini b/name-map-ui/config/php.ini new file mode 100644 index 000000000..d91b95891 --- /dev/null +++ b/name-map-ui/config/php.ini @@ -0,0 +1,7 @@ +[PHP] +file_uploads = On +upload_max_filesize = 64M +max_file_uploads = 4 + +[Date] +date.timezone="UTC" diff --git a/name-map-ui/config/supervisor_logstash_ctl.conf b/name-map-ui/config/supervisor_logstash_ctl.conf new file mode 100644 index 000000000..de572adcf --- /dev/null +++ b/name-map-ui/config/supervisor_logstash_ctl.conf @@ -0,0 +1,10 @@ +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +[supervisord] +nodaemon=true +logfile=/dev/null +logfile_maxbytes=0 +pidfile=/run/supervisord.pid + +[supervisorctl] +serverurl=http://logstash:9001 diff --git a/name-map-ui/config/supervisord.conf b/name-map-ui/config/supervisord.conf new file mode 100644 index 000000000..c01f68e10 --- /dev/null +++ b/name-map-ui/config/supervisord.conf @@ -0,0 +1,48 @@ +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +[unix_http_server] +file=/tmp/supervisor.sock ; (the path to the socket file) +chmod=0700 + +[supervisord] +nodaemon=true +logfile=/dev/null +logfile_maxbytes=0 +pidfile=/run/supervisord.pid + +[rpcinterface:supervisor] +supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface + +[supervisorctl] +serverurl=unix:///tmp/supervisor.sock + +[program:php-fpm] +command=php-fpm7 -F +stopasgroup=true +killasgroup=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +autorestart=false +startretries=0 + +[program:nginx] +command=nginx -g 'daemon off;' +stopasgroup=true +killasgroup=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +autorestart=false +startretries=0 + +[program:watch-upload] +command=/bin/bash -c "sleep 15 && /usr/local/bin/name-map-save-watch.sh" +startsecs=20 +startretries=1 +stopasgroup=true +killasgroup=true +directory=/var/www/html/upload +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true diff --git a/name-map-ui/scripts/name-map-save-watch.sh b/name-map-ui/scripts/name-map-save-watch.sh new file mode 100755 index 000000000..666bf8437 --- /dev/null +++ b/name-map-ui/scripts/name-map-save-watch.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +PROCESS_DIR=${NAME_MAP_SAVE_DIR:-/var/www/html/upload/} +DEST_MAP=${NAME_MAP_JSON:-/var/www/html/maps/net-map.json} + +inotifywait -m -e close_write --format '%w%f' "${PROCESS_DIR}" | while read NEWFILE +do + sleep 0.1 + # verify that the file is json|txt and that it is valid JSON + FILEMIME=$(file -b --mime-type "$NEWFILE") + if ( echo "$FILEMIME" | grep -q -e "\(application/json\|text/plain\)" ) && ( python3 -mjson.tool "$NEWFILE" >/dev/null 2>&1 ); then + # move the new net-map.json file into its final location + # (done like this with "tee" since we may not be able to cp overwrite a volume-mounted file) + (>/dev/null tee "$DEST_MAP" < "$NEWFILE") && echo "\"$NEWFILE\" -> \"$DEST_MAP\"" + rm -f "$NEWFILE" + else + # invalud or unhandled file type uploaded, delete it + (>&2 rm -f "$NEWFILE") && echo "Removed \"$NEWFILE\" (\"$FILEMIME\"): invalid file type or format" + fi +done diff --git a/name-map-ui/site/index.html b/name-map-ui/site/index.html new file mode 100644 index 000000000..cb984edcf --- /dev/null +++ b/name-map-ui/site/index.html @@ -0,0 +1,523 @@ + + + + + + + + + + + + + + + + Host and Network Segment Name Mapping + + + + +
+
+
+ +

Host and Network Segment Name Mapping

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
TypeAddressNameTag + +
+ + + + + + + + + + + + +
+ + + + + + + + + +
+
+
+
+
+ + + + + + \ No newline at end of file diff --git a/name-map-ui/site/mapping.css b/name-map-ui/site/mapping.css new file mode 100644 index 000000000..40b45c36e --- /dev/null +++ b/name-map-ui/site/mapping.css @@ -0,0 +1,229 @@ +/* Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. */ + +html { + font-family: sans-serif; + line-height: 1.15; +} + +body { + margin: 0; + font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; + font-size: 0.9375rem; + font-weight: 400; + line-height: 1.5; + color: #cecece; + text-align: left; + background-color: #272B30; +} + +body, +div, +dl, +dt, +dd, +ul, +ol, +li, +h1, +h2, +h3, +h4, +h5, +h6, +pre, +form, +fieldset, +input, +textarea, +p, +blockquote, +th, +td { + margin-top: 0; + margin-bottom: 0.5rem +} + +table { + border-collapse: collapse; + border-spacing: 0; +} + +fieldset, +img { + border: 0; +} + +img.center { + display: block; + margin-left: auto; + margin-right: auto; + width: 50%; +} + +ol, +ul, +dl { + margin-top: 0; + margin-bottom: 0.5rem +} + +caption, +th { + text-align: left; +} + +header { + float: left; + margin-bottom: 20px; + width: 100%; +} + +address { + margin-bottom: 1rem; + line-height: inherit +} + +#container { + width: 800px; + margin-top: auto; + margin-bottom: auto; + margin-right: auto; + margin-left: auto; +} + +.c1 { + width: 800px; + float: left; +} + +.c2 { + width: 355px; + float: left; +} + +.c3 { + width: 235px; + float: left; +} + +p { + margin-top: 0; + margin-bottom: 1rem +} + +h1 { + letter-spacing: 1px; + text-align: center; + text-shadow: #262729 0 -1px 0; +} + +h2 { + color: #bbb; + text-shadow: #262729 0 -1px 0; + font-weight: 300; + text-align: center; +} + +input { + padding: 2px 10px; + border-radius: 10px; + border: solid 1px #555; + float: left; + margin-right: 10px; + margin-bottom: 15px; +} + +input:focus { + border: none; + outline: none; + color: #007bff; + font-weight: bold; + border-top: solid 1px #aaa; + border-right: solid 1px #e6e6e6; + border-bottom: solid 1px #e6e6e6; + border-left: solid 1px #aaa; +} + +table { + width: 100%; + margin-bottom: 10px; +} + +th { + background-color: rgba(23, 25, 28, .8); + border: solid 1px rgba(255, 255, 255, .1); + padding: 10px 10px; + text-align: center; + font-weight: bold; + color: #ddd; + width: auto; +} + +tr:hover { + background-color: #454c54; +} + +td { + padding: 10px 10px; + border: solid 1px rgba(255, 255, 255, .1); + width: auto; +} + +td.update, +td.remove, +td.type { + text-align: center; +} + +td.address { + font-family: monospace; +} + +button.add-btn, +button.update-btn, +button.cancel-btn, +button.edit-item-btn, +button.remove-item-btn { + font-size: 1.33rem; + border: 2px #ddd; + border-radius: 4px; +} + +button.save-btn, +button.export-btn, +button.import-btn, +button.restart-btn { + font-size: 0.9rem; +} + +#container.mapping-page { + margin-top: 10px; +} + +#mapping { + margin-bottom: 20px; +} + +#mapping td.update, +#mapping td.remove { + width: 130px; +} + +#mapping td.add { + width: 300px; + text-align: center; +} + +#mapping td.foot { + text-align: center; +} + +#mapping input { + width: 130px; + margin: 0; + border-radius: 5px; +} + +#mapping input.search { + width: 185px; +} \ No newline at end of file diff --git a/name-map-ui/site/restart-logstash.php b/name-map-ui/site/restart-logstash.php new file mode 100644 index 000000000..fe1bb405c --- /dev/null +++ b/name-map-ui/site/restart-logstash.php @@ -0,0 +1,6 @@ +$output"; +} +?> diff --git a/name-map-ui/site/upload.html b/name-map-ui/site/upload.html new file mode 100644 index 000000000..01bdc734a --- /dev/null +++ b/name-map-ui/site/upload.html @@ -0,0 +1,8 @@ + + +
+ Choose a file to upload: + +
+ + diff --git a/name-map-ui/site/upload.php b/name-map-ui/site/upload.php new file mode 100644 index 000000000..98f85246c --- /dev/null +++ b/name-map-ui/site/upload.php @@ -0,0 +1,57 @@ + 67108864) { + throw new RuntimeException('Exceeded filesize limit'); + } + + // check upload MIME type + $finfo = new finfo(FILEINFO_MIME_TYPE); + $fmime = $finfo->file($_FILES['upfile']['tmp_name']); + if (false === $ext = array_search($fmime, + array('json' => 'application/json', + 'txt' => 'text/plain'), + true)) { + throw new RuntimeException(sprintf('Invalid file format: "%s"', $fmime)); + } + + // give file unique name based on sha + $ftmpname = $_FILES['upfile']['tmp_name']; + $fdstname = sprintf('./upload/%s.%s', + sha1_file($_FILES['upfile']['tmp_name']), + $ext); + if (!move_uploaded_file($ftmpname, $fdstname)) { + throw new RuntimeException(sprintf('Failed to move uploaded file ("%s" -> "%s")', $ftmpname, $fdstname)); + } + + echo 'Success'; + +} catch (RuntimeException $e) { + error_log ($e->getMessage()); + echo $e->getMessage(); +} + +?> \ No newline at end of file diff --git a/net-map.json b/net-map.json new file mode 100644 index 000000000..0637a088a --- /dev/null +++ b/net-map.json @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/nginx/certs/.gitignore b/nginx/certs/.gitignore new file mode 100644 index 000000000..a5baada18 --- /dev/null +++ b/nginx/certs/.gitignore @@ -0,0 +1,3 @@ +* +!.gitignore + diff --git a/nginx/certs/gen_self_signed_certs.sh b/nginx/certs/gen_self_signed_certs.sh deleted file mode 100755 index 7d5988009..000000000 --- a/nginx/certs/gen_self_signed_certs.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - - -# one may wish to consider not using self-signed certificates in production -openssl dhparam -out dhparam.pem 2048 -openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 3650 diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 9be5cf675..8c1c0e25f 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. daemon off; @@ -10,14 +10,21 @@ http { include /etc/nginx/mime.types; sendfile on; + client_max_body_size 20m; - fastcgi_buffers 16 16k; - fastcgi_buffer_size 32k; - fastcgi_read_timeout 600; - proxy_read_timeout 600; - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; + + fastcgi_buffers 16 64k; + fastcgi_buffer_size 256k; + fastcgi_read_timeout 300s; + fastcgi_busy_buffers_size 384k; + fastcgi_request_buffering off; + + proxy_connect_timeout 180s; + proxy_read_timeout 300s; + proxy_send_timeout 300s; + proxy_buffer_size 512k; + proxy_buffers 16 4m; + proxy_busy_buffers_size 16m; # if LDAP authentication is enabled, this will configure the ldap_server section include /etc/nginx/nginx_ldap_rt.conf; @@ -58,6 +65,10 @@ http { server logstash:9600; } + upstream docker-name-map-ui { + server name-map-ui:8080; + } + # htadmin (htpasswd/user management) server { listen 488 ssl; @@ -89,9 +100,23 @@ http { # Malcolm file upload location /upload { - proxy_pass http://docker-upload; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_pass http://docker-upload/; + proxy_redirect off; + proxy_set_header Host upload.malcolm.local; + proxy_request_buffering off; + proxy_buffering off; + client_max_body_size 20G; + } + location /server/php { + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_pass http://docker-upload/server/php/; proxy_redirect off; proxy_set_header Host upload.malcolm.local; + proxy_request_buffering off; + proxy_buffering off; client_max_body_size 20G; } @@ -131,7 +156,6 @@ http { proxy_set_header Host kibana.malcolm.local; } - # already prepended /kibana to match the server.basePath in kibana's YML config file location /kibana { proxy_pass http://docker-kibana; @@ -146,6 +170,21 @@ http { proxy_set_header Host kibana.malcolm.local; } + # offline region maps for kibana + location /world.geojson { + proxy_pass http://docker-kibana-maps; + proxy_redirect off; + proxy_set_header Host kibana.malcolm.local; + } + + # name-map-ui (UI for mapping names to network hosts and subnets) + location /name-map-ui { + proxy_pass http://docker-name-map-ui/; + proxy_redirect off; + proxy_set_header Host name-map-ui.malcolm.local; + proxy_cache off; + } + location = /favicon.ico { alias /etc/nginx/favicon.ico; } @@ -188,9 +227,13 @@ http { } location / { + proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://docker-upload; proxy_redirect off; proxy_set_header Host upload.malcolm.local; + proxy_request_buffering off; + proxy_buffering off; client_max_body_size 20G; } } @@ -224,21 +267,6 @@ http { } } - # Kibana offline map server - server { - listen 28991; - - location = /favicon.ico { - alias /etc/nginx/favicon.ico; - } - - location / { - proxy_pass http://docker-kibana-maps; - proxy_redirect off; - proxy_set_header Host kibana.malcolm.local; - } - } - # Elasticsearch API server { listen 9200 ssl; diff --git a/nginx/supervisord.conf b/nginx/supervisord.conf index 784ce2b32..0382d9163 100644 --- a/nginx/supervisord.conf +++ b/nginx/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) @@ -26,15 +26,29 @@ stdout_logfile=/dev/fd/1 stdout_logfile_maxbytes=0 redirect_stderr=true -[program:dockergen] -command=/usr/local/bin/docker-gen -watch -notify "nginx -s reload" /etc/nginx/nginx.tmpl /etc/nginx/conf.d/default.conf -startsecs=5 +[program:logaccess] +command=/usr/bin/tail -F /var/log/nginx/access.log +startsecs=10 startretries=2000000000 stopasgroup=true killasgroup=true stdout_logfile=/dev/fd/1 stdout_logfile_maxbytes=0 -redirect_stderr=true +stderr_logfile=/dev/null +stdout_logfile_maxbytes=0 +redirect_stderr=false + +[program:logerrors] +command=/usr/bin/tail -F /var/log/nginx/error.log +startsecs=10 +startretries=2000000000 +stopasgroup=true +killasgroup=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/null +stdout_logfile_maxbytes=0 +redirect_stderr=false [program:stunnel] command=/usr/bin/stunnel /etc/stunnel/stunnel.conf diff --git a/pcap-capture/scripts/netsniff-roll.sh b/pcap-capture/scripts/netsniff-roll.sh index 0290b5851..3ebd50281 100755 --- a/pcap-capture/scripts/netsniff-roll.sh +++ b/pcap-capture/scripts/netsniff-roll.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. lastmod(){ expr $(date +%s) - $(stat -c %X "$1") diff --git a/pcap-capture/scripts/supervisor.sh b/pcap-capture/scripts/supervisor.sh index 8070480c0..c17490f1e 100755 --- a/pcap-capture/scripts/supervisor.sh +++ b/pcap-capture/scripts/supervisor.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/pcap-capture/supervisord.conf b/pcap-capture/supervisord.conf index c42ea2300..e779e8b99 100644 --- a/pcap-capture/supervisord.conf +++ b/pcap-capture/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) diff --git a/pcap-capture/templates/tcpdump.template b/pcap-capture/templates/tcpdump.template index 819a5630d..aa9f7c3d3 100644 --- a/pcap-capture/templates/tcpdump.template +++ b/pcap-capture/templates/tcpdump.template @@ -1,5 +1,5 @@ [program:tcpdump-$IFACE] -command=/usr/sbin/tcpdump -i "$IFACE" -s %(ENV_PCAP_SNAPLEN)s -w "tcpdump-$IFACE_%(ENV_PCAP_TCPDUMP_FILENAME_PATTERN)s.pcap" -G %(ENV_PCAP_ROTATE_SECONDS)s -C %(ENV_PCAP_ROTATE_MEGABYTES)s -K -n "%(ENV_PCAP_FILTER)s" +command=/usr/sbin/tcpdump -i "$IFACE" -s %(ENV_PCAP_SNAPLEN)s -w "tcpdump-$IFACE_%(ENV_PCAP_TCPDUMP_FILENAME_PATTERN)s" -G %(ENV_PCAP_ROTATE_SECONDS)s -C %(ENV_PCAP_ROTATE_MEGABYTES)s -K -n "%(ENV_PCAP_FILTER)s" startsecs=5 startretries=3 stopasgroup=true diff --git a/pcap-monitor/scripts/watch-pcap-uploads-folder.sh b/pcap-monitor/scripts/watch-pcap-uploads-folder.sh index f8eae211e..e751eef22 100755 --- a/pcap-monitor/scripts/watch-pcap-uploads-folder.sh +++ b/pcap-monitor/scripts/watch-pcap-uploads-folder.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. PCAP_BASE_PATH=${PCAP_PATH:-"/pcap"} ZEEK_BASE_PATH=${ZEEK_PATH:-"/zeek"} diff --git a/pcap-monitor/supervisord.conf b/pcap-monitor/supervisord.conf index 15112edc6..50a95152c 100644 --- a/pcap-monitor/supervisord.conf +++ b/pcap-monitor/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) diff --git a/scripts/auth_setup b/scripts/auth_setup new file mode 120000 index 000000000..c910cf9d6 --- /dev/null +++ b/scripts/auth_setup @@ -0,0 +1 @@ +./control.py \ No newline at end of file diff --git a/scripts/auth_setup.sh b/scripts/auth_setup.sh deleted file mode 100755 index a8a47d3cb..000000000 --- a/scripts/auth_setup.sh +++ /dev/null @@ -1,207 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -if [ -z "$BASH_VERSION" ]; then - echo "Wrong interpreter, please run \"$0\" with bash" - exit 1 -fi - -set -e - -if docker version >/dev/null 2>&1; then - DOCKER_BIN=docker -elif grep -q Microsoft /proc/version && docker.exe version >/dev/null 2>&1; then - DOCKER_BIN=docker.exe -fi - -if [ "$1" ]; then - CONFIG_FILE="$1" -else - CONFIG_FILE="docker-compose.yml" -fi - -# force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi -SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" -pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 - -USERNAME="" -PASSWORD="" -PASSWORD_CONFIRM="" - -read -p "Administrator username: " USERNAME -while true; do - read -s -p "${USERNAME} password: " PASSWORD - echo - read -s -p "${USERNAME} password (again): " PASSWORD_CONFIRM - echo - [ "$PASSWORD" = "$PASSWORD_CONFIRM" ] && break - echo "Passwords do not match" -done -PASSWORD_ENCRYPTED="$(echo $PASSWORD | openssl passwd -1 -stdin)" - -# get previous admin username to remove from htpasswd file if it's changed -unset USERNAME_PREVIOUS -[[ -r auth.env ]] && source auth.env && USERNAME_PREVIOUS="$MALCOLM_USERNAME" - -cat < auth.env -# Malcolm Administrator username and encrypted password for nginx reverse proxy (and upload server's SFTP access) -MALCOLM_USERNAME=$USERNAME -MALCOLM_PASSWORD=$PASSWORD_ENCRYPTED -EOF -chmod 600 ./auth.env - -pushd ./nginx/ >/dev/null 2>&1 -# create or update the htpasswd file -[[ ! -f ./htpasswd ]] && HTPASSWD_CREATE_FLAG="-c" || HTPASSWD_CREATE_FLAG="" -htpasswd -b $HTPASSWD_CREATE_FLAG -B ./htpasswd "$USERNAME" "$PASSWORD" >/dev/null 2>&1 - -# if the admininstrator username has changed, remove the previous administrator username from htpasswd -[[ -n "$USERNAME_PREVIOUS" ]] && [ "$USERNAME" != "$USERNAME_PREVIOUS" ] && sed -i "/^$USERNAME_PREVIOUS:/d" ./htpasswd - -source ../.ldap_config_defaults 2>/dev/null || true -LDAP_DEFAULT_PROTO=${LDAP_PROTO:-"ldap://"} -LDAP_DEFAULT_HOST=${LDAP_HOST:-"ds.example.com"} -LDAP_DEFAULT_PORT=${LDAP_PORT:-"3268"} -LDAP_DEFAULT_SERVER_TYPE=${LDAP_SERVER_TYPE:-"winldap"} -if [[ "$LDAP_DEFAULT_SERVER_TYPE" = 'openldap' ]]; then - LDAP_DEFAULT_URI='DC=example,DC=com?uid?sub?(objectClass=posixAccount)' - LDAP_DEFAULT_GROUP_ATTR=memberuid -else - LDAP_DEFAULT_URI='DC=example,DC=com?sAMAccountName?sub?(objectClass=person)' - LDAP_DEFAULT_GROUP_ATTR=member -fi - -[[ ! -f nginx_ldap.conf ]] && cat < nginx_ldap.conf -# This is a sample configuration for the ldap_server section of nginx.conf. -# Yours will vary depending on how your Active Directory/LDAP server is configured. -# See https://github.com/kvspb/nginx-auth-ldap#available-config-parameters for options. - -ldap_server ad_server { - url "${LDAP_DEFAULT_PROTO}${LDAP_DEFAULT_HOST}:${LDAP_DEFAULT_PORT}/${LDAP_DEFAULT_URI}"; - - binddn "bind_dn"; - binddn_passwd "bind_dn_password"; - - group_attribute ${LDAP_DEFAULT_GROUP_ATTR}; - group_attribute_is_dn on; - require group "CN=malcolm,OU=groups,DC=example,DC=com"; - require valid_user; - satisfy all; -} - -auth_ldap_cache_enabled on; -auth_ldap_cache_expiration_time 10000; -auth_ldap_cache_size 1000; -EOF - -popd >/dev/null 2>&1 - -pushd ./htadmin/ >/dev/null 2>&1 -cat < config.ini -; HTAdmin config file. - -[application] -; Change this to customize your title: -app_title = Malcolm User Management - -; htpasswd file -secure_path = ./config/htpasswd -; metadata file -metadata_path = ./config/metadata - -; administrator user/password (htpasswd -b -c -B ...) -admin_user = $USERNAME - -; username field quality checks -; -min_username_len = 4 -max_username_len = 12 - -; Password field quality checks -; -min_password_len = 6 -max_password_len = 20 - -EOF -touch metadata -popd >/dev/null 2>&1 - -if [[ ! -f ./elastalert/config/smtp-auth.yaml ]]; then - # create a sample smtp-auth.yaml for if/when we want to do elastalert email - pushd ./elastalert/config/ >/dev/null 2>&1 - cat < smtp-auth.yaml -user: "user@gmail.com" -password: "abcdefg1234567" -EOF - chmod 600 ./smtp-auth.yaml - popd >/dev/null 2>&1 -fi - -unset CONFIRMATION -echo "" -read -p "(Re)generate self-signed certificates for HTTPS access [Y/n]? " CONFIRMATION -CONFIRMATION=${CONFIRMATION:-Y} -if [[ $CONFIRMATION =~ ^[Yy]$ ]]; then - pushd ./nginx/certs >/dev/null 2>&1 - rm -f *.pem - /bin/bash ./gen_self_signed_certs.sh >/dev/null 2>&1 - popd >/dev/null 2>&1 -fi - -unset CONFIRMATION -echo "" -read -p "(Re)generate self-signed certificates for a remote log forwarder [Y/n]? " CONFIRMATION -CONFIRMATION=${CONFIRMATION:-Y} -if [[ $CONFIRMATION =~ ^[Yy]$ ]]; then - pushd ./logstash/certs/ >/dev/null 2>&1 - make clean >/dev/null 2>&1 - make >/dev/null 2>&1 - mkdir -p ../../filebeat/certs - rm -f ../../filebeat/certs/* - cp ca.crt ../../filebeat/certs - mv client.key client.crt ../../filebeat/certs - rm -f *.srl *.csr *.pem - popd >/dev/null 2>&1 -fi - -unset CONFIRMATION -echo "" -read -p "Store username/password for forwarding Logstash events to a secondary, external Elasticsearch instance [y/N]? " CONFIRMATION -CONFIRMATION=${CONFIRMATION:-N} -if [[ $CONFIRMATION =~ ^[Yy]$ ]]; then - - EXT_USERNAME="" - EXT_PASSWORD="" - EXT_PASSWORD_CONFIRM="" - read -p "External Elasticsearch username: " EXT_USERNAME - while true; do - read -s -p "${EXT_USERNAME} password: " EXT_PASSWORD - echo - read -s -p "${EXT_USERNAME} password (again): " EXT_PASSWORD_CONFIRM - echo - [ "$EXT_PASSWORD" = "$EXT_PASSWORD_CONFIRM" ] && break - echo "Passwords do not match" - done - echo - - pushd ./logstash/certs/ >/dev/null 2>&1 - rm -f ./logstash.keystore - $DOCKER_BIN run --rm --entrypoint /bin/bash \ - -v "$(pwd)":/usr/share/logstash/config:rw \ - -w /usr/share/logstash/config \ - -u logstash \ - -e EXT_USERNAME="$EXT_USERNAME" \ - -e EXT_PASSWORD="$EXT_PASSWORD" \ - "$(grep "image: malcolmnetsec/logstash" ../../"$CONFIG_FILE" | awk '{print $2}')" \ - /usr/local/bin/set_es_external_keystore.sh - popd >/dev/null 2>&1 -fi - -popd >/dev/null 2>&1 diff --git a/scripts/build.sh b/scripts/build.sh index 093878601..044bc5472 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -1,16 +1,24 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$BASH_VERSION" ]; then echo "Wrong interpreter, please run \"$0\" with bash" exit 1 fi +[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath +[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname +[[ "$(uname -s)" = 'Darwin' ]] && GREP=ggrep || GREP=grep +if ! (type "$REALPATH" && type "$DIRNAME" && type "$GREP") > /dev/null; then + echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME and $GREP" + exit 1 +fi + if docker-compose version >/dev/null 2>&1; then DOCKER_COMPOSE_BIN=docker-compose DOCKER_BIN=docker -elif grep -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then +elif $GREP -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then DOCKER_COMPOSE_BIN=docker-compose.exe DOCKER_BIN=docker.exe fi @@ -26,17 +34,11 @@ fi function filesize_in_image() { FILESPEC="$2" - IMAGE="$(grep -P "^\s+image:.*$1" docker-compose-standalone.yml | awk '{print $2}')" + IMAGE="$($GREP -P "^\s+image:.*$1" docker-compose-standalone.yml | awk '{print $2}')" $DOCKER_BIN run --rm --entrypoint /bin/sh "$IMAGE" -c "stat --printf='%s' \"$FILESPEC\"" } # force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 @@ -59,7 +61,7 @@ read -p "Malcolm Docker images will now be built and/or pulled, force full clean CONFIRMATION=${CONFIRMATION:-N} BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" -MALCOLM_VERSION="$(grep -P "^\s+image:\s*malcolm" "$CONFIG_FILE" | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" +MALCOLM_VERSION="$($GREP -P "^\s+image:\s*malcolm" "$CONFIG_FILE" | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" VCS_REVISION="$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" # MaxMind now requires a (free) license key to download the free versions of their GeoIP databases. @@ -68,7 +70,7 @@ if [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]; then MAXMIND_API_KEY="$MAXMIND_GEOIP_DB_LICENSE_KEY" else # but default to what they have saved in the docker-compose YML file - MAXMIND_API_KEY="$(grep -P "^\s*MAXMIND_GEOIP_DB_LICENSE_KEY\s*:\s" "$CONFIG_FILE" | cut -d: -f2 | tr -d '[:space:]'\'\" | head -n 1)" + MAXMIND_API_KEY="$($GREP -P "^\s*MAXMIND_GEOIP_DB_LICENSE_KEY\s*:\s" "$CONFIG_FILE" | cut -d: -f2 | tr -d '[:space:]'\'\" | head -n 1)" fi if [[ $CONFIRMATION =~ ^[Yy] ]]; then diff --git a/scripts/control.py b/scripts/control.py new file mode 100755 index 000000000..d52eb7ce1 --- /dev/null +++ b/scripts/control.py @@ -0,0 +1,589 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +from __future__ import print_function + +import argparse +import errno +import glob +import os +import platform +import re +import shutil +import stat +import sys + +from malcolm_common import * +from collections import defaultdict, namedtuple +from subprocess import (PIPE, STDOUT, Popen, check_call, CalledProcessError) + +################################################################################################### +ScriptName = os.path.basename(__file__) + +PY3 = (sys.version_info.major >= 3) +pyPlatform = platform.system() + +args = None +dockerBin = None +dockerComposeBin = None +opensslBin = None + +################################################################################################### +try: + FileNotFoundError +except NameError: + FileNotFoundError = IOError + +try: + from colorama import init as ColoramaInit, Fore, Back, Style + ColoramaInit() + coloramaImported = True +except: + coloramaImported = False + +################################################################################################### +def logs(): + global args + global dockerBin + global dockerComposeBin + + # noisy logs (a lot of it is NGINX logs from health checks) + ignoreRegEx = re.compile(r""" + .+( + deprecated + | elastalert-server:\s+Routes: + | eshealth + | update_mapping + | throttling\s+index + | but\s+there\s+are\s+no\s+living\s+connections + | saved_objects + | \b(d|es)?stats\.json + | /_ns_/nstest\.html + | esindices/list + | _cat/indices + | use_field_mapping + | reaped\s+unknown\s+pid + | Successfully\s+handled\s+GET\s+request\s+for\s+'/' + | GET\s+/(_cat/health|api/status|sessions2-).+HTTP/[\d\.].+\b200\b + | POST\s+/(d?stats/d?stat|_bulk|fields/field/_search).+HTTP/[\d\.].+\b20[01]\b + | POST\s+HTTP/[\d\.].+\b200\b + | POST\s+/server/php/\s+HTTP/\d+\.\d+"\s+\d+\s+\d+.*:8443/ + | curl.+localhost.+GET\s+/api/status\s+200 + | \b1.+GET\s+/\s+.+401.+curl + ) + """, re.VERBOSE | re.IGNORECASE) + + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'ps'], debug=args.debug) + print("\n".join(out)) + + process = Popen([dockerComposeBin, '-f', args.composeFile, 'logs', '-f'], stdout=PIPE) + while True: + output = process.stdout.readline() + if (len(output) == 0) and (process.poll() is not None): + break + if output: + outputStr = output.decode().strip() + outputStrEscaped = EscapeAnsi(outputStr) + if not ignoreRegEx.match(outputStrEscaped): + print(outputStr if coloramaImported else outputStrEscaped) + else: + pass + # print('!!!!!!!: {}'.format(outputStr)) + else: + time.sleep(0.5) + process.poll() + +################################################################################################### +def stop(wipe=False): + global args + global dockerBin + global dockerComposeBin + + if wipe: + # attempt to DELETE _template/zeek_template in Elasticsearch + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'exec', 'moloch', 'bash', '-c', 'curl -fs --output /dev/null -H"Content-Type: application/json" -XDELETE "http://$ES_HOST:$ES_PORT/_template/zeek_template"'], debug=args.debug) + + # if stop.sh is being called with wipe.sh (after the docker-compose file) + # then also remove named and anonymous volumes (not external volumes, of course) + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'down', '--volumes'][:5 if wipe else -1], debug=args.debug) + if (err == 0): + eprint("Stopped Malcolm\n") + else: + eprint("Malcolm failed to stop\n") + eprint("\n".join(out)) + exit(err) + + if wipe: + # delete elasticsearch database + shutil.rmtree(os.path.join(MalcolmPath, 'elasticsearch/nodes'), ignore_errors=True) + + # delete data files (backups, zeek logs, moloch logs, PCAP files, captured PCAP files) + for dataDir in ['elasticsearch-backup', 'zeek-logs', 'moloch-logs', 'pcap', 'moloch-raw']: + for root, dirnames, filenames in os.walk(os.path.join(MalcolmPath, dataDir), topdown=True, onerror=None): + for file in filenames: + fileSpec = os.path.join(root, file) + if (os.path.isfile(fileSpec) or os.path.islink(fileSpec)) and (not file.startswith('.git')): + try: + os.remove(fileSpec) + except: + pass + + # clean up empty directories + for dataDir in [os.path.join('elasticsearch-backup', 'logs'), os.path.join('zeek-logs', 'processed'), os.path.join('zeek-logs', 'current')]: + RemoveEmptyFolders(dataDir, removeRoot=False) + + eprint("Malcolm has been stopped and its data cleared\n") + +################################################################################################### +def start(): + global args + global dockerBin + global dockerComposeBin + + # make sure the auth files exist. if we are in an interactive shell and we're + # missing any of the auth files, prompt to create them now + if sys.__stdin__.isatty() and (not MalcolmAuthFilesExist()): + check_call(['bash', os.path.join(ScriptPath, 'auth_setup')]) + + # still missing? sorry charlie + if (not MalcolmAuthFilesExist()): + raise Exception('Malcolm administrator account authentication files are missing, please run ./scripts/auth_setup to generate them') + + # touch the metadata file + open(os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')), 'a').close() + + smtpAuthFile = os.path.join(MalcolmPath, os.path.join('elastalert', os.path.join('config', 'smtp-auth.yaml'))) + if (not os.path.isfile(smtpAuthFile)): + # create a sample smtp-auth.yaml for if/when we want to do elastalert email + with open(smtpAuthFile, 'w') as f: + f.write('user: "user@gmail.com"\n') + f.write('password: "abcdefg1234567"\n') + os.chmod(smtpAuthFile, stat.S_IRUSR | stat.S_IWUSR) + + # make sure permissions are set correctly for the nginx worker processes + for authFile in [os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')), + os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')), + os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini')), + os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata'))]: + # chmod 644 authFile + os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) + + # make sure some directories exist before we start + for path in [os.path.join(MalcolmPath, 'elasticsearch'), + os.path.join(MalcolmPath, 'elasticsearch-backup'), + os.path.join(MalcolmPath, os.path.join('pcap', 'upload')), + os.path.join(MalcolmPath, os.path.join('pcap', 'processed')), + os.path.join(MalcolmPath, os.path.join('zeek-logs', 'current')), + os.path.join(MalcolmPath, os.path.join('zeek-logs', 'upload')), + os.path.join(MalcolmPath, os.path.join('zeek-logs', 'processed')), + os.path.join(MalcolmPath, os.path.join('zeek-logs', 'extract_files'))]: + try: + os.makedirs(path) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(path): + pass + else: + raise + + # start docker + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'up', '--detach'], debug=args.debug) + if (err == 0): + eprint("Started Malcolm\n\n") + eprint("In a few minutes, Malcolm services will be accessible via the following URLs:") + eprint("------------------------------------------------------------------------------") + eprint(" - Moloch: https://localhost/") + eprint(" - Kibana: https://localhost/kibana/") + eprint(" - PCAP upload (web): https://localhost/upload/") + eprint(" - PCAP upload (sftp): sftp://username@127.0.0.1:8022/files/") + eprint(" - Host and subnet name mapping editor: https://localhost/name-map-ui/\n") + eprint(" - Account management: https://localhost:488/\n") + else: + eprint("Malcolm failed to start\n") + eprint("\n".join(out)) + exit(err) + +################################################################################################### +def authSetup(wipe=False): + global args + global dockerBin + global dockerComposeBin + global opensslBin + + # prompt usernamd and password + usernamePrevious = None + password = None + passwordConfirm = None + passwordEncrypted = '' + username = AskForString("Administrator username") + + while True: + password = AskForPassword("{} password: ".format(username)) + passwordConfirm = AskForPassword("{} password (again): ".format(username)) + if (password == passwordConfirm): + break + eprint("Passwords do not match") + + # get previous admin username to remove from htpasswd file if it's changed + authEnvFile = os.path.join(MalcolmPath, 'auth.env') + if os.path.isfile(authEnvFile): + prevAuthInfo = defaultdict(str) + with open(authEnvFile, 'r') as f: + for line in f: + try: + k, v = line.rstrip().split("=") + prevAuthInfo[k] = v.strip('"') + except: + pass + if (len(prevAuthInfo['MALCOLM_USERNAME']) > 0): + usernamePrevious = prevAuthInfo['MALCOLM_USERNAME'] + + # get openssl hash of password + err, out = run_process([opensslBin, 'passwd', '-1', '-stdin'], stdin=password, stderr=False, debug=args.debug) + if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): + passwordEncrypted = out[0] + else: + raise Exception('Unable to generate password hash with openssl') + + # write auth.env (used by htadmin and file-upload containers) + with open(authEnvFile, 'w') as f: + f.write("# Malcolm Administrator username and encrypted password for nginx reverse proxy (and upload server's SFTP access)\n") + f.write('MALCOLM_USERNAME={}\n'.format(username)) + f.write('MALCOLM_PASSWORD={}\n'.format(passwordEncrypted)) + os.chmod(authEnvFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) + + # create or update the htpasswd file + htpasswdFile = os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')) + htpasswdCmd = ['htpasswd', + '-i', + '-B', + htpasswdFile, + username] + if not os.path.isfile(htpasswdFile): + htpasswdCmd.insert(1, '-c') + err, out = run_process(htpasswdCmd, stdin=password, stderr=True, debug=args.debug) + if (err != 0): + raise Exception('Unable to generate htpasswd file: {}'.format(out)) + + # if the admininstrator username has changed, remove the previous administrator username from htpasswd + if (usernamePrevious is not None) and (usernamePrevious != username): + htpasswdLines = list() + with open(htpasswdFile, 'r') as f: + htpasswdLines = f.readlines() + with open(htpasswdFile, 'w') as f: + for line in htpasswdLines: + if not line.startswith("{}:".format(usernamePrevious)): + f.write(line) + + # configure default LDAP stuff (they'll have to edit it by hand later) + ldapConfFile = os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')) + if not os.path.isfile(ldapConfFile): + ldapDefaults = defaultdict(str) + if os.path.isfile(os.path.join(MalcolmPath, '.ldap_config_defaults')): + ldapDefaults = defaultdict(str) + with open(os.path.join(MalcolmPath, '.ldap_config_defaults'), 'r') as f: + for line in f: + try: + k, v = line.rstrip().split("=") + ldapDefaults[k] = v.strip('"') + except: + pass + ldapProto = ldapDefaults.get("LDAP_PROTO", "ldap://") + ldapHost = ldapDefaults.get("LDAP_HOST", "ds.example.com") + ldapPort = ldapDefaults.get("LDAP_PORT", "3268") + ldapType = ldapDefaults.get("LDAP_SERVER_TYPE", "winldap") + if (ldapType == "openldap"): + ldapUri = 'DC=example,DC=com?uid?sub?(objectClass=posixAccount)' + ldapGroupAttr = "memberuid" + else: + ldapUri = 'DC=example,DC=com?sAMAccountName?sub?(objectClass=person)' + ldapGroupAttr = "member" + with open(ldapConfFile, 'w') as f: + f.write('# This is a sample configuration for the ldap_server section of nginx.conf.\n') + f.write('# Yours will vary depending on how your Active Directory/LDAP server is configured.\n') + f.write('# See https://github.com/kvspb/nginx-auth-ldap#available-config-parameters for options.\n\n') + f.write('ldap_server ad_server {\n') + f.write(' url "{}{}:{}/{}";\n\n'.format(ldapProto, ldapHost, ldapPort, ldapUri)) + f.write(' binddn "bind_dn";\n') + f.write(' binddn_passwd "bind_dn_password";\n\n') + f.write(' group_attribute {};\n'.format(ldapGroupAttr)) + f.write(' group_attribute_is_dn on;\n') + f.write(' require group "CN=malcolm,OU=groups,DC=example,DC=com";\n') + f.write(' require valid_user;\n') + f.write(' satisfy all;\n') + f.write('}\n\n') + f.write('auth_ldap_cache_enabled on;\n') + f.write('auth_ldap_cache_expiration_time 10000;\n') + f.write('auth_ldap_cache_size 1000;\n') + os.chmod(ldapConfFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) + + # populate htadmin config file + with open(os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini')), 'w') as f: + f.write('; HTAdmin config file.\n\n') + f.write('[application]\n') + f.write('; Change this to customize your title:\n') + f.write('app_title = Malcolm User Management\n\n') + f.write('; htpasswd file\n') + f.write('secure_path = ./config/htpasswd\n') + f.write('; metadata file\n') + f.write('metadata_path = ./config/metadata\n\n') + f.write('; administrator user/password (htpasswd -b -c -B ...)\n') + f.write('admin_user = {}\n\n'.format(username)) + f.write('; username field quality checks\n') + f.write(';\n') + f.write('min_username_len = 4\n') + f.write('max_username_len = 12\n\n') + f.write('; Password field quality checks\n') + f.write(';\n') + f.write('min_password_len = 6\n') + f.write('max_password_len = 20\n\n') + + # touch the metadata file + open(os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')), 'a').close() + + # create a sample smtp-auth.yaml for if/when we want to do elastalert email + smtpAuthFile = os.path.join(MalcolmPath, os.path.join('elastalert', os.path.join('config', 'smtp-auth.yaml'))) + if not os.path.isfile(smtpAuthFile): + with open(smtpAuthFile, 'w') as f: + f.write('user: "user@gmail.com"\n') + f.write('password: "abcdefg1234567"\n') + os.chmod(smtpAuthFile, stat.S_IRUSR | stat.S_IWUSR) + + # generate HTTPS self-signed certificates + if YesOrNo('(Re)generate self-signed certificates for HTTPS access', default=True): + os.chdir(os.path.join(MalcolmPath, os.path.join('nginx', 'certs'))) + try: + + # remove previous files + for oldfile in glob.glob("*.pem"): + os.remove(oldfile) + + # generate dhparam ------------------------------- + err, out = run_process([opensslBin, 'dhparam', '-out', 'dhparam.pem', '2048'], stderr=True, debug=args.debug) + if (err != 0): + raise Exception('Unable to generate dhparam.pem file: {}'.format(out)) + + # generate key/cert ------------------------------- + err, out = run_process([opensslBin, 'req', '-subj', '/CN=localhost', '-x509', '-newkey', 'rsa:4096', '-nodes', '-keyout', 'key.pem', '-out', 'cert.pem', '-days', '3650'], stderr=True, debug=args.debug) + if (err != 0): + raise Exception('Unable to generate key.pem/cert.pem file(s): {}'.format(out)) + + finally: + os.chdir(MalcolmPath) + + # generate beats/logstash self-signed certificates + logstashPath = os.path.join(MalcolmPath, os.path.join('logstash', 'certs')) + filebeatPath = os.path.join(MalcolmPath, os.path.join('filebeat', 'certs')) + if YesOrNo('(Re)generate self-signed certificates for a remote log forwarder', default=True): + os.chdir(logstashPath) + try: + + # make clean to clean previous files + for pat in ['*.srl', '*.csr', '*.key', '*.crt', '*.pem']: + for oldfile in glob.glob(pat): + os.remove(oldfile) + + # ----------------------------------------------- + # generate new ca/server/client certificates/keys + # ca ------------------------------- + err, out = run_process([opensslBin, 'genrsa', '-out', 'ca.key', '2048'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate ca.key: {}'.format(out)) + + err, out = run_process([opensslBin, 'req', '-x509', '-new', '-nodes', '-key', 'ca.key', '-sha256', '-days', '9999', '-subj', '/C=US/ST=ID/O=sensor/OU=ca', '-out', 'ca.crt'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate ca.crt: {}'.format(out)) + + # server ------------------------------- + err, out = run_process([opensslBin, 'genrsa', '-out', 'server.key', '2048'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate server.key: {}'.format(out)) + + err, out = run_process([opensslBin, 'req', '-sha512', '-new', '-key', 'server.key', '-out', 'server.csr', '-config', 'server.conf'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate server.csr: {}'.format(out)) + + err, out = run_process([opensslBin, 'x509', '-days', '3650', '-req', '-sha512', '-in', 'server.csr', '-CAcreateserial', '-CA', 'ca.crt', '-CAkey', 'ca.key', '-out', 'server.crt', '-extensions', 'v3_req', '-extfile', 'server.conf'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate server.crt: {}'.format(out)) + + shutil.move("server.key", "server.key.pem") + err, out = run_process([opensslBin, 'pkcs8', '-in', 'server.key.pem', '-topk8', '-nocrypt', '-out', 'server.key'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate server.key: {}'.format(out)) + + # client ------------------------------- + err, out = run_process([opensslBin, 'genrsa', '-out', 'client.key', '2048'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate client.key: {}'.format(out)) + + err, out = run_process([opensslBin, 'req', '-sha512', '-new', '-key', 'client.key', '-out', 'client.csr', '-config', 'client.conf'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate client.csr: {}'.format(out)) + + err, out = run_process([opensslBin, 'x509', '-days', '3650', '-req', '-sha512', '-in', 'client.csr', '-CAcreateserial', '-CA', 'ca.crt', '-CAkey', 'ca.key', '-out', 'client.crt', '-extensions', 'v3_req', '-extensions', 'usr_cert', '-extfile', 'client.conf'], stderr=True, debug=args.debug) + if (err != 0): raise Exception('Unable to generate client.crt: {}'.format(out)) + # ----------------------------------------------- + + # mkdir filebeat/certs if it doesn't exist + try: + os.makedirs(filebeatPath) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(filebeatPath): + pass + else: + raise + + # remove previous files in filebeat/certs + for oldfile in glob.glob(os.path.join(filebeatPath, "*")): + os.remove(oldfile) + + # copy the ca so logstasn and filebeat both have it + shutil.copy2(os.path.join(logstashPath, "ca.crt"), filebeatPath) + + # move the client certs for filebeat + for f in ['client.key', 'client.crt']: + shutil.move(os.path.join(logstashPath, f), filebeatPath) + + # remove leftovers + for pat in ['*.srl', '*.csr', '*.pem']: + for oldfile in glob.glob(pat): + os.remove(oldfile) + + finally: + os.chdir(MalcolmPath) + + # create and populate keystore for remote + if YesOrNo('Store username/password for forwarding Logstash events to a secondary, external Elasticsearch instance', default=False): + + # prompt usernamd and password + esPassword = None + esPasswordConfirm = None + esUsername = AskForString("External Elasticsearch username") + + while True: + esPassword = AskForPassword("{} password: ".format(esUsername)) + esPasswordConfirm = AskForPassword("{} password (again): ".format(esUsername)) + if (esPassword == esPasswordConfirm): + break + eprint("Passwords do not match") + + # use the logstash image to run set_es_external_keystore to generate the keystore + + logstashImage = None + composeFileLines = list() + with open(args.composeFile, 'r') as f: + composeFileLines = [x for x in f.readlines() if 'image: malcolmnetsec/logstash' in x] + if (len(composeFileLines) > 0) and (len(composeFileLines[0]) > 0): + imageLineValues = composeFileLines[0].split() + if (len(imageLineValues) > 1): + logstashImage = imageLineValues[1] + + if logstashImage is not None: + os.chdir(logstashPath) + try: + if os.path.isfile('logstash.keystore'): + os.remove('logstash.keystore') + + dockerCmd = [dockerBin, + 'run', + '--rm', + '--entrypoint', + '/bin/bash', + '-v', '{}:/usr/share/logstash/config:rw'.format(logstashPath), + '-w', '/usr/share/logstash/config', + '-u', 'logstash', + '-e', 'EXT_USERNAME={}'.format(esUsername), + '-e', 'EXT_PASSWORD={}'.format(esPassword), + logstashImage, + '/usr/local/bin/set_es_external_keystore.sh'] + + err, out = run_process(dockerCmd, stderr=True, debug=args.debug) + if (err != 0) or not os.path.isfile('logstash.keystore'): + raise Exception('Unable to generate logstash keystore: {}'.format(out)) + + finally: + os.chdir(MalcolmPath) + else: + raise Exception('Failed to determine logstash image from {}'.format(args.composeFile)) + + +################################################################################################### +# main +def main(): + global args + global dockerBin + global dockerComposeBin + global opensslBin + + # extract arguments from the command line + # print (sys.argv[1:]); + parser = argparse.ArgumentParser(description='Malcolm control script', add_help=False, usage='{} '.format(ScriptName)) + parser.add_argument('-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output") + parser.add_argument('-f', '--file', required=False, dest='composeFile', metavar='', type=str, default='docker-compose.yml', help='docker-compose YML file') + parser.add_argument('-l', '--logs', dest='cmdLogs', type=str2bool, nargs='?', const=True, default=False, help="Tail Malcolm logs") + parser.add_argument('--start', dest='cmdStart', type=str2bool, nargs='?', const=True, default=False, help="Start Malcolm") + parser.add_argument('--restart', dest='cmdRestart', type=str2bool, nargs='?', const=True, default=False, help="Stop and restart Malcolm") + parser.add_argument('--stop', dest='cmdStop', type=str2bool, nargs='?', const=True, default=False, help="Stop Malcolm") + parser.add_argument('--wipe', dest='cmdWipe', type=str2bool, nargs='?', const=True, default=False, help="Stop Malcolm and delete all data") + parser.add_argument('--auth', dest='cmdAuthSetup', type=str2bool, nargs='?', const=True, default=False, help="Configure Malcolm authentication") + + try: + parser.error = parser.exit + args = parser.parse_args() + except SystemExit: + parser.print_help() + exit(2) + + if args.debug: + eprint(os.path.join(ScriptPath, ScriptName)) + eprint("Arguments: {}".format(sys.argv[1:])) + eprint("Arguments: {}".format(args)) + eprint("Malcolm path:", MalcolmPath) + else: + sys.tracebacklimit = 0 + + os.chdir(MalcolmPath) + + # make sure docker/docker-compose is available + dockerBin = 'docker.exe' if ((pyPlatform == PLATFORM_WINDOWS) and Which('docker.exe')) else 'docker' + dockerComposeBin = 'docker-compose.exe' if ((pyPlatform == PLATFORM_WINDOWS) and Which('docker-compose.exe')) else 'docker-compose' + err, out = run_process([dockerBin, 'info'], debug=args.debug) + if (err != 0): + raise Exception('{} requires docker, please run install.py'.format(ScriptName)) + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'version'], debug=args.debug) + if (err != 0): + raise Exception('{} requires docker-compose, please run install.py'.format(ScriptName)) + + # identify openssl binary + opensslBin = 'openssl.exe' if ((pyPlatform == PLATFORM_WINDOWS) and Which('openssl.exe')) else 'openssl' + + # if executed via a symlink, figure out what was intended via the symlink name + if os.path.islink(os.path.join(ScriptPath, ScriptName)): + if (ScriptName == "logs"): + args.cmdLogs = True + elif (ScriptName == "start"): + args.cmdStart = True + elif (ScriptName == "restart"): + args.cmdRestart = True + elif (ScriptName == "stop"): + args.cmdStop = True + elif (ScriptName == "wipe"): + args.cmdWipe = True + elif (ScriptName.startswith("auth")): + args.cmdAuthSetup = True + + # stop Malcolm (and wipe data if requestsed) + if args.cmdRestart or args.cmdStop or args.cmdWipe: + stop(wipe=args.cmdWipe) + + # configure Malcolm authentication + if args.cmdAuthSetup: + authSetup() + + # start Malcolm + if args.cmdStart or args.cmdRestart: + start() + + # tail Malcolm logs + if args.cmdStart or args.cmdRestart or args.cmdLogs: + logs() + +if __name__ == '__main__': + main() + if coloramaImported: + print(Style.RESET_ALL) + diff --git a/scripts/install.py b/scripts/install.py index c74deb4c1..7da37381a 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -1,7 +1,7 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. from __future__ import print_function @@ -22,62 +22,31 @@ import tempfile import time -from pwd import getpwuid -from subprocess import (PIPE, STDOUT, Popen, CalledProcessError) +try: + from pwd import getpwuid +except ImportError: + getpwuid = None from collections import defaultdict, namedtuple -################################################################################################### -DOCKER_COMPOSE_INSTALL_VERSION="1.24.0" +from malcolm_common import * -PLATFORM_WINDOWS = "Windows" -PLATFORM_MAC = "Darwin" -PLATFORM_LINUX = "Linux" -PLATFORM_LINUX_CENTOS = 'centos' -PLATFORM_LINUX_DEBIAN = 'debian' -PLATFORM_LINUX_FEDORA = 'fedora' -PLATFORM_LINUX_UBUNTU = 'ubuntu' +################################################################################################### +DOCKER_COMPOSE_INSTALL_VERSION="1.25.1" DEB_GPG_KEY_FINGERPRINT = '0EBFCD88' # used to verify GPG key for Docker Debian repository MAC_BREW_DOCKER_PACKAGE = 'docker-edge' MAC_BREW_DOCKER_SETTINGS = '/Users/{}/Library/Group Containers/group.com.docker/settings.json' -# URLS for figuring things out if something goes wrong -DOCKER_INSTALL_URLS = defaultdict(lambda: 'https://docs.docker.com/install/') -DOCKER_INSTALL_URLS[PLATFORM_WINDOWS] = ['https://stefanscherer.github.io/how-to-install-docker-the-chocolatey-way/', - 'https://docs.docker.com/docker-for-windows/install/'] -DOCKER_INSTALL_URLS[PLATFORM_LINUX_UBUNTU] = 'https://docs.docker.com/install/linux/docker-ce/ubuntu/' -DOCKER_INSTALL_URLS[PLATFORM_LINUX_DEBIAN] = 'https://docs.docker.com/install/linux/docker-ce/debian/' -DOCKER_INSTALL_URLS[PLATFORM_LINUX_CENTOS] = 'https://docs.docker.com/install/linux/docker-ce/centos/' -DOCKER_INSTALL_URLS[PLATFORM_LINUX_FEDORA] = 'https://docs.docker.com/install/linux/docker-ce/fedora/' -DOCKER_INSTALL_URLS[PLATFORM_MAC] = ['https://www.code2bits.com/how-to-install-docker-on-macos-using-homebrew/', - 'https://docs.docker.com/docker-for-mac/install/'] -DOCKER_COMPOSE_INSTALL_URLS = defaultdict(lambda: 'https://docs.docker.com/compose/install/') -HOMEBREW_INSTALL_URLS = defaultdict(lambda: 'https://brew.sh/') - ################################################################################################### -args = None -PY3 = (sys.version_info.major >= 3) -scriptName = os.path.basename(__file__) -scriptPath = os.path.dirname(os.path.realpath(__file__)) +ScriptName = os.path.basename(__file__) origPath = os.getcwd() ################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) +args = None +PY3 = (sys.version_info.major >= 3) ################################################################################################### -if not PY3: - if hasattr(__builtins__, 'raw_input'): input = raw_input - -# attempt to import requests, will cover failure later -try: - import requests - requestsImported = True -except ImportError: - requestsImported = False - try: FileNotFoundError except NameError: @@ -85,210 +54,15 @@ def eprint(*args, **kwargs): ################################################################################################### # get interactive user response to Y/N question -def YesOrNo(question, default=None, forceInteraction=False): +def InstallerYesOrNo(question, default=None, forceInteraction=False): global args - - if default == True: - questionStr = "\n{} (Y/n): ".format(question) - elif default == False: - questionStr = "\n{} (y/N): ".format(question) - else: - questionStr = "\n{} (y/n): ".format(question) - - if args.acceptDefaults and (default is not None) and (not forceInteraction): - reply = '' - else: - while True: - reply = str(input(questionStr)).lower().strip() - if (len(reply) > 0) or (default is not None): - break - - if (len(reply) == 0): - reply = 'y' if default else 'n' - - if reply[0] == 'y': - return True - elif reply[0] == 'n': - return False - else: - return YesOrNo(question, default=default) + return YesOrNo(question, default=default, forceInteraction=forceInteraction, acceptDefault=args.acceptDefaults) ################################################################################################### # get interactive user response -def AskForString(question, default=None, forceInteraction=False): - global args - - if args.acceptDefaults and (default is not None) and (not forceInteraction): - reply = default - else: - reply = str(input('\n{}: '.format(question))).strip() - - return reply - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - -################################################################################################### -# determine if a program/script exists and is executable in the system path -def Which(cmd): - global args - - result = any(os.access(os.path.join(path, cmd), os.X_OK) for path in os.environ["PATH"].split(os.pathsep)) - if args.debug: - eprint("Which {} returned {}".format(cmd, result)) - return result - -################################################################################################### -# nice human-readable file sizes -def SizeHumanFormat(num, suffix='B'): - for unit in ['','Ki','Mi','Gi','Ti','Pi','Ei','Zi']: - if abs(num) < 1024.0: - return "%3.1f%s%s" % (num, unit, suffix) - num /= 1024.0 - return "%.1f%s%s" % (num, 'Yi', suffix) - -################################################################################################### -# download to file -def DownloadToFile(url, local_filename): - global args - - r = requests.get(url, stream=True, allow_redirects=True) - with open(local_filename, 'wb') as f: - for chunk in r.iter_content(chunk_size=1024): - if chunk: f.write(chunk) - fExists = os.path.isfile(local_filename) - fSize = os.path.getsize(local_filename) - if args.debug: - eprint("Download of {} to {} {} ({})".format(url, local_filename, "succeeded" if fExists else "failed", SizeHumanFormat(fSize))) - return fExists and (fSize > 0) - -################################################################################################### -# run command with arguments and return its exit code, stdout, and stderr -def check_output_input(*popenargs, **kwargs): - - if 'stdout' in kwargs: - raise ValueError('stdout argument not allowed, it will be overridden') - - if 'stderr' in kwargs: - raise ValueError('stderr argument not allowed, it will be overridden') - - if 'input' in kwargs and kwargs['input']: - if 'stdin' in kwargs: - raise ValueError('stdin and input arguments may not both be used') - inputdata = kwargs['input'] - kwargs['stdin'] = PIPE - else: - inputdata = None - kwargs.pop('input', None) - - process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) - try: - output, errput = process.communicate(inputdata) - except: - process.kill() - process.wait() - raise - - retcode = process.poll() - - return retcode, output, errput - -#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -def run_process(command, stdout=True, stderr=True, stdin=None, retry=0, retrySleepSec=5, debug=False): - retcode = -1 - output = [] - - try: - # run the command - retcode, cmdout, cmderr = check_output_input(command, input=stdin.encode() if (PY3 and stdin) else stdin) - - # split the output on newlines to return a list - if PY3: - if stderr and (len(cmderr) > 0): output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) - if stdout and (len(cmdout) > 0): output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) - else: - if stderr and (len(cmderr) > 0): output.extend(cmderr.split('\n')) - if stdout and (len(cmdout) > 0): output.extend(cmdout.split('\n')) - - except (FileNotFoundError, OSError, IOError) as e: - if stderr: - output.append("Command {} not found or unable to execute".format(command)) - - if debug: - eprint("{}{} returned {}: {}".format(command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output)) - - if (retcode != 0) and retry and (retry > 0): - # sleep then retry - time.sleep(retrySleepSec) - return run_process(command, stdout, stderr, stdin, retry-1, retrySleepSec, debug) - else: - return retcode, output - -################################################################################################### -# make sure we can import requests properly and take care of it automatically if possible -def ImportRequests(): +def InstallerAskForString(question, default=None, forceInteraction=False): global args - global requestsImported - - if not requestsImported: - # see if we can help out by installing the requests module - - pyPlatform = platform.system() - pyExec = sys.executable - pipCmd = 'pip3' if PY3 else 'pip2' - if not Which(pipCmd): pipCmd = 'pip' - - eprint('{} requires the requests module under Python {} ({})'.format(scriptName, platform.python_version(), pyExec)) - - if Which(pipCmd): - if YesOrNo('Importing the requests module failed. Attempt to install via {}?'.format(pipCmd), default=True): - installCmd = None - - if (pyPlatform == PLATFORM_LINUX) or (pyPlatform == PLATFORM_MAC): - # for linux/mac, we're going to try to figure out if this python is owned by root or the script user - if (getpass.getuser() == getpwuid(os.stat(pyExec).st_uid).pw_name): - # we're running a user-owned python, regular pip should work - installCmd = [pipCmd, 'install', 'requests'] - else: - # python is owned by system, so make sure to pass the --user flag - installCmd = [pipCmd, 'install', '--user', 'requests'] - else: - # on windows (or whatever other platform this is) I don't know any other way other than pip - installCmd = [pipCmd, 'install', 'requests'] - - err, out = run_process(installCmd, debug=args.debug) - if err == 0: - eprint("Installation of requests module apparently succeeded") - try: - import requests - requestsImported = True - except ImportError as e: - eprint("Importing the requests module still failed: {}".format(e)) - else: - eprint("Installation of requests module failed: {}".format(out)) - - if not requestsImported: - eprint("System-wide installation varies by platform and Python configuration. Please consult platform-specific documentation for installing Python modules.") - if (platform.system() == PLATFORM_MAC): - eprint('You *may* be able to install pip and requests manually via: sudo sh -c "easy_install pip && pip install requests"') - elif (pyPlatform == PLATFORM_LINUX): - if Which('apt-get'): - eprint('You *may* be able to install requests manually via: sudo apt-get install {}'.format('python3-requests' if PY3 else 'python-requests')) - elif Which('apt'): - eprint('You *may* be able to install requests manually via: sudo apt install {}'.format('python3-requests' if PY3 else 'python-requests')) - elif Which('dnf'): - eprint('You *may* be able to install requests manually via: sudo dnf install {}'.format('python3-requests' if PY3 else 'python2-requests')) - elif Which('yum'): - eprint('You *may* be able to install requests manually via: sudo yum install {}'.format('python-requests')) - - return requestsImported + return AskForString(question, default=default, forceInteraction=forceInteraction, acceptDefault=args.acceptDefaults) ################################################################################################### class Installer(object): @@ -305,7 +79,7 @@ def __init__(self, debug=False): self.requiredPackages = [] self.pipCmd = 'pip3' if PY3 else 'pip2' - if not Which(self.pipCmd): self.pipCmd = 'pip' + if not Which(self.pipCmd, debug=self.debug): self.pipCmd = 'pip' self.tempDirName = tempfile.mkdtemp() @@ -363,7 +137,7 @@ def install_required_packages(self): #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ def install_docker_images(self, docker_image_file): result = False - if docker_image_file and os.path.isfile(docker_image_file) and YesOrNo('Load Malcolm Docker images from {}'.format(docker_image_file), default=True, forceInteraction=True): + if docker_image_file and os.path.isfile(docker_image_file) and InstallerYesOrNo('Load Malcolm Docker images from {}'.format(docker_image_file), default=True, forceInteraction=True): ecode, out = self.run_process(['docker', 'load', '-q', '-i', docker_image_file], privileged=True) if (ecode == 0): result = True @@ -375,12 +149,12 @@ def install_docker_images(self, docker_image_file): def install_malcolm_files(self, malcolm_install_file): result = False installPath = None - if malcolm_install_file and os.path.isfile(malcolm_install_file) and YesOrNo('Extract Malcolm runtime files from {}'.format(malcolm_install_file), default=True, forceInteraction=True): + if malcolm_install_file and os.path.isfile(malcolm_install_file) and InstallerYesOrNo('Extract Malcolm runtime files from {}'.format(malcolm_install_file), default=True, forceInteraction=True): # determine and create destination path for installation while True: defaultPath = os.path.join(origPath, 'malcolm') - installPath = AskForString('Enter installation path for Malcolm [{}]'.format(defaultPath), default=defaultPath, forceInteraction=True) + installPath = InstallerAskForString('Enter installation path for Malcolm [{}]'.format(defaultPath), default=defaultPath, forceInteraction=True) if (len(installPath) == 0): installPath = defaultPath if os.path.isdir(installPath): eprint("{} already exists, please specify a different installation path".format(installPath)) @@ -469,52 +243,52 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa esMemory = '8g' lsMemory = '3g' - while not YesOrNo('Setting {} for Elasticsearch and {} for Logstash. Is this OK?'.format(esMemory, lsMemory), default=True): - esMemory = AskForString('Enter memory for Elasticsearch (e.g., 16g, 9500m, etc.)') - lsMemory = AskForString('Enter memory for LogStash (e.g., 4g, 2500m, etc.)') + while not InstallerYesOrNo('Setting {} for Elasticsearch and {} for Logstash. Is this OK?'.format(esMemory, lsMemory), default=True): + esMemory = InstallerAskForString('Enter memory for Elasticsearch (e.g., 16g, 9500m, etc.)') + lsMemory = InstallerAskForString('Enter memory for LogStash (e.g., 4g, 2500m, etc.)') restartMode = None allowedRestartModes = ('no', 'on-failure', 'always', 'unless-stopped') - if YesOrNo('Restart Malcolm upon system or Docker daemon restart?', default=restart_mode_default): + if InstallerYesOrNo('Restart Malcolm upon system or Docker daemon restart?', default=restart_mode_default): while restartMode not in allowedRestartModes: - restartMode = AskForString('Select Malcolm restart behavior {}'.format(allowedRestartModes), default='unless-stopped') + restartMode = InstallerAskForString('Select Malcolm restart behavior {}'.format(allowedRestartModes), default='unless-stopped') else: restartMode = 'no' if (restartMode == 'no'): restartMode = '"no"' ldapStartTLS = False ldapServerType = 'winldap' - useBasicAuth = not YesOrNo('Authenticate against Lightweight Directory Access Protocol (LDAP) server?', default=False) + useBasicAuth = not InstallerYesOrNo('Authenticate against Lightweight Directory Access Protocol (LDAP) server?', default=False) if not useBasicAuth: allowedLdapModes = ('winldap', 'openldap') ldapServerType = None while ldapServerType not in allowedLdapModes: - ldapServerType = AskForString('Select LDAP server compatibility type {}'.format(allowedLdapModes), default='winldap') - ldapStartTLS = YesOrNo('Use StartTLS for LDAP connection security?', default=True) + ldapServerType = InstallerAskForString('Select LDAP server compatibility type {}'.format(allowedLdapModes), default='winldap') + ldapStartTLS = InstallerYesOrNo('Use StartTLS for LDAP connection security?', default=True) try: - with open(os.path.join(os.path.realpath(os.path.join(scriptPath, "..")), ".ldap_config_defaults"), "w") as ldapDefaultsFile: + with open(os.path.join(os.path.realpath(os.path.join(ScriptPath, "..")), ".ldap_config_defaults"), "w") as ldapDefaultsFile: print("LDAP_SERVER_TYPE='{}'".format(ldapServerType), file=ldapDefaultsFile) print("LDAP_PROTO='{}'".format('ldap://' if useBasicAuth or ldapStartTLS else 'ldaps://'), file=ldapDefaultsFile) print("LDAP_PORT='{}'".format(3268 if ldapStartTLS else 3269), file=ldapDefaultsFile) except: pass - curatorSnapshots = YesOrNo('Create daily snapshots (backups) of Elasticsearch indices?', default=False) + curatorSnapshots = InstallerYesOrNo('Create daily snapshots (backups) of Elasticsearch indices?', default=False) curatorSnapshotDir = './elasticsearch-backup' if curatorSnapshots: - if not YesOrNo('Store snapshots locally in {}?'.format(os.path.join(malcolm_install_path, 'elasticsearch-backup')), default=True): + if not InstallerYesOrNo('Store snapshots locally in {}?'.format(os.path.join(malcolm_install_path, 'elasticsearch-backup')), default=True): while True: - curatorSnapshotDir = AskForString('Enter Elasticsearch index snapshot directory') + curatorSnapshotDir = InstallerAskForString('Enter Elasticsearch index snapshot directory') if (len(curatorSnapshotDir) > 1) and os.path.isdir(curatorSnapshotDir): curatorSnapshotDir = os.path.realpath(curatorSnapshotDir) break curatorCloseUnits = 'years' curatorCloseCount = '5' - if YesOrNo('Periodically close old Elasticsearch indices?', default=False): - while not YesOrNo('Indices older than {} {} will be periodically closed. Is this OK?'.format(curatorCloseCount, curatorCloseUnits), default=True): + if InstallerYesOrNo('Periodically close old Elasticsearch indices?', default=False): + while not InstallerYesOrNo('Indices older than {} {} will be periodically closed. Is this OK?'.format(curatorCloseCount, curatorCloseUnits), default=True): while True: - curatorPeriod = AskForString('Enter index close threshold (e.g., 90 days, 2 years, etc.)').lower().split() + curatorPeriod = InstallerAskForString('Enter index close threshold (e.g., 90 days, 2 years, etc.)').lower().split() if (len(curatorPeriod) == 2) and (not curatorPeriod[1].endswith('s')): curatorPeriod[1] += 's' if ((len(curatorPeriod) == 2) and @@ -529,10 +303,10 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa curatorDeleteUnits = 'years' curatorDeleteCount = '10' - if YesOrNo('Periodically delete old Elasticsearch indices?', default=False): - while not YesOrNo('Indices older than {} {} will be periodically deleted. Is this OK?'.format(curatorDeleteCount, curatorDeleteUnits), default=True): + if InstallerYesOrNo('Periodically delete old Elasticsearch indices?', default=False): + while not InstallerYesOrNo('Indices older than {} {} will be periodically deleted. Is this OK?'.format(curatorDeleteCount, curatorDeleteUnits), default=True): while True: - curatorPeriod = AskForString('Enter index delete threshold (e.g., 90 days, 2 years, etc.)').lower().split() + curatorPeriod = InstallerAskForString('Enter index delete threshold (e.g., 90 days, 2 years, etc.)').lower().split() if (len(curatorPeriod) == 2) and (not curatorPeriod[1].endswith('s')): curatorPeriod[1] += 's' if ((len(curatorPeriod) == 2) and @@ -546,26 +320,27 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa curatorDeleteCount = '99' curatorDeleteOverGigs = '10000' - if YesOrNo('Periodically delete the oldest Elasticsearch indices when the database exceeds a certain size?', default=False): - while not YesOrNo('Indices will be deleted when the database exceeds {} gigabytes. Is this OK?'.format(curatorDeleteOverGigs), default=True): + if InstallerYesOrNo('Periodically delete the oldest Elasticsearch indices when the database exceeds a certain size?', default=False): + while not InstallerYesOrNo('Indices will be deleted when the database exceeds {} gigabytes. Is this OK?'.format(curatorDeleteOverGigs), default=True): while True: - curatorSize = AskForString('Enter index threshold in gigabytes') + curatorSize = InstallerAskForString('Enter index threshold in gigabytes') if (len(curatorSize) > 0) and curatorSize.isdigit(): curatorDeleteOverGigs = curatorSize break else: curatorDeleteOverGigs = '9000000' - autoZeek = YesOrNo('Automatically analyze all PCAP files with Zeek?', default=True) - reverseDns = YesOrNo('Perform reverse DNS lookup locally for source and destination IP addresses in Zeek logs?', default=False) - autoOui = YesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) - logstashOpen = YesOrNo('Expose Logstash port to external hosts?', default=expose_logstash_default) - logstashSsl = logstashOpen and YesOrNo('Should Logstash require SSL for Zeek logs? (Note: This requires the forwarder to be similarly configured and a corresponding copy of the client SSL files.)', default=False) - externalEsForward = YesOrNo('Forward Logstash logs to external Elasticstack instance?', default=False) + autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=True) + reverseDns = InstallerYesOrNo('Perform reverse DNS lookup locally for source and destination IP addresses in Zeek logs?', default=False) + autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) + autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=False) + logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=expose_logstash_default) + logstashSsl = logstashOpen and InstallerYesOrNo('Should Logstash require SSL for Zeek logs? (Note: This requires the forwarder to be similarly configured and a corresponding copy of the client SSL files.)', default=False) + externalEsForward = InstallerYesOrNo('Forward Logstash logs to external Elasticstack instance?', default=False) if externalEsForward: - externalEsHost = AskForString('Enter external Elasticstack host:port (e.g., 10.0.0.123:9200)') - externalEsSsl = YesOrNo('Connect to "{}" using SSL?'.format(externalEsHost), default=True) - externalEsSslVerify = externalEsSsl and YesOrNo('Require SSL certificate validation for communication with "{}"?'.format(externalEsHost), default=False) + externalEsHost = InstallerAskForString('Enter external Elasticstack host:port (e.g., 10.0.0.123:9200)') + externalEsSsl = InstallerYesOrNo('Connect to "{}" using SSL?'.format(externalEsHost), default=True) + externalEsSslVerify = externalEsSsl and InstallerYesOrNo('Require SSL certificate validation for communication with "{}"?'.format(externalEsHost), default=False) else: externalEsHost = "" externalEsSsl = False @@ -582,18 +357,18 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa clamAvScan = False clamAvUpdate = False - if YesOrNo('Enable file extraction with Zeek?', default=False): + if InstallerYesOrNo('Enable file extraction with Zeek?', default=False): while fileCarveMode not in allowedFileCarveModes: - fileCarveMode = AskForString('Select file extraction behavior {}'.format(allowedFileCarveModes), default=allowedFileCarveModes[0]) + fileCarveMode = InstallerAskForString('Select file extraction behavior {}'.format(allowedFileCarveModes), default=allowedFileCarveModes[0]) while filePreserveMode not in allowedFilePreserveModes: - filePreserveMode = AskForString('Select file preservation behavior {}'.format(allowedFilePreserveModes), default=allowedFilePreserveModes[0]) + filePreserveMode = InstallerAskForString('Select file preservation behavior {}'.format(allowedFilePreserveModes), default=allowedFilePreserveModes[0]) if fileCarveMode is not None: - if YesOrNo('Scan extracted files with ClamAV?', default=False): + if InstallerYesOrNo('Scan extracted files with ClamAV?', default=False): clamAvScan = True - clamAvUpdate = YesOrNo('Download updated ClamAV virus signatures periodically?', default=True) - elif YesOrNo('Lookup extracted file hashes with VirusTotal?', default=False): + clamAvUpdate = InstallerYesOrNo('Download updated ClamAV virus signatures periodically?', default=True) + elif InstallerYesOrNo('Lookup extracted file hashes with VirusTotal?', default=False): while (len(vtotApiKey) <= 1): - vtotApiKey = AskForString('Enter VirusTotal API key') + vtotApiKey = InstallerAskForString('Enter VirusTotal API key') if fileCarveMode not in allowedFileCarveModes: fileCarveMode = allowedFileCarveModes[0] @@ -606,12 +381,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa pcapNetSniff = False pcapTcpDump = False pcapIface = 'lo' - if YesOrNo('Should Malcolm capture network traffic to PCAP files?', default=False): + if InstallerYesOrNo('Should Malcolm capture network traffic to PCAP files?', default=False): pcapIface = '' while (len(pcapIface) <= 0): - pcapIface = AskForString('Specify capture interface(s) (comma-separated)') - pcapNetSniff = YesOrNo('Capture packets using netsniff-ng?', default=True) - pcapTcpDump = YesOrNo('Capture packets using tcpdump?', default=(not pcapNetSniff)) + pcapIface = InstallerAskForString('Specify capture interface(s) (comma-separated)') + pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) + pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=(not pcapNetSniff)) # modify specified values in-place in docker-compose files for composeFile in composeFiles: @@ -698,6 +473,9 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa elif 'LOGSTASH_OUI_LOOKUP' in line: # automatic MAC OUI lookup line = re.sub(r'(LOGSTASH_OUI_LOOKUP\s*:\s*)(\S+)', r'\g<1>{}'.format("'true'" if autoOui else "'false'"), line) + elif 'FREQ_LOOKUP' in line: + # freq.py string randomness calculations + line = re.sub(r'(FREQ_LOOKUP\s*:\s*)(\S+)', r'\g<1>{}'.format("'true'" if autoFreq else "'false'"), line) elif 'BEATS_SSL' in line: # enable/disable beats SSL line = re.sub(r'(BEATS_SSL\s*:\s*)(\S+)', r'\g<1>{}'.format("'true'" if logstashOpen and logstashSsl else "'false'"), line) @@ -758,10 +536,10 @@ def tweak_malcolm_runtime(self, malcolm_install_path, expose_logstash_default=Fa # if the Malcolm dir is owned by root, see if they want to reassign ownership to a non-root user if (((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC)) and (self.scriptUser == "root") and (getpwuid(os.stat(malcolm_install_path).st_uid).pw_uid == self.scriptUser) and - YesOrNo('Set ownership of {} to an account other than {}?'.format(malcolm_install_path, self.scriptUser), default=True, forceInteraction=True)): + InstallerYesOrNo('Set ownership of {} to an account other than {}?'.format(malcolm_install_path, self.scriptUser), default=True, forceInteraction=True)): tmpUser = '' while (len(tmpUser) == 0): - tmpUser = AskForString('Enter user account').strip() + tmpUser = InstallerAskForString('Enter user account').strip() err, out = self.run_process(['id', '-g', '-n', tmpUser], stderr=True) if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): tmpUser = "{}:{}".format(tmpUser, out[0]) @@ -782,28 +560,75 @@ def __init__(self, debug=False): else: super(LinuxInstaller, self).__init__(debug) - self.distro = "linux" + self.distro = None self.codename = None + self.release = None # determine the distro (e.g., ubuntu) and code name (e.g., bionic) if applicable - err, out = self.run_process(['lsb_release', '-is'], stderr=False) - if (err == 0) and (len(out) > 0): - self.distro = out[0].lower() + + # check /etc/os-release values first + if os.path.isfile('/etc/os-release'): + osInfo = dict() + + with open("/etc/os-release", 'r') as f: + for line in f: + try: + k, v = line.rstrip().split("=") + osInfo[k] = v.strip('"') + except: + pass + + if ('NAME' in osInfo) and (len(osInfo['NAME']) > 0): + distro = osInfo['NAME'].lower().split()[0] + + if ('VERSION_CODENAME' in osInfo) and (len(osInfo['VERSION_CODENAME']) > 0): + codename = osInfo['VERSION_CODENAME'].lower().split()[0] + + if ('VERSION_ID' in osInfo) and (len(osInfo['VERSION_ID']) > 0): + release = osInfo['VERSION_ID'].lower().split()[0] + + # try lsb_release next + if (self.distro is None): + err, out = self.run_process(['lsb_release', '-is'], stderr=False) + if (err == 0) and (len(out) > 0): + self.distro = out[0].lower() + + if (self.codename is None): err, out = self.run_process(['lsb_release', '-cs'], stderr=False) if (err == 0) and (len(out) > 0): self.codename = out[0].lower() - else: + + if (self.release is None): + err, out = self.run_process(['lsb_release', '-rs'], stderr=False) + if (err == 0) and (len(out) > 0): + self.release = out[0].lower() + + # try release-specific files + if (self.distro is None): + if os.path.isfile('/etc/centos-release'): + distroFile = '/etc/centos-release' if os.path.isfile('/etc/redhat-release'): distroFile = '/etc/redhat-release' elif os.path.isfile('/etc/issue'): distroFile = '/etc/issue' else: distroFile = None - if distroFile: + if (distroFile is not None): with open(distroFile, 'r') as f: - self.distro = f.read().lower().split()[0] + distroVals = f.read().lower().split() + distroNums = [x for x in distroVals if x[0].isdigit()] + self.distro = distroVals[0] + if (self.release is None) and (len(distroNums) > 0): + self.release = distroNums[0] + + if (self.distro is None): + self.distro = "linux" + if self.debug: - eprint("distro: {}{}".format(self.distro, " {}".format(self.codename) if self.codename else "")) + eprint("distro: {}{}{}".format(self.distro, + " {}".format(self.codename) if self.codename else "", + " {}".format(self.release) if self.release else "")) + if not self.codename: self.codename = self.distro # determine packages required by Malcolm itself (not docker, those will be done later) @@ -820,27 +645,27 @@ def __init__(self, debug=False): self.sudoCmd = ["sudo", "-n"] err, out = self.run_process(['whoami'], privileged=True) if (err != 0) or (len(out) == 0) or (out[0] != 'root'): - raise Exception('{} must be run as root, or {} must be available'.format(scriptName, self.sudoCmd)) + raise Exception('{} must be run as root, or {} must be available'.format(ScriptName, self.sudoCmd)) # determine command to use to query if a package is installed - if Which('dpkg'): + if Which('dpkg', debug=self.debug): os.environ["DEBIAN_FRONTEND"] = "noninteractive" self.checkPackageCmds.append(['dpkg', '-s']) - elif Which('rpm'): + elif Which('rpm', debug=self.debug): self.checkPackageCmds.append(['rpm', '-q']) - elif Which('dnf'): + elif Which('dnf', debug=self.debug): self.checkPackageCmds.append(['dnf', 'list', 'installed']) - elif Which('yum'): + elif Which('yum', debug=self.debug): self.checkPackageCmds.append(['yum', 'list', 'installed']) # determine command to install a package from the distro's repos - if Which('apt-get'): + if Which('apt-get', debug=self.debug): self.installPackageCmds.append(['apt-get', 'install', '-y', '-qq']) - elif Which('apt'): + elif Which('apt', debug=self.debug): self.installPackageCmds.append(['apt', 'install', '-y', '-qq']) - elif Which('dnf'): - self.installPackageCmds.append(['dnf', '-y', 'install']) - elif Which('yum'): + elif Which('dnf', debug=self.debug): + self.installPackageCmds.append(['dnf', '-y', 'install', '--nobest']) + elif Which('yum', debug=self.debug): self.installPackageCmds.append(['yum', '-y', 'install']) # determine total system memory @@ -879,9 +704,9 @@ def install_docker(self): if (err == 0): result = True - elif YesOrNo('"docker info" failed, attempt to install Docker?', default=True): + elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True): - if YesOrNo('Attempt to install Docker using official repositories?', default=True): + if InstallerYesOrNo('Attempt to install Docker using official repositories?', default=True): # install required packages for repo-based install if self.distro == PLATFORM_LINUX_UBUNTU: @@ -956,9 +781,9 @@ def install_docker(self): # the user either chose not to use the official repos, the official repo installation failed, or there are not official repos available # see if we want to attempt using the convenience script at https://get.docker.com (see https://github.com/docker/docker-install) - if not result and YesOrNo('Docker not installed via official repositories. Attempt to install Docker via convenience script (please read https://github.com/docker/docker-install)?', default=False): + if not result and InstallerYesOrNo('Docker not installed via official repositories. Attempt to install Docker via convenience script (please read https://github.com/docker/docker-install)?', default=False): tempFileName = os.path.join(self.tempDirName, 'docker-install.sh') - if DownloadToFile("https://get.docker.com/", tempFileName): + if DownloadToFile("https://get.docker.com/", tempFileName, debug=self.debug): os.chmod(tempFileName, 493) # 493 = 0o755 err, out = self.run_process(([tempFileName]), privileged=True) if (err == 0): @@ -988,8 +813,8 @@ def install_docker(self): # add non-root user to docker group if required usersToAdd = [] if self.scriptUser == 'root': - while YesOrNo('Add {} non-root user to the "docker" group?'.format('a' if len(usersToAdd) == 0 else 'another')): - tmpUser = AskForString('Enter user account') + while InstallerYesOrNo('Add {} non-root user to the "docker" group?'.format('a' if len(usersToAdd) == 0 else 'another')): + tmpUser = InstallerAskForString('Enter user account') if (len(tmpUser) > 0): usersToAdd.append(tmpUser) else: usersToAdd.append(self.scriptUser) @@ -1004,7 +829,7 @@ def install_docker(self): elif (err != 0): result = False - raise Exception('{} requires docker, please see {}'.format(scriptName, DOCKER_INSTALL_URLS[self.distro])) + raise Exception('{} requires docker, please see {}'.format(ScriptName, DOCKER_INSTALL_URLS[self.distro])) return result @@ -1013,7 +838,7 @@ def install_docker_compose(self): result = False dockerComposeCmd = 'docker-compose' - if not Which(dockerComposeCmd) and os.path.isfile('/usr/local/bin/docker-compose'): + if not Which(dockerComposeCmd, debug=self.debug) and os.path.isfile('/usr/local/bin/docker-compose'): dockerComposeCmd = '/usr/local/bin/docker-compose' # first see if docker-compose is already installed and runnable (try non-root and root) @@ -1021,9 +846,9 @@ def install_docker_compose(self): if (err != 0): err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) - if (err != 0) and YesOrNo('"docker-compose version" failed, attempt to install docker-compose?', default=True): + if (err != 0) and InstallerYesOrNo('"docker-compose version" failed, attempt to install docker-compose?', default=True): - if YesOrNo('Install docker-compose directly from docker github?', default=True): + if InstallerYesOrNo('Install docker-compose directly from docker github?', default=True): # download docker-compose from github and put it in /usr/local/bin # need to know some linux platform info @@ -1036,7 +861,7 @@ def install_docker_compose(self): # download docker-compose from github and save it to a temporary file tempFileName = os.path.join(self.tempDirName, dockerComposeCmd) dockerComposeUrl = "https://github.com/docker/compose/releases/download/{}/docker-compose-{}-{}".format(DOCKER_COMPOSE_INSTALL_VERSION, unames[0], unames[1]) - if DownloadToFile(dockerComposeUrl, tempFileName): + if DownloadToFile(dockerComposeUrl, tempFileName, debug=self.debug): os.chmod(tempFileName, 493) # 493 = 0o755, mark as executable # put docker-compose into /usr/local/bin err, out = self.run_process((['cp', '-f', tempFileName, '/usr/local/bin/docker-compose']), privileged=True) @@ -1049,7 +874,7 @@ def install_docker_compose(self): else: eprint("Downloading {} to {} failed".format(dockerComposeUrl, tempFileName)) - elif YesOrNo('Install docker-compose via pip (privileged)?', default=False): + elif InstallerYesOrNo('Install docker-compose via pip (privileged)?', default=False): # install docker-compose via pip (as root) err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=True) if (err == 0): @@ -1057,7 +882,7 @@ def install_docker_compose(self): else: eprint("Install docker-compose via pip failed with {}, {}".format(err, out)) - elif YesOrNo('Install docker-compose via pip (user)?', default=True): + elif InstallerYesOrNo('Install docker-compose via pip (user)?', default=True): # install docker-compose via pip (regular user) err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=False) if (err == 0): @@ -1076,7 +901,7 @@ def install_docker_compose(self): eprint('"docker-compose version" succeeded') else: - raise Exception('{} requires docker-compose, please see {}'.format(scriptName, DOCKER_COMPOSE_INSTALL_URLS[self.platform])) + raise Exception('{} requires docker-compose, please see {}'.format(ScriptName, DOCKER_COMPOSE_INSTALL_URLS[self.platform])) return result @@ -1147,14 +972,14 @@ def tweak_system_files(self): 'vm.dirty_ratio defines the maximum percentage of dirty system memory before committing everything', ['# maximum % of dirty system memory before committing everything', 'vm.dirty_ratio=80']), - ConfigLines(['centos'], + ConfigLines(['centos', 'core'], '/etc/systemd/system.conf.d/limits.conf', '', '/etc/systemd/system.conf.d/limits.conf increases the allowed maximums for file handles and memlocked segments', ['[Manager]', 'DefaultLimitNOFILE=65535:65535', 'DefaultLimitMEMLOCK=infinity']), - ConfigLines(['bionic', 'cosmic', 'disco', 'stretch', 'buster', 'sid', 'fedora'], + ConfigLines(['bionic', 'cosmic', 'disco', 'eoan', 'stretch', 'buster', 'sid', 'fedora'], '/etc/security/limits.d/limits.conf', '', '/etc/security/limits.d/limits.conf increases the allowed maximums for file handles and memlocked segments', @@ -1166,14 +991,14 @@ def tweak_system_files(self): for config in configLinesToAdd: if (((len(config.distros) == 0) or (self.codename in config.distros)) and - (os.path.isfile(config.filename) or YesOrNo('\n{}\n{} does not exist, create it?'.format(config.description, config.filename), default=True))): + (os.path.isfile(config.filename) or InstallerYesOrNo('\n{}\n{} does not exist, create it?'.format(config.description, config.filename), default=True))): confFileLines = [line.rstrip('\n') for line in open(config.filename)] if os.path.isfile(config.filename) else [] if ((len(confFileLines) == 0) or (not os.path.isfile(config.filename) and (len(config.prefix) == 0)) or ((len(list(filter(lambda x: x.startswith(config.prefix), confFileLines))) == 0) and - YesOrNo('\n{}\n{} appears to be missing from {}, append it?'.format(config.description, config.prefix, config.filename), default=True))): + InstallerYesOrNo('\n{}\n{} appears to be missing from {}, append it?'.format(config.description, config.prefix, config.filename), default=True))): err, out = self.run_process(['bash', '-c', "mkdir -p {} && echo -n -e '\\n{}\\n' >> '{}'".format(os.path.dirname(config.filename), "\\n".join(config.lines), @@ -1181,10 +1006,11 @@ def tweak_system_files(self): # install haveged if (not self.package_is_installed('haveged') and - YesOrNo('The "haveged" utility may help improve Malcolm startup times by providing entropy for the Linux kernel. Install haveged?', default=False)): + InstallerYesOrNo('The "haveged" utility may help improve Malcolm startup times by providing entropy for the Linux kernel. Install haveged?', default=False)): + if (self.distro == PLATFORM_LINUX_CENTOS) and (self.release is not None): + eprint("Installing EPEL repo") + self.install_package(['https://dl.fedoraproject.org/pub/epel/epel-release-latest-{}.noarch.rpm'.format(self.release.split('.')[0])]) havegedPackages = ['haveged'] - if self.distro == PLATFORM_LINUX_CENTOS: - havegedPackages.append('https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm') eprint("Installing haveged packages: {}".format(havegedPackages)) if self.install_package(havegedPackages): eprint("Installation of haveged packages apparently succeeded") @@ -1214,14 +1040,14 @@ def __init__(self, debug=False): err, out = self.run_process(['brew', 'info']) brewInstalled = (err == 0) - if brewInstalled and YesOrNo('Homebrew is installed: continue with Homebrew?', default=True): + if brewInstalled and InstallerYesOrNo('Homebrew is installed: continue with Homebrew?', default=True): self.useBrew = True else: self.useBrew = False eprint('Docker can be installed and maintained with Homebrew, or manually.') - if (not brewInstalled) and (not YesOrNo('Homebrew is not installed: continue with manual installation?', default=False)): - raise Exception('Follow the steps at {} to install Homebrew, then re-run {}'.format(HOMEBREW_INSTALL_URLS[self.platform], scriptName)) + if (not brewInstalled) and (not InstallerYesOrNo('Homebrew is not installed: continue with manual installation?', default=False)): + raise Exception('Follow the steps at {} to install Homebrew, then re-run {}'.format(HOMEBREW_INSTALL_URLS[self.platform], ScriptName)) if self.useBrew: # make sure we have brew cask @@ -1279,7 +1105,7 @@ def install_docker(self): # if docker is installed via brew, but not running, prompt them to start it eprint('{} appears to be installed via Homebrew, but "docker info" failed'.format(MAC_BREW_DOCKER_PACKAGE)) while True: - response = AskForString('Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES').lower() + response = InstallerAskForString('Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES').lower() if (response == 'yes'): break err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) @@ -1288,7 +1114,7 @@ def install_docker(self): if (err == 0): result = True - elif YesOrNo('"docker info" failed, attempt to install Docker?', default=True): + elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True): if self.useBrew: # install docker via brew cask (requires user interaction) @@ -1297,7 +1123,7 @@ def install_docker(self): if self.install_package(dockerPackages): eprint("Installation of docker packages apparently succeeded") while True: - response = AskForString('Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES').lower() + response = InstallerAskForString('Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES').lower() if (response == 'yes'): break else: @@ -1310,9 +1136,9 @@ def install_docker(self): tempFileName = os.path.join(dlDirName, 'Docker.dmg') else: tempFileName = os.path.join(self.tempDirName, 'Docker.dmg') - if DownloadToFile('https://download.docker.com/mac/edge/Docker.dmg', tempFileName): + if DownloadToFile('https://download.docker.com/mac/edge/Docker.dmg', tempFileName, debug=self.debug): while True: - response = AskForString('Installing and starting Docker the first time may require user interaction. Please open Finder and install {}, start Docker from the Applications folder, then return here and type YES'.format(tempFileName)).lower() + response = InstallerAskForString('Installing and starting Docker the first time may require user interaction. Please open Finder and install {}, start Docker from the Applications folder, then return here and type YES'.format(tempFileName)).lower() if (response == 'yes'): break @@ -1324,14 +1150,14 @@ def install_docker(self): eprint('"docker info" succeeded') elif (err != 0): - raise Exception('{} requires docker edge, please see {}'.format(scriptName, DOCKER_INSTALL_URLS[self.platform])) + raise Exception('{} requires docker edge, please see {}'.format(ScriptName, DOCKER_INSTALL_URLS[self.platform])) elif (err != 0): - raise Exception('{} requires docker edge, please see {}'.format(scriptName, DOCKER_INSTALL_URLS[self.platform])) + raise Exception('{} requires docker edge, please see {}'.format(ScriptName, DOCKER_INSTALL_URLS[self.platform])) # tweak CPU/RAM usage for Docker in Mac settingsFile = MAC_BREW_DOCKER_SETTINGS.format(self.scriptUser) - if result and os.path.isfile(settingsFile) and YesOrNo('Configure Docker resource usage in {}?'.format(settingsFile), default=True): + if result and os.path.isfile(settingsFile) and InstallerYesOrNo('Configure Docker resource usage in {}?'.format(settingsFile), default=True): # adjust CPU and RAM based on system resources if self.totalCores >= 16: @@ -1360,9 +1186,9 @@ def install_docker(self): else: newMemoryGiB = 2 - while not YesOrNo('Setting {} for CPU cores and {} GiB for RAM. Is this OK?'.format(newCpus if newCpus else "(unchanged)", newMemoryGiB if newMemoryGiB else "(unchanged)"), default=True): - newCpus = AskForString('Enter Docker CPU cores (e.g., 4, 8, 16)') - newMemoryGiB = AskForString('Enter Docker RAM MiB (e.g., 8, 16, etc.)') + while not InstallerYesOrNo('Setting {} for CPU cores and {} GiB for RAM. Is this OK?'.format(newCpus if newCpus else "(unchanged)", newMemoryGiB if newMemoryGiB else "(unchanged)"), default=True): + newCpus = InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)') + newMemoryGiB = InstallerAskForString('Enter Docker RAM MiB (e.g., 8, 16, etc.)') if newCpus or newMemoryMiB: with open(settingsFile, 'r+') as f: @@ -1393,7 +1219,7 @@ def install_docker(self): else: eprint("Restarting Docker automatically failed: {}".format(out)) while True: - response = AskForString('Please restart Docker via the system taskbar, then return here and type YES').lower() + response = InstallerAskForString('Please restart Docker via the system taskbar, then return here and type YES').lower() if (response == 'yes'): break @@ -1406,7 +1232,7 @@ def main(): # extract arguments from the command line # print (sys.argv[1:]); - parser = argparse.ArgumentParser(description='Malcolm install script', add_help=False, usage='{} '.format(scriptName)) + parser = argparse.ArgumentParser(description='Malcolm install script', add_help=False, usage='{} '.format(ScriptName)) parser.add_argument('-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output") parser.add_argument('-m', '--malcolm-file', required=False, dest='mfile', metavar='', type=str, default='', help='Malcolm .tar.gz file for installation') parser.add_argument('-i', '--image-file', required=False, dest='ifile', metavar='', type=str, default='', help='Malcolm docker images .tar.gz file for installation') @@ -1424,13 +1250,13 @@ def main(): exit(2) if args.debug: - eprint(os.path.join(scriptPath, scriptName)) + eprint(os.path.join(ScriptPath, ScriptName)) eprint("Arguments: {}".format(sys.argv[1:])) eprint("Arguments: {}".format(args)) else: sys.tracebacklimit = 0 - if not ImportRequests(): + if not ImportRequests(debug=args.debug): exit(2) # If Malcolm and images tarballs are provided, we will use them. @@ -1445,7 +1271,7 @@ def main(): # find the most recent non-image tarball, first checking in the pwd then in the script path files = list(filter(lambda x: "_images" not in x, glob.glob(os.path.join(origPath, '*.tar.gz')))) if (len(files) == 0): - files = list(filter(lambda x: "_images" not in x, glob.glob(os.path.join(scriptPath, '*.tar.gz')))) + files = list(filter(lambda x: "_images" not in x, glob.glob(os.path.join(ScriptPath, '*.tar.gz')))) files.sort(key=lambda x: os.path.getmtime(x), reverse=True) if (len(files) > 0): malcolmFile = files[0] @@ -1471,7 +1297,7 @@ def main(): elif installerPlatform == PLATFORM_MAC: installer = MacInstaller(debug=args.debug) elif installerPlatform == PLATFORM_WINDOWS: - raise Exception('{} is not yet supported on {}'.format(scriptName, installerPlatform)) + raise Exception('{} is not yet supported on {}'.format(ScriptName, installerPlatform)) installer = WindowsInstaller(debug=args.debug) success = False @@ -1483,7 +1309,7 @@ def main(): if (not args.configOnly) and hasattr(installer, 'install_docker_images'): success = installer.install_docker_images(imageFile) if args.configOnly or (args.configFile and os.path.isfile(args.configFile)): if not args.configFile: - for testPath in [origPath, scriptPath, os.path.realpath(os.path.join(scriptPath, ".."))]: + for testPath in [origPath, ScriptPath, os.path.realpath(os.path.join(ScriptPath, ".."))]: if os.path.isfile(os.path.join(testPath, "docker-compose.yml")): installPath = testPath else: diff --git a/scripts/logs b/scripts/logs new file mode 120000 index 000000000..c910cf9d6 --- /dev/null +++ b/scripts/logs @@ -0,0 +1 @@ +./control.py \ No newline at end of file diff --git a/scripts/logs.sh b/scripts/logs.sh deleted file mode 100755 index 576c9b5ff..000000000 --- a/scripts/logs.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -if [ -z "$BASH_VERSION" ]; then - echo "Wrong interpreter, please run \"$0\" with bash" - exit 1 -fi - -if docker-compose version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose -elif grep -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose.exe -fi - -# if the docker-compose config file was specified, use it, otherwise -# let docker-compose figure it out -if [ "$1" ]; then - CONFIG_FILE="$1" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN -f "$CONFIG_FILE"" -else - CONFIG_FILE="docker-compose.yml" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN" -fi - -# force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi -SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" -pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 -BASE_PATH=`pwd`; - -# tail logs -$DOCKER_COMPOSE_COMMAND ps -echo "" -IGNORE_LOG_TEXT="(deprecated|eshealth|update_mapping|throttling index|but no there are no living connections|saved_objects|\b(d|es)?stats\.json|esindices\/list|_cat\/indices|use_field_mapping|reaped unknown pid|Successfully handled GET request for '/'|GET /(_cat/health|api/status).+HTTP/[\d\.].+\b200\b|POST /(d?stats/d?stat|_bulk|fields/field/_search).+HTTP/[\d\.].+\b20[01]\b|POST HTTP/[\d\.].+\b200\b|POST\s+/server/php/\s+HTTP/\d+\.\d+\"\s+\d+\s+\d+.*:8443/|kibana.+curl.+localhost.+GET /api/status 200)" - -$DOCKER_COMPOSE_COMMAND logs -f | grep --line-buffered -Piv "$IGNORE_LOG_TEXT" - -echo "" - -popd >/dev/null 2>&1 diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh index c594f516b..a9a37868a 100755 --- a/scripts/malcolm_appliance_packager.sh +++ b/scripts/malcolm_appliance_packager.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$BASH_VERSION" ]; then echo "Wrong interpreter, please run \"$0\" with bash" @@ -80,26 +80,29 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/zeek-logs/extract_files/" mkdir $VERBOSE -p "$DESTDIR/scripts/" cp $VERBOSE ./docker-compose-standalone.yml "$DESTDIR/docker-compose.yml" - cp $VERBOSE ./docker-compose-standalone-zeek-live.yml "$DESTDIR/docker-compose-zeek-live.yml" cp $VERBOSE ./auth.env "$DESTDIR/" cp $VERBOSE ./cidr-map.txt "$DESTDIR/" cp $VERBOSE ./host-map.txt "$DESTDIR/" - cp $VERBOSE ./scripts/auth_setup.sh "$DESTDIR/scripts/" - cp $VERBOSE ./scripts/start.sh "$DESTDIR/scripts/" - cp $VERBOSE ./scripts/stop.sh "$DESTDIR/scripts/" - cp $VERBOSE ./scripts/restart.sh "$DESTDIR/scripts/" - cp $VERBOSE ./scripts/wipe.sh "$DESTDIR/scripts/" - cp $VERBOSE ./scripts/logs.sh "$DESTDIR/scripts/" + cp $VERBOSE ./net-map.json "$DESTDIR/" cp $VERBOSE ./scripts/install.py "$DESTDIR/scripts/" + cp $VERBOSE ./scripts/control.py "$DESTDIR/scripts/" + cp $VERBOSE ./scripts/malcolm_common.py "$DESTDIR/scripts/" cp $VERBOSE ./README.md "$DESTDIR/" - cp $VERBOSE ./nginx/certs/*.sh "$DESTDIR/nginx/certs/" - cp $VERBOSE ./logstash/certs/Makefile ./logstash/certs/*.conf "$DESTDIR/logstash/certs/" + cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/" cp $VERBOSE ./elastalert/config/* "$DESTDIR/elastalert/config/" cp $VERBOSE ./elastalert/rules/* "$DESTDIR/elastalert/rules/" 2>/dev/null || true cp $VERBOSE ./elastalert/sample-rules/* "$DESTDIR/elastalert/sample-rules/" 2>/dev/null || true pushd "$DESTDIR" >/dev/null 2>&1 + pushd "./scripts" >/dev/null 2>&1 + ln -s ./control.py start + ln -s ./control.py stop + ln -s ./control.py restart + ln -s ./control.py wipe + ln -s ./control.py logs + ln -s ./control.py auth_setup + popd >/dev/null 2>&1 echo "You must set an administrator username and password for Malcolm, and self-signed X.509 certificates will be generated" - ./scripts/auth_setup.sh + ./scripts/auth_setup rm -rf logstash/certs/ca.key pushd .. >/dev/null 2>&1 DESTNAME="$RUN_PATH/$(basename $DESTDIR).tar.gz" @@ -107,6 +110,7 @@ if mkdir "$DESTDIR"; then README_HTML="$RUN_PATH/$(basename $DESTDIR).README.html" docker run --rm --entrypoint /bin/bash "$(grep -E 'image: *malcolmnetsec/moloch' "$DESTDIR/docker-compose.yml" | awk '{print $2}')" -c "cat /data/moloch/doc/README.html" > "$README_HTML" || true cp $VERBOSE "$SCRIPT_PATH/install.py" "$RUN_PATH/" + cp $VERBOSE "$SCRIPT_PATH/malcolm_common.py" "$RUN_PATH/" tar -czf $VERBOSE "$DESTNAME" "./$(basename $DESTDIR)/" echo "Packaged Malcolm to \"$DESTNAME\"" echo "" @@ -130,18 +134,19 @@ if mkdir "$DESTDIR"; then echo "" | tee -a "$README" echo "To start, stop, restart, etc. Malcolm:" | tee -a "$README" echo " Use the control scripts in the \"scripts/\" directory:" | tee -a "$README" - echo " - start.sh (start Malcolm)" | tee -a "$README" - echo " - stop.sh (stop Malcolm)" | tee -a "$README" - echo " - restart.sh (restart Malcolm)" | tee -a "$README" - echo " - logs.sh (monitor Malcolm logs)" | tee -a "$README" - echo " - wipe.sh (stop Malcolm and clear its database)" | tee -a "$README" - echo " - auth_setup.sh (change authentication-related settings)" | tee -a "$README" + echo " - start (start Malcolm)" | tee -a "$README" + echo " - stop (stop Malcolm)" | tee -a "$README" + echo " - restart (restart Malcolm)" | tee -a "$README" + echo " - logs (monitor Malcolm logs)" | tee -a "$README" + echo " - wipe (stop Malcolm and clear its database)" | tee -a "$README" + echo " - auth_setup (change authentication-related settings)" | tee -a "$README" echo "" | tee -a "$README" echo "A minute or so after starting Malcolm, the following services will be accessible:" | tee -a "$README" echo " - Moloch: https://localhost/" | tee -a "$README" echo " - Kibana: https://localhost/kibana/" | tee -a "$README" - echo " - PCAP Upload (web): https://localhost/upload/" | tee -a "$README" - echo " - PCAP Upload (sftp): sftp://USERNAME@127.0.0.1:8022/files/" | tee -a "$README" + echo " - PCAP upload (web): https://localhost/upload/" | tee -a "$README" + echo " - PCAP upload (sftp): sftp://USERNAME@127.0.0.1:8022/files/" | tee -a "$README" + echo " - Host and subnet name mapping editor: https://localhost/name-map-ui/" | tee -a "$README" echo " - Account management: https://localhost:488/" | tee -a "$README" popd >/dev/null 2>&1 popd >/dev/null 2>&1 diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py new file mode 100644 index 000000000..645f69bc9 --- /dev/null +++ b/scripts/malcolm_common.py @@ -0,0 +1,315 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +from __future__ import print_function + +import getpass +import os +import platform +import re +import sys +import time + +from collections import defaultdict +try: + from pwd import getpwuid +except ImportError: + getpwuid = None +from subprocess import (PIPE, STDOUT, Popen, CalledProcessError) + +################################################################################################### +ScriptPath = os.path.dirname(os.path.realpath(__file__)) +MalcolmPath = os.path.abspath(os.path.join(ScriptPath, os.pardir)) + +################################################################################################### +# python 2/3 portability + +PY3 = (sys.version_info.major >= 3) + +# bind raw_input to input in older versions of python +try: + input = raw_input +except NameError: + pass + +# attempt to import requests, will cover failure later +try: + import requests + RequestsImported = True +except ImportError: + RequestsImported = False + +try: + FileNotFoundError +except NameError: + FileNotFoundError = IOError + +################################################################################################### +PLATFORM_WINDOWS = "Windows" +PLATFORM_MAC = "Darwin" +PLATFORM_LINUX = "Linux" +PLATFORM_LINUX_CENTOS = 'centos' +PLATFORM_LINUX_DEBIAN = 'debian' +PLATFORM_LINUX_FEDORA = 'fedora' +PLATFORM_LINUX_UBUNTU = 'ubuntu' + +# URLS for figuring things out if something goes wrong +DOCKER_INSTALL_URLS = defaultdict(lambda: 'https://docs.docker.com/install/') +DOCKER_INSTALL_URLS[PLATFORM_WINDOWS] = ['https://stefanscherer.github.io/how-to-install-docker-the-chocolatey-way/', + 'https://docs.docker.com/docker-for-windows/install/'] +DOCKER_INSTALL_URLS[PLATFORM_LINUX_UBUNTU] = 'https://docs.docker.com/install/linux/docker-ce/ubuntu/' +DOCKER_INSTALL_URLS[PLATFORM_LINUX_DEBIAN] = 'https://docs.docker.com/install/linux/docker-ce/debian/' +DOCKER_INSTALL_URLS[PLATFORM_LINUX_CENTOS] = 'https://docs.docker.com/install/linux/docker-ce/centos/' +DOCKER_INSTALL_URLS[PLATFORM_LINUX_FEDORA] = 'https://docs.docker.com/install/linux/docker-ce/fedora/' +DOCKER_INSTALL_URLS[PLATFORM_MAC] = ['https://www.code2bits.com/how-to-install-docker-on-macos-using-homebrew/', + 'https://docs.docker.com/docker-for-mac/install/'] +DOCKER_COMPOSE_INSTALL_URLS = defaultdict(lambda: 'https://docs.docker.com/compose/install/') +HOMEBREW_INSTALL_URLS = defaultdict(lambda: 'https://brew.sh/') + +################################################################################################### +# print to stderr +def eprint(*args, **kwargs): + print(*args, file=sys.stderr, **kwargs) + +################################################################################################### +def EscapeAnsi(line): + ansiEscape = re.compile(r'(?:\x1B[@-_]|[\x80-\x9F])[0-?]*[ -/]*[@-~]') + return ansiEscape.sub('', line) + +################################################################################################### +# get interactive user response to Y/N question +def YesOrNo(question, default=None, forceInteraction=False, acceptDefault=False): + + if default == True: + questionStr = "\n{} (Y/n): ".format(question) + elif default == False: + questionStr = "\n{} (y/N): ".format(question) + else: + questionStr = "\n{} (y/n): ".format(question) + + if acceptDefault and (default is not None) and (not forceInteraction): + reply = '' + else: + while True: + reply = str(input(questionStr)).lower().strip() + if (len(reply) > 0) or (default is not None): + break + + if (len(reply) == 0): + reply = 'y' if default else 'n' + + if reply[0] == 'y': + return True + elif reply[0] == 'n': + return False + else: + return YesOrNo(question, default=default) + +################################################################################################### +# get interactive user response +def AskForString(question, default=None, forceInteraction=False, acceptDefault=False): + + if acceptDefault and (default is not None) and (not forceInteraction): + reply = default + else: + reply = str(input('\n{}: '.format(question))).strip() + + return reply + +################################################################################################### +# get interactive password (without echoing) +def AskForPassword(prompt): + reply = getpass.getpass(prompt=prompt) + return reply + +################################################################################################### +# convenient boolean argument parsing +def str2bool(v): + if v.lower() in ('yes', 'true', 't', 'y', '1'): + return True + elif v.lower() in ('no', 'false', 'f', 'n', '0'): + return False + else: + raise ValueError('Boolean value expected') + +################################################################################################### +# determine if a program/script exists and is executable in the system path +def Which(cmd, debug=False): + result = any(os.access(os.path.join(path, cmd), os.X_OK) for path in os.environ["PATH"].split(os.pathsep)) + if debug: + eprint("Which {} returned {}".format(cmd, result)) + return result + +################################################################################################### +# nice human-readable file sizes +def SizeHumanFormat(num, suffix='B'): + for unit in ['','Ki','Mi','Gi','Ti','Pi','Ei','Zi']: + if abs(num) < 1024.0: + return "%3.1f%s%s" % (num, unit, suffix) + num /= 1024.0 + return "%.1f%s%s" % (num, 'Yi', suffix) + +################################################################################################### +# run command with arguments and return its exit code, stdout, and stderr +def check_output_input(*popenargs, **kwargs): + + if 'stdout' in kwargs: + raise ValueError('stdout argument not allowed, it will be overridden') + + if 'stderr' in kwargs: + raise ValueError('stderr argument not allowed, it will be overridden') + + if 'input' in kwargs and kwargs['input']: + if 'stdin' in kwargs: + raise ValueError('stdin and input arguments may not both be used') + inputdata = kwargs['input'] + kwargs['stdin'] = PIPE + else: + inputdata = None + kwargs.pop('input', None) + + process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) + try: + output, errput = process.communicate(inputdata) + except: + process.kill() + process.wait() + raise + + retcode = process.poll() + + return retcode, output, errput + +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +def run_process(command, stdout=True, stderr=True, stdin=None, retry=0, retrySleepSec=5, debug=False): + retcode = -1 + output = [] + + try: + # run the command + retcode, cmdout, cmderr = check_output_input(command, input=stdin.encode() if (PY3 and stdin) else stdin) + + # split the output on newlines to return a list + if PY3: + if stderr and (len(cmderr) > 0): output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) + if stdout and (len(cmdout) > 0): output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) + else: + if stderr and (len(cmderr) > 0): output.extend(cmderr.split('\n')) + if stdout and (len(cmdout) > 0): output.extend(cmdout.split('\n')) + + except (FileNotFoundError, OSError, IOError) as e: + if stderr: + output.append("Command {} not found or unable to execute".format(command)) + + if debug: + eprint("{}{} returned {}: {}".format(command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output)) + + if (retcode != 0) and retry and (retry > 0): + # sleep then retry + time.sleep(retrySleepSec) + return run_process(command, stdout, stderr, stdin, retry-1, retrySleepSec, debug) + else: + return retcode, output + +################################################################################################### +# make sure we can import requests properly and take care of it automatically if possible +def ImportRequests(debug=False): + global RequestsImported + + if not RequestsImported: + # see if we can help out by installing the requests module + + pyPlatform = platform.system() + pyExec = sys.executable + pipCmd = 'pip3' if PY3 else 'pip2' + if not Which(pipCmd, debug=debug): pipCmd = 'pip' + + eprint('The requests module is required under Python {} ({})'.format(platform.python_version(), pyExec)) + + if Which(pipCmd, debug=debug): + if YesOrNo('Importing the requests module failed. Attempt to install via {}?'.format(pipCmd)): + installCmd = None + + if (pyPlatform == PLATFORM_LINUX) or (pyPlatform == PLATFORM_MAC): + # for linux/mac, we're going to try to figure out if this python is owned by root or the script user + if (getpass.getuser() == getpwuid(os.stat(pyExec).st_uid).pw_name): + # we're running a user-owned python, regular pip should work + installCmd = [pipCmd, 'install', 'requests'] + else: + # python is owned by system, so make sure to pass the --user flag + installCmd = [pipCmd, 'install', '--user', 'requests'] + else: + # on windows (or whatever other platform this is) I don't know any other way other than pip + installCmd = [pipCmd, 'install', 'requests'] + + err, out = run_process(installCmd, debug=debug) + if err == 0: + eprint("Installation of requests module apparently succeeded") + try: + import requests + RequestsImported = True + except ImportError as e: + eprint("Importing the requests module still failed: {}".format(e)) + else: + eprint("Installation of requests module failed: {}".format(out)) + + if not RequestsImported: + eprint("System-wide installation varies by platform and Python configuration. Please consult platform-specific documentation for installing Python modules.") + if (platform.system() == PLATFORM_MAC): + eprint('You *may* be able to install pip and requests manually via: sudo sh -c "easy_install pip && pip install requests"') + elif (pyPlatform == PLATFORM_LINUX): + if Which('apt-get', debug=debug): + eprint('You *may* be able to install requests manually via: sudo apt-get install {}'.format('python3-requests' if PY3 else 'python-requests')) + elif Which('apt', debug=debug): + eprint('You *may* be able to install requests manually via: sudo apt install {}'.format('python3-requests' if PY3 else 'python-requests')) + elif Which('dnf', debug=debug): + eprint('You *may* be able to install requests manually via: sudo dnf install {}'.format('python3-requests' if PY3 else 'python2-requests')) + elif Which('yum', debug=debug): + eprint('You *may* be able to install requests manually via: sudo yum install {}'.format('python-requests')) + + return RequestsImported + +################################################################################################### +# do the required auth files for Malcolm exist? +def MalcolmAuthFilesExist(): + return os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd'))) and \ + os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf'))) and \ + os.path.isfile(os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini'))) and \ + os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'cert.pem')))) and \ + os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'key.pem')))) and \ + os.path.isfile(os.path.join(MalcolmPath, 'auth.env')) + +################################################################################################### +# download to file +def DownloadToFile(url, local_filename, debug=False): + r = requests.get(url, stream=True, allow_redirects=True) + with open(local_filename, 'wb') as f: + for chunk in r.iter_content(chunk_size=1024): + if chunk: f.write(chunk) + fExists = os.path.isfile(local_filename) + fSize = os.path.getsize(local_filename) + if debug: + eprint("Download of {} to {} {} ({})".format(url, local_filename, "succeeded" if fExists else "failed", SizeHumanFormat(fSize))) + return fExists and (fSize > 0) + +################################################################################################### +# recursively remove empty subfolders +def RemoveEmptyFolders(path, removeRoot=True): + if not os.path.isdir(path): + return + + files = os.listdir(path) + if len(files): + for f in files: + fullpath = os.path.join(path, f) + if os.path.isdir(fullpath): + RemoveEmptyFolders(fullpath) + + files = os.listdir(path) + if len(files) == 0 and removeRoot: + try: + os.rmdir(path) + except: + pass \ No newline at end of file diff --git a/scripts/package_zeek_logs.sh b/scripts/package_zeek_logs.sh new file mode 100755 index 000000000..371902184 --- /dev/null +++ b/scripts/package_zeek_logs.sh @@ -0,0 +1,121 @@ +#!/bin/bash + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +# package up Zeek logs in a format more suitable for upload to Malcolm +# +# directory containing Zeek logs is a parent directory of directories/files named like smb_mapping.04/00/00-05/00/00.log.gz +# + +set -e +set -u +set -o pipefail + +ENCODING="utf-8" + +# options +# -v (verbose) +# -d dir (base directory containing logs, e.g., the parent directory of smb_mapping.04/00/00-05/00/00.log.gz ) + +# parse command-line options +VERBOSE_FLAG="" +LOG_BASE_DIR=$(pwd) +while getopts 'vd:' OPTION; do + case "$OPTION" in + v) + VERBOSE_FLAG="-v" + ;; + + d) + LOG_BASE_DIR="$OPTARG" + ;; + + ?) + echo "script usage: $(basename $0) [-v] [-d directory]" >&2 + exit 1 + ;; + esac +done +shift "$(($OPTIND -1))" + +# fsize - display byte sizes human readable +function fsize () { + echo "$1" | awk 'function human(x) { + s=" B KiB MiB GiB TiB EiB PiB YiB ZiB" + while (x>=1024 && length(s)>1) + {x/=1024; s=substr(s,5)} + s=substr(s,1,4) + xf=(s==" B ")?"%5d ":"%0.2f" + return sprintf( xf"%s", x, s) + } + {gsub(/^[0-9]+/, human($1)); print}' +} + +function fdir () { + [[ -f "$1" ]] && echo "$(dirname "$1")" || echo "$1" +} + +# create a temporary directory to store our results in (make sure /tmp is big enough to extract all of these logs into!) +WORKDIR="$(mktemp -d -t malcolm-zeek-XXXXXX)" + +# chdir to the base directory containing the logs +pushd "$LOG_BASE_DIR" >/dev/null 2>&1 +FULL_PWD="$(realpath "$(pwd)")" + +# cleanup - on exit ensure the temporary directory is removed +function cleanup { + popd >/dev/null 2>&1 + if ! rm -rf "$WORKDIR"; then + echo "Failed to remove temporary directory '$WORKDIR'" >&2 + exit 1 + fi +} + +if [ -d "$WORKDIR" ]; then + # ensure that if we "grabbed a lock", we release it (works for clean exit, SIGTERM, and SIGINT/Ctrl-C) + trap "cleanup" EXIT + + # year month day type hour.0 min.0 sec.0 hour.1 min.1 sec.1 + PATTERN='(\./)?([0-9]+)-([0-9]+)-([0-9]+)/(.+)\.([0-9]+):([0-9]+):([0-9]+)-([0-9]+):([0-9]+):([0-9]+)\.log\.gz$' + + # find and unzip the compressed zeek logs below this directory into temporary subdirectories that make sense + for GZ_LOG_FILE in $(find . -type f -name "*.log.gz"); do + GZ_LOG_FILE_SUBDIR="$(dirname "$GZ_LOG_FILE")" + GZ_LOG_FILE_DESTDIR="$WORKDIR"/"$GZ_LOG_FILE_SUBDIR" + mkdir -p "$GZ_LOG_FILE_DESTDIR" + if [[ $GZ_LOG_FILE =~ $PATTERN ]]; then + LOG_TYPE=${BASH_REMATCH[5]} + DIR_DATE=${BASH_REMATCH[2]}_${BASH_REMATCH[3]}_${BASH_REMATCH[4]}_${BASH_REMATCH[6]} + LOG_BASENAME="$(echo "$LOG_TYPE" | awk '{print tolower($0)}')".log + DIR_COUNT=0 + while [[ true ]]; do + DEST_DIR="$WORKDIR"/$DIR_DATE.$(printf %02d $DIR_COUNT) + DEST_FILE="$DEST_DIR"/"$LOG_BASENAME" + if [[ -e "$DEST_FILE" ]]; then + DIR_COUNT=$((DIR_COUNT+1)) + else + break + fi + done + mkdir -p "$DEST_DIR"/ + gunzip --to-stdout "$GZ_LOG_FILE" > "$DEST_FILE" + if [[ -n $VERBOSE_FLAG ]]; then + FILE_TYPE="$(file -b "$DEST_FILE")" + FILE_SIZE="$(fsize $(stat --printf="%s" "$DEST_FILE"))" + echo "$DEST_FILE: $FILE_TYPE ($FILE_SIZE)" + fi + fi + done + + # package up all of the log files in their respective directories under our temporary one + REPACKAGED_LOGS_TARBALL="$FULL_PWD"/zeek-logs-compressed-$(date +'%Y%m%d_%H%M%S').tar.gz + tar -c -z $VERBOSE_FLAG -C "$WORKDIR" -f $REPACKAGED_LOGS_TARBALL . + if [[ -n $VERBOSE_FLAG ]]; then + FILE_TYPE="$(file -b "$REPACKAGED_LOGS_TARBALL")" + FILE_SIZE="$(fsize $(stat --printf="%s" "$REPACKAGED_LOGS_TARBALL"))" + echo "$REPACKAGED_LOGS_TARBALL: $FILE_TYPE ($FILE_SIZE)" + else + echo "$REPACKAGED_LOGS_TARBALL" + fi + +fi \ No newline at end of file diff --git a/scripts/restart b/scripts/restart new file mode 120000 index 000000000..c910cf9d6 --- /dev/null +++ b/scripts/restart @@ -0,0 +1 @@ +./control.py \ No newline at end of file diff --git a/scripts/restart.sh b/scripts/restart.sh deleted file mode 100755 index decc61162..000000000 --- a/scripts/restart.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -if [ -z "$BASH_VERSION" ]; then - echo "Wrong interpreter, please run \"$0\" with bash" - exit 1 -fi - -if docker-compose version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose -elif grep -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose.exe -fi - -# if the docker-compose config file was specified, use it, otherwise -# let docker-compose figure it out -if [ "$1" ]; then - CONFIG_FILE="$1" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN -f "$CONFIG_FILE"" -else - CONFIG_FILE="docker-compose.yml" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN" -fi - -# force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi -SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" -pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 - -# stop Malcolm if needed -$SCRIPT_PATH/stop.sh "$CONFIG_FILE" - -# start Malcolm -$SCRIPT_PATH/start.sh "$CONFIG_FILE" - -popd >/dev/null 2>&1 diff --git a/scripts/start b/scripts/start new file mode 120000 index 000000000..c910cf9d6 --- /dev/null +++ b/scripts/start @@ -0,0 +1 @@ +./control.py \ No newline at end of file diff --git a/scripts/start.sh b/scripts/start.sh deleted file mode 100755 index 7ebac3af1..000000000 --- a/scripts/start.sh +++ /dev/null @@ -1,96 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -if [ -z "$BASH_VERSION" ]; then - echo "Wrong interpreter, please run \"$0\" with bash" - exit 1 -fi - -if docker-compose version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose -elif grep -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose.exe -fi - -# if the docker-compose config file was specified, use it, otherwise -# let docker-compose figure it out -if [ "$1" ]; then - CONFIG_FILE="$1" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN -f "$CONFIG_FILE"" -else - CONFIG_FILE="docker-compose.yml" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN" -fi - -# force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi -SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" -pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 - -# if we are in an interactive shell and we're missing any of the auth files, prompt to create them now -# ( another way to check this: [[ "${-}" =~ 'i' ]] ) -if [[ -t 1 ]] && \ - ( [[ ! -f ./nginx/htpasswd ]] || [[ ! -f ./nginx/nginx_ldap.conf ]] || [[ ! -f ./htadmin/config.ini ]] || [[ ! -f ./nginx/certs/cert.pem ]] || [[ ! -f ./nginx/certs/key.pem ]] || [[ ! -r ./auth.env ]] ) -then - echo "Malcolm administrator account authentication files are missing, running ./scripts/auth_setup.sh..." - ./scripts/auth_setup.sh -fi -# still missing? sorry charlie -if [[ ! -f ./nginx/htpasswd ]] || [[ ! -f ./nginx/nginx_ldap.conf ]] || [[ ! -f ./htadmin/config.ini ]] || [[ ! -f ./nginx/certs/cert.pem ]] || [[ ! -f ./nginx/certs/key.pem ]] || [[ ! -r ./auth.env ]]; then - echo "Malcolm administrator account authentication files are missing, please run ./scripts/auth_setup.sh to generate them" - exit 1 -fi - -[[ -f ./htadmin/metadata ]] || touch ./htadmin/metadata - -if [[ ! -f ./elastalert/config/smtp-auth.yaml ]]; then - # create a sample smtp-auth.yaml for if/when we want to do elastalert email - pushd ./elastalert/config/ >/dev/null 2>&1 - cat < smtp-auth.yaml -user: "user@gmail.com" -password: "abcdefg1234567" -EOF - chmod 600 ./smtp-auth.yaml - popd >/dev/null 2>&1 -fi - -# make sure a read permission is set correctly for the nginx worker processes -chmod 644 ./nginx/htpasswd ./nginx/nginx_ldap.conf ./htadmin/config.ini ./htadmin/metadata >/dev/null 2>&1 - -# make sure some directories exist before we start -mkdir -p ./elasticsearch/ -mkdir -p ./elasticsearch-backup/ -mkdir -p ./pcap/upload/ -mkdir -p ./pcap/processed/ -mkdir -p ./zeek-logs/current/ -mkdir -p ./zeek-logs/upload/ -mkdir -p ./zeek-logs/processed/ -mkdir -p ./zeek-logs/extract_files/ - -# start docker -if $DOCKER_COMPOSE_COMMAND up --detach ; then - echo "" - echo "In a few minutes, Malcolm services will be accessible via the following URLs:" - echo "------------------------------------------------------------------------------" - echo " - Moloch: https://localhost/" - echo " - Kibana: https://localhost/kibana/" - echo " - PCAP Upload (web): https://localhost/upload/" - echo " - PCAP Upload (sftp): sftp://username@127.0.0.1:8022/files/" - echo " - Account management: https://localhost:488/" - echo "" - - $SCRIPT_PATH/logs.sh "$CONFIG_FILE" - -else - DOCKER_ERROR=$? - echo "Malcolm failed to start" - exit $DOCKER_ERROR -fi - -popd >/dev/null 2>&1 diff --git a/scripts/stop b/scripts/stop new file mode 120000 index 000000000..c910cf9d6 --- /dev/null +++ b/scripts/stop @@ -0,0 +1 @@ +./control.py \ No newline at end of file diff --git a/scripts/stop.sh b/scripts/stop.sh deleted file mode 100755 index cc0f3037e..000000000 --- a/scripts/stop.sh +++ /dev/null @@ -1,56 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -if [ -z "$BASH_VERSION" ]; then - echo "Wrong interpreter, please run \"$0\" with bash" - exit 1 -fi - -if docker-compose version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose -elif grep -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose.exe -fi - -# if the docker-compose config file was specified, use it, otherwise -# let docker-compose figure it out -if [ "$1" ]; then - CONFIG_FILE="$1" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN -f "$CONFIG_FILE"" -else - CONFIG_FILE="docker-compose.yml" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN" -fi - -# if stop.sh is being called with wipe.sh (after the docker-compose file) -# then also remove named and anonymous volumes (not external volumes, of course) -if [ "$2" == "wipe" ]; then - VOLUMES_FLAG="--volumes" -else - VOLUMES_FLAG="" -fi - -# force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi -SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" -pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 - -# stop docker -if $DOCKER_COMPOSE_COMMAND down $VOLUMES_FLAG ; then - echo "Stopped Malcolm" - echo "" -else - DOCKER_ERROR=$? - echo "Malcolm failed to stop" - echo "" - $DOCKER_COMPOSE_COMMAND ps - exit $DOCKER_ERROR -fi - -popd >/dev/null 2>&1 diff --git a/scripts/wipe b/scripts/wipe new file mode 120000 index 000000000..c910cf9d6 --- /dev/null +++ b/scripts/wipe @@ -0,0 +1 @@ +./control.py \ No newline at end of file diff --git a/scripts/wipe.sh b/scripts/wipe.sh deleted file mode 100755 index 37f832692..000000000 --- a/scripts/wipe.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -if [ -z "$BASH_VERSION" ]; then - echo "Wrong interpreter, please run \"$0\" with bash" - exit 1 -fi - -if docker-compose version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose -elif grep -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then - DOCKER_COMPOSE_BIN=docker-compose.exe -fi - -# if the docker-compose config file was specified, use it, otherwise -# let docker-compose figure it out -if [ "$1" ]; then - CONFIG_FILE="$1" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN -f "$CONFIG_FILE"" -else - CONFIG_FILE="docker-compose.yml" - DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN" -fi - -# force-navigate to Malcolm base directory (parent of scripts/ directory) -[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath -[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname -if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then - echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" - exit 1 -fi -SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))" -pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 - -# attempt to DELETE _template/zeek_template in Elasticsearch -$DOCKER_COMPOSE_COMMAND exec moloch bash -c 'curl -fs --output /dev/null -H"Content-Type: application/json" -XDELETE "http://$ES_HOST:$ES_PORT/_template/zeek_template"' >/dev/null 2>&1 - -# stop Malcolm and remove volumes if needed -$SCRIPT_PATH/stop.sh "$CONFIG_FILE" wipe - -# completely clean out elasticsearch database and local files -rm -rf ./elasticsearch/nodes 2>/dev/null -find ./elasticsearch-backup/ ./zeek-logs/ ./moloch-logs/ ./pcap/ ./moloch-raw/ \( \( -type f -o -type l \) -a ! -name ".gitignore" \) -delete 2>/dev/null -find ./elasticsearch-backup/logs/ ./zeek-logs/processed/ ./zeek-logs/current/ -mindepth 1 -type d -delete 2>/dev/null - -echo "Malcolm has been stopped and its data cleared." -echo "" - -popd >/dev/null 2>&1 diff --git a/sensor-iso/README.md b/sensor-iso/README.md index 81a27ca73..8866ddaed 100644 --- a/sensor-iso/README.md +++ b/sensor-iso/README.md @@ -238,7 +238,7 @@ If **SSL** is chosen, you must choose whether to enable [SSL certificate verific ![Unencrypted vs. SSL encryption for Zeek log forwarding](./docs/images/filebeat_ssl_verify.png) -The last step for SSL-encrypted Zeek log forwarding is to specify the SSL certificate authority, certificate, and key files. These files must match those used by the Logstash instance receiving the Zeek logs on the aggregator. If Malcolm's `auth_setup.sh` script was used to generate these files they would be found in the `filebeat/certs/` subdirectory of the Malcolm installation and must be manually copied to the sensor (stored under `/opt/sensor/sensor_ctl/filebeat/` or in any other path accessible to the sensor account). Specify the location of the certificate authorities file (eg., `ca.crt`), the certificate file (eg., `client.crt`), and the key file (eg., `client.key`). +The last step for SSL-encrypted Zeek log forwarding is to specify the SSL certificate authority, certificate, and key files. These files must match those used by the Logstash instance receiving the Zeek logs on the aggregator. If Malcolm's `auth_setup` script was used to generate these files they would be found in the `filebeat/certs/` subdirectory of the Malcolm installation and must be manually copied to the sensor (stored under `/opt/sensor/sensor_ctl/filebeat/` or in any other path accessible to the sensor account). Specify the location of the certificate authorities file (eg., `ca.crt`), the certificate file (eg., `client.crt`), and the key file (eg., `client.key`). ![SSL certificate files](./docs/images/filebeat_certs.png) @@ -398,7 +398,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-1.8.1.iso" +Finished, created "/sensor-build/hedgehog-2.0.0.iso" … ``` @@ -557,7 +557,7 @@ If you are interesting in developing your own network traffic capture appliance # Copyright -Hedgehog Linux - part of [Malcolm](https://github.com/idaholab/Malcolm) - is Copyright 2019 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. +Hedgehog Linux - part of [Malcolm](https://github.com/idaholab/Malcolm) - is Copyright 2020 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. See [`License.txt`](https://raw.githubusercontent.com/idaholab/Malcolm/master/License.txt) for the terms of its release. diff --git a/sensor-iso/beats/Dockerfile b/sensor-iso/beats/Dockerfile index 0a86b16c1..8e490c04f 100644 --- a/sensor-iso/beats/Dockerfile +++ b/sensor-iso/beats/Dockerfile @@ -28,7 +28,7 @@ RUN apt-get update && apt-get install -y \ bash -c "curl https://glide.sh/get | bash" ENV BEATS=metricbeat -ENV BEATS_VERSION=7.5.1 +ENV BEATS_VERSION=7.6.2 ADD ./build.sh /build.sh RUN [ "chmod", "+x", "/build.sh" ] diff --git a/sensor-iso/beats/beat-build.sh b/sensor-iso/beats/beat-build.sh index 0241c2e99..6a9532d21 100755 --- a/sensor-iso/beats/beat-build.sh +++ b/sensor-iso/beats/beat-build.sh @@ -2,7 +2,7 @@ # Copyright (c) 2018 Battelle Energy Alliance, LLC. All rights reserved. -VERSION="7.5.1" +VERSION="7.6.2" THIRD_PARTY_BRANCH="master" while getopts b:v:t: opts; do case ${opts} in diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index b3220fa46..0a18877f6 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -38,6 +38,7 @@ if [ -d "$WORKDIR" ]; then mkdir -p ./output "./work/$IMAGE_NAME-Live-Build" pushd "./work/$IMAGE_NAME-Live-Build" >/dev/null 2>&1 rsync -a "$SCRIPT_PATH/config" . + rsync -a "$SCRIPT_PATH/shared/vbox-guest-build" . mkdir -p ./config/hooks/live pushd ./config/hooks/live @@ -83,6 +84,17 @@ if [ -d "$WORKDIR" ]; then echo "firmware-misc-nonfree=$(dpkg -s firmware-misc-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot echo "firmware-amd-graphics=$(dpkg -s firmware-amd-graphics | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot + # virtualbox-guest .deb package(s) in its own clean environment (rather than in hooks/) + mkdir -p ./config/packages.chroot/ + bash ./vbox-guest-build/build-docker-image.sh + docker run --rm -v "$(pwd)"/vbox-guest-build:/build vboxguest-build:latest -o /build + rm -f ./vbox-guest-build/*-source*.deb \ + ./vbox-guest-build/*-dbgsym*.deb \ + ./vbox-guest-build/virtualbox_*.deb \ + ./vbox-guest-build/virtualbox-dkms_*.deb \ + ./vbox-guest-build/virtualbox-qt_*.deb + mv ./vbox-guest-build/*.deb ./config/packages.chroot/ + # copy the interface code into place for the resultant image mkdir -p ./config/includes.chroot/opt rsync -a "$SCRIPT_PATH/interface/" ./config/includes.chroot/opt/sensor/ diff --git a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot index 74fecbf06..b643f901e 100755 --- a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. export LC_ALL=C.UTF-8 export LANG=C.UTF-8 @@ -8,6 +8,7 @@ export LANG=C.UTF-8 # python 3 pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \ beautifulsoup4 \ + colorama \ clamd \ debinterface \ ipaddress \ diff --git a/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot b/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot index ee7289e31..35e21e0c1 100755 --- a/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot +++ b/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. sed -i 's/^exit 0//' /etc/rc.local 2>/dev/null diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 3c4608206..067c9ba55 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -1,17 +1,17 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. NETSNIFF_VER="0.6.6" NETSNIFF_URL="https://github.com/netsniff-ng/netsniff-ng/archive/v$NETSNIFF_VER.tar.gz" -ZEEK_VER="3.0.1" +ZEEK_VER="3.0.3" ZEEK_URL="https://old.zeek.org/downloads/zeek-$ZEEK_VER.tar.gz" ZEEK_PATCH_URLS=( # nothing here for now ) -BEATS_VER="7.5.1" +BEATS_VER="7.6.2" BEATS_OSS="-oss" BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" @@ -88,12 +88,15 @@ redef SOCKS::default_capture_password = T; @load protocols/dhcp/software @load protocols/dns/detect-external-names @load protocols/ftp/detect +@load protocols/ftp/detect-bruteforcing.zeek @load protocols/ftp/software @load protocols/http/detect-sqli @load protocols/http/detect-webapps @load protocols/http/software @load protocols/http/software-browser-plugins @load protocols/mysql/software +@load protocols/ssl/weak-keys +@load protocols/smb/log-cmds @load protocols/smtp/software @load protocols/ssh/detect-bruteforcing @load protocols/ssh/geo-data diff --git a/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot b/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot index 9f02a6be0..ab545bd53 100755 --- a/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot +++ b/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # clone STIG-4-Debian and harbian-audit and clean up some stuff we don't need mkdir -p /opt diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 16774d7f4..10461f70f 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -1,10 +1,10 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # remove development packages apt-get -y --purge remove checkinstall cmake gdb git libc6-dbg ninja-build \ - $(dpkg --get-selections | grep -Pv "(^libyaml-dev|deinstall$)" | cut -f1 | grep -P -- '-dev(:\w+)?$') || true + $(dpkg --get-selections | grep -Pv "(^(libyaml-dev|dpkg|libgcc)|deinstall$)" | cut -f1 | grep -P -- '-dev(:\w+)?$') || true # remove unwanted packages apt-get -y --purge remove bluez-firmware \ @@ -13,7 +13,6 @@ apt-get -y --purge remove bluez-firmware \ enchant \ ffmpeg \ gnome-accessibility-themes \ - gnome-user-guide \ gucharmap \ libasound2-plugins \ libcupsfilters1 \ diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot index acca9f652..a323eb0ff 100755 --- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # enable firewall, disallow everything in except SSH /usr/sbin/ufw --force enable diff --git a/sensor-iso/config/hooks/normal/0992-login.hook.chroot b/sensor-iso/config/hooks/normal/0992-login.hook.chroot index fc60f37cd..45eea6439 100755 --- a/sensor-iso/config/hooks/normal/0992-login.hook.chroot +++ b/sensor-iso/config/hooks/normal/0992-login.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. sed -i 's/^#autologin-user=.*/autologin-user=sensor/' /etc/lightdm/lightdm.conf sed -i 's/^#autologin-user-timeout=.*/autologin-user-timeout=0/' /etc/lightdm/lightdm.conf diff --git a/sensor-iso/config/hooks/normal/0998-localepurge.hook.chroot b/sensor-iso/config/hooks/normal/0998-localepurge.hook.chroot index 37680b216..48e8ea2e3 100755 --- a/sensor-iso/config/hooks/normal/0998-localepurge.hook.chroot +++ b/sensor-iso/config/hooks/normal/0998-localepurge.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # remove excess locales if [ -f /etc/localepurge-preseed.cfg ] ; then diff --git a/sensor-iso/config/includes.binary/boot/grub/grub.cfg b/sensor-iso/config/includes.binary/boot/grub/grub.cfg index 59d92e57a..7ac7ff551 100644 --- a/sensor-iso/config/includes.binary/boot/grub/grub.cfg +++ b/sensor-iso/config/includes.binary/boot/grub/grub.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set default=0 set timeout=-1 @@ -46,6 +46,11 @@ menuentry "Install Hedgehog Linux (advanced configuration)" { initrd /install/initrd.gz } +menuentry "Install Hedgehog Linux (virtual machine single partition quick install)" { + linux /install/vmlinuz auto=true priority=critical vga=normal locales=en_US.UTF-8 keyboard-layouts=us preseed/file=/cdrom/install/preseed_vmware.cfg + initrd /install/initrd.gz +} + menuentry "Rescue system in text mode" { linux /install/vmlinuz rescue/enable=true vga=normal initrd /install/initrd.gz diff --git a/sensor-iso/config/includes.binary/install/preseed.cfg b/sensor-iso/config/includes.binary/install/preseed.cfg index fb66ffed4..d43f02ad3 100644 --- a/sensor-iso/config/includes.binary/install/preseed.cfg +++ b/sensor-iso/config/includes.binary/install/preseed.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. d-i debian-installer/locale string en_US.UTF-8 d-i console-setup/ask_detect boolean false diff --git a/sensor-iso/config/includes.binary/install/preseed_base.cfg b/sensor-iso/config/includes.binary/install/preseed_base.cfg index cfa125cf4..f4219cfe9 100644 --- a/sensor-iso/config/includes.binary/install/preseed_base.cfg +++ b/sensor-iso/config/includes.binary/install/preseed_base.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. d-i netcfg/enable boolean false d-i netcfg/choose_interface select auto @@ -19,7 +19,7 @@ d-i clock-setup/ntp-server string 0.debian.pool.ntp.org d-i passwd/username string sensor d-i passwd/user-fullname string sensor -d-i passwd/user-default-groups string audio cdrom video netdev plugdev +d-i passwd/user-default-groups string audio cdrom video netdev plugdev vboxsf d-i passwd/root-login boolean true # crypted passwords via: mkpasswd -m sha-512 -S $(pwgen -ns 16 1) @@ -37,6 +37,8 @@ d-i preseed/late_command string \ echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' >> /target/etc/apt/sources.list; \ in-target touch /etc/capture_storage_format; \ in-target bash /usr/local/bin/sensor-init.sh; \ + in-target bash -c "(dmidecode -s system-product-name | grep -q VMware) || apt-get purge -y open-vm-tools-desktop"; \ + in-target bash -c "(dmidecode -s system-product-name | grep -q VirtualBox) || apt-get purge -y virtualbox-guest*"; \ in-target sed -r -i 's@(^.+\s+/(tmp|var/tmp)\s+ext4\s+.*defaults)@\1,nosuid,nodev,noexec@g' /etc/fstab; \ in-target sed -r -i 's@(^.+/media/cdrom[0-9]*.+)(noauto)(.*)@\1\2,nosuid,nodev,noexec\3@g' /etc/fstab; \ in-target sed -r -i 's@(^.+\s+/(home)\s+ext4\s+.*defaults)@\1,nosuid,nodev@g' /etc/fstab; \ diff --git a/sensor-iso/config/includes.binary/install/preseed_vmware.cfg b/sensor-iso/config/includes.binary/install/preseed_vmware.cfg new file mode 100644 index 000000000..0a199b98c --- /dev/null +++ b/sensor-iso/config/includes.binary/install/preseed_vmware.cfg @@ -0,0 +1,90 @@ +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +d-i debian-installer/locale string en_US.UTF-8 +d-i console-setup/ask_detect boolean false +d-i keyboard-configuration/xkb-keymap skip-config +d-i keyboard-configuration/layout string "American English" + +d-i preseed/include string preseed_base.cfg + +################################################################################################### +# install root filesystem on smallest non-USB disk + +d-i partman/early_command string \ + SENSOR_ROOT_DISK=$(parted_devices | egrep "^($(find /sys/block -mindepth 1 -maxdepth 1 -type l \( -name '[hs]d*' -o -name 'nvme*' \) -exec ls -l '{}' ';' | grep -v "usb" | sed 's@^.*\([hs]d[a-z]\+\|nvme[0-9]\+\).*$@/dev/\1@' | sed -e :a -e '$!N; s/\n/|/; ta'))" | sort -k2n | head -1 | cut -f1); \ + pvremove -ff -y "$SENSOR_ROOT_DISK"*; \ + debconf-set partman-auto/disk "$SENSOR_ROOT_DISK"; \ + debconf-set grub-installer/bootdev "$SENSOR_ROOT_DISK"; \ + sed -i.bak 's/-f $id\/skip_erase/-d $id/g' /lib/partman/lib/crypto-base.sh; + +d-i grub-installer/only_debian boolean true +d-i grub-installer/with_other_os boolean true + +d-i partman-auto/method string lvm +d-i partman-auto-lvm/new_vg_name string main + +d-i partman-lvm/device_remove_lvm boolean true +d-i partman-lvm/confirm boolean true +d-i partman-lvm/confirm_nooverwrite boolean true + +d-i partman-md/device_remove_md boolean true +d-i partman-md/confirm boolean true +d-i partman-md/confirm_nooverwrite boolean true + +d-i partman-partitioning/confirm_write_new_label boolean true +d-i partman/choose_partition select finish +d-i partman/confirm boolean true +d-i partman/confirm_nooverwrite boolean true +d-i partman-basicmethods/method_only boolean false +d-i partman-efi/non_efi_system boolean true + +d-i partman-basicfilesystems/choose_label string gpt +d-i partman-basicfilesystems/default_label string gpt +d-i partman-partitioning/choose_label string gpt +d-i partman-partitioning/default_label string gpt +d-i partman/choose_label string gpt +d-i partman/default_label string gpt + +d-i partman/mount_style select uuid + +d-i partman-auto/choose_recipe select custom +d-i partman-auto/expert_recipe string \ + custom :: \ + 1 1 1 free \ + $bios_boot{ } \ + method{ biosgrub } \ + . \ + 256 256 256 fat32 \ + $primary{ } \ + $iflabel{ gpt } \ + $reusemethod{ } \ + method{ efi } format{ } \ + mountpoint{ /boot/efi } \ + . \ + 1024 1024 1024 ext4 \ + $primary{ } \ + $bootable{ } \ + method{ format } \ + format{ } \ + use_filesystem{ } \ + filesystem{ ext4 } \ + mountpoint{ /boot } \ + . \ + 150% 150% 150% linux-swap \ + $defaultignore{ } \ + $lvmok{ } \ + in_vg { main } lv_name{ swap } \ + method{ swap } \ + format{ } \ + . \ + 12000 16000 1000000000 ext4 \ + $defaultignore{ } \ + $lvmok{ } \ + in_vg { main } lv_name{ root } \ + method{ format } \ + format{ } \ + use_filesystem{ } \ + filesystem{ ext4 } \ + mountpoint{ / } \ + . +################################################################################################### diff --git a/sensor-iso/config/includes.chroot/etc/live/config.conf b/sensor-iso/config/includes.chroot/etc/live/config.conf index e6d47621d..0542d48fe 100644 --- a/sensor-iso/config/includes.chroot/etc/live/config.conf +++ b/sensor-iso/config/includes.chroot/etc/live/config.conf @@ -2,4 +2,4 @@ LIVE_LOCALES="en_US.UTF-8" LIVE_HOSTNAME="sensor-live" LIVE_USERNAME="sensor" LIVE_USER_FULLNAME="sensor" -LIVE_USER_DEFAULT_GROUPS="adm audio cdrom disk netdev plugdev sudo video" +LIVE_USER_DEFAULT_GROUPS="adm audio cdrom disk netdev plugdev sudo video vboxsf" diff --git a/sensor-iso/config/includes.chroot/opt/zeek/bin/zeek.sh b/sensor-iso/config/includes.chroot/opt/zeek/bin/zeek.sh index de064466d..507c9590c 100755 --- a/sensor-iso/config/includes.chroot/opt/zeek/bin/zeek.sh +++ b/sensor-iso/config/includes.chroot/opt/zeek/bin/zeek.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # configuration variables may be specified in control_vars.conf rather than on the command line CONTROL_VARS_FILE="control_vars.conf" diff --git a/sensor-iso/config/includes.chroot/opt/zeek/bin/zeekdeploy.sh b/sensor-iso/config/includes.chroot/opt/zeek/bin/zeekdeploy.sh index e8c496490..1b7d9da2b 100755 --- a/sensor-iso/config/includes.chroot/opt/zeek/bin/zeekdeploy.sh +++ b/sensor-iso/config/includes.chroot/opt/zeek/bin/zeekdeploy.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # get utilities for finding default zeek path and executable [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath diff --git a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek index d481665c8..217e91494 100644 --- a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek +++ b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. @load ./extractor_params diff --git a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek index b1882f37c..9f5dd286f 100644 --- a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek +++ b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. export { const extractor_extract_none = "none" &redef; diff --git a/sensor-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json b/sensor-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json index dc292c4e9..1bb9304f7 100644 --- a/sensor-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json +++ b/sensor-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "072befc0-ffba-11e8-a854-ad7782ef6a55", diff --git a/sensor-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json b/sensor-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json index d2afbf94f..ba4da7d03 100644 --- a/sensor-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json +++ b/sensor-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json @@ -1,5 +1,5 @@ { - "version": "7.5.1", + "version": "7.6.2", "objects": [ { "id": "1ca59220-ffb0-11e8-a854-ad7782ef6a55", diff --git a/sensor-iso/config/package-lists/desktopmanager.list.chroot b/sensor-iso/config/package-lists/desktopmanager.list.chroot index b723e3c11..7a1dc55c2 100644 --- a/sensor-iso/config/package-lists/desktopmanager.list.chroot +++ b/sensor-iso/config/package-lists/desktopmanager.list.chroot @@ -1,10 +1,12 @@ arandr dconf-cli -fonts-noto-color-emoji +fonts-symbola +libnotify-bin lightdm lxde lxpanel lxsession +open-vm-tools-desktop x11-apps x11-session-utils x11-xfs-utils @@ -13,5 +15,6 @@ xinit xorg xscreensaver xserver-xorg +xserver-xorg-core xserver-xorg-video-qxl xserver-xorg-video-vmware diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index ca08b864b..81fc4b843 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot @@ -33,6 +33,7 @@ cryptsetup-bin curl debsums dialog +dmidecode dosfstools ebtables efibootmgr diff --git a/sensor-iso/docs/Notes.md b/sensor-iso/docs/Notes.md index 15cb0cba9..7fd44f637 100644 --- a/sensor-iso/docs/Notes.md +++ b/sensor-iso/docs/Notes.md @@ -18,7 +18,7 @@ Hedgehog Linux is a trimmed-down Debian Linux with several common tools preinsta - [Compiling Zeek from source](#ZeekCompile) - [Third party plugins](#ZeekThirdParty) + [bash script to install third party plugins for Zeek](#ZeekThirdPartyBash) - + [Bro::AF_Packet configuration](#BroAfPacket) + + [Zeek::AF_Packet configuration](#ZeekAfPacket) - [`local.zeek`](#ZeekLocalPolicy) - [File carving](#ZeekFileCarving) * [Forwarding](#Forwarding) @@ -113,12 +113,12 @@ $ /usr/sbin/tcpdump \ ### Compiling Moloch from source -At the time of writing, the [current stable release](https://github.com/aol/moloch/blob/master/CHANGELOG) of Moloch is [v2.1.2](https://github.com/aol/moloch/releases/tag/v2.1.2). The following bash script was used to install Moloch's build dependencies, download Moloch, build a Debian .deb package using [fpm](https://github.com/jordansissel/fpm) and install it. In building Hedgehog Linux, the building of this .deb is done inside a Docker container dedicated to that purpose. +At the time of writing, the [current stable release](https://github.com/aol/moloch/blob/master/CHANGELOG) of Moloch is [v2.2.3](https://github.com/aol/moloch/releases/tag/v2.2.3). The following bash script was used to install Moloch's build dependencies, download Moloch, build a Debian .deb package using [fpm](https://github.com/jordansissel/fpm) and install it. In building Hedgehog Linux, the building of this .deb is done inside a Docker container dedicated to that purpose. ```bash #!/bin/bash -MOLOCH_VERSION="2.1.2" +MOLOCH_VERSION="2.2.3" MOLOCHDIR="/opt/moloch" OUTPUT_DIR="/tmp" @@ -137,10 +137,6 @@ if [[ -n $VERBOSE ]]; then fi apt-get -q update -apt-get install -q -y --no-install-recommends \ - curl iproute2 git python python-dev sudo ruby ruby-dev rubygems build-essential - -gem install --no-ri --no-rdoc fpm mkdir -p /opt curl -L -o /tmp/moloch.tar.gz "https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz" @@ -163,19 +159,17 @@ cp -r ./capture/plugins/lua/samples "$MOLOCHDIR"/lua npm install license-checker; release/notice.txt.pl $MOLOCHDIR NOTICE release/CAPTURENOTICE > $MOLOCHDIR/NOTICE.txt -curl -L -o "$MOLOCHDIR"/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" -curl -L -o "$MOLOCHDIR"/etc/oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" -curl -L -o /tmp/GeoLite2-Country.mmdb.gz "https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country" -curl -L -o /tmp/GeoLite2-ASN.mmdb.gz "https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN" -zcat /tmp/GeoLite2-Country.mmdb.gz > "$MOLOCHDIR"/etc/GeoLite2-Country.mmdb -zcat /tmp/GeoLite2-ASN.mmdb.gz > "$MOLOCHDIR"/etc/GeoLite2-ASN.mmdb +ETC_FILES=$(shopt -s nullglob dotglob; echo /moloch-etc/*) +if (( ${#ETC_FILES} )) ; then + mkdir -p $MOLOCHDIR/etc + cp -r /moloch-etc/* $MOLOCHDIR/etc/ +fi fpm -s dir -t deb -n moloch -x opt/moloch/logs -x opt/moloch/raw -v $MOLOCH_VERSION --iteration 1 --template-scripts --after-install "release/afterinstall.sh" --url "http://molo.ch" --description "Moloch Full Packet System" -d libwww-perl -d libjson-perl -d ethtool -d libyaml-dev "$MOLOCHDIR" ls -l *.deb && mv -v *.deb "$OUTPUT_DIR"/ cd /tmp -rm -rf /tmp/moloch-$MOLOCH_VER.tar.gz /tmp/moloch-$MOLOCH_VER /tmp/GeoLite2-Country.mmdb.gz /tmp/GeoLite2-ASN.mmdb.gz if [[ -n $VERBOSE ]]; then set +x @@ -327,7 +321,7 @@ This may require opening a firewall port to the host running Moloch viewer to al # Zeek -At the time of writing, the [current stable release](https://github.com/zeek/zeek/blob/release/NEWS) of Zeek is [v3.0.1](https://github.com/zeek/zeek/releases/tag/v3.0.1). The notes in this section apply to that version, although some may apply to others as well. +At the time of writing, the [current stable release](https://github.com/zeek/zeek/blob/release/NEWS) of Zeek is [v3.0.3](https://github.com/zeek/zeek/releases/tag/v3.0.3). The notes in this section apply to that version, although some may apply to others as well. ## Compiling Zeek from source @@ -336,7 +330,7 @@ The following bash script was used to download, [build and install](https://docs ```bash #!/bin/bash -ZEEK_VER="3.0.1" +ZEEK_VER="3.0.3" ZEEK_URL="https://old.zeek.org/downloads/zeek-$ZEEK_VER.tar.gz" ZEEK_PATCH_URLS=( # nothing here for now @@ -375,7 +369,7 @@ Hedgehog Linux utilizest he following third party Zeek packages: * Amazon.com, Inc.'s [ICS protocol](https://github.com/amzn?q=zeek) analyzers * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin * Corelight's [community ID](https://github.com/corelight/bro-community-id) flow hashing plugin -* J-Gras' [Bro::AF_Packet](https://github.com/J-Gras/bro-af_packet-plugin) plugin +* J-Gras' [Zeek::AF_Packet](https://github.com/J-Gras/zeek-af_packet-plugin) plugin * Lexi Brent's [EternalSafety](https://github.com/lexibrent/zeek-EternalSafety) plugin * MITRE Cyber Analytics Repository's [Bro/Zeek ATT&CK-Based Analytics (BZAR)](https://github.com/mitre-attack/car/tree/master/implementations) script * Salesforce's [gQUIC](https://github.com/salesforce/GQUIC_Protocol_Analyzer) analyzer @@ -503,7 +497,7 @@ if [[ -d "$SRC_DIR" ]]; then cd "$CWD" fi -SRC_DIR="$(clone_github_repo "https://github.com/J-Gras/bro-af_packet-plugin")" +SRC_DIR="$(clone_github_repo "https://github.com/J-Gras/zeek-af_packet-plugin")" if [[ -d "$SRC_DIR" ]]; then CWD="$(pwd)" cd "$SRC_DIR" && \ @@ -524,9 +518,9 @@ if [[ -d "$SRC_DIR" ]]; then fi ``` -### Bro::AF_Packet configuration +### Zeek::AF_Packet configuration -Of particular mention is J-Gras' [Bro::AF_Packet](https://github.com/J-Gras/bro-af_packet-plugin) plugin to allow Zeek to use the Linux kernel's AF_PACKET capabilities natively for packet capture. To determine if your Linux distribution's kernel supports AF_PACKET: +Of particular mention is J-Gras' [Zeek::AF_Packet](https://github.com/J-Gras/zeek-af_packet-plugin) plugin to allow Zeek to use the Linux kernel's AF_PACKET capabilities natively for packet capture. To determine if your Linux distribution's kernel supports AF_PACKET: ```bash $ grep -x 'CONFIG_PACKET=[ym]' "/boot/config-$(uname -r)" @@ -1769,7 +1763,7 @@ The Elastic Stack's [Beats](https://www.elastic.co/products/beats) platform is a set -e -BEATS_VER="7.5.1" +BEATS_VER="7.6.2" BEATS_OSS="-oss" BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" @@ -2181,7 +2175,7 @@ Hedgehog Linux targets the following guidelines for establishing a secure config # Copyright -Hedgehog Linux - part of [Malcolm](https://github.com/idaholab/Malcolm) - is Copyright 2019 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. +Hedgehog Linux - part of [Malcolm](https://github.com/idaholab/Malcolm) - is Copyright 2020 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. See [`License.txt`](https://raw.githubusercontent.com/idaholab/Malcolm/master/License.txt) for the terms of its release. diff --git a/sensor-iso/interface/sensor_ctl/auditbeat/sensor_auditbeat_local.sh b/sensor-iso/interface/sensor_ctl/auditbeat/sensor_auditbeat_local.sh index c053b3540..ba8d45e29 100755 --- a/sensor-iso/interface/sensor_ctl/auditbeat/sensor_auditbeat_local.sh +++ b/sensor-iso/interface/sensor_ctl/auditbeat/sensor_auditbeat_local.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory (containing config file) [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath diff --git a/sensor-iso/interface/sensor_ctl/clean.sh b/sensor-iso/interface/sensor_ctl/clean.sh index 315332c55..32c495a3a 100755 --- a/sensor-iso/interface/sensor_ctl/clean.sh +++ b/sensor-iso/interface/sensor_ctl/clean.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/sensor-iso/interface/sensor_ctl/control.sh b/sensor-iso/interface/sensor_ctl/control.sh index 113417739..843fd834a 100755 --- a/sensor-iso/interface/sensor_ctl/control.sh +++ b/sensor-iso/interface/sensor_ctl/control.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/sensor-iso/interface/sensor_ctl/extractor_override.interesting.zeek b/sensor-iso/interface/sensor_ctl/extractor_override.interesting.zeek index a6a8d304b..45a92cba1 100644 --- a/sensor-iso/interface/sensor_ctl/extractor_override.interesting.zeek +++ b/sensor-iso/interface/sensor_ctl/extractor_override.interesting.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. export { redef extractor_always_extract_unknown = F; diff --git a/sensor-iso/interface/sensor_ctl/filebeat-syslog/sensor_filebeat-syslog_local.sh b/sensor-iso/interface/sensor_ctl/filebeat-syslog/sensor_filebeat-syslog_local.sh index c0bc6d066..d6f5f59e0 100755 --- a/sensor-iso/interface/sensor_ctl/filebeat-syslog/sensor_filebeat-syslog_local.sh +++ b/sensor-iso/interface/sensor_ctl/filebeat-syslog/sensor_filebeat-syslog_local.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory (containing config file) [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath diff --git a/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml b/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml index 3db0c1f31..f4ea38e31 100644 --- a/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml +++ b/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. logging.metrics.enabled: false diff --git a/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh b/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh index 6f9c161e8..305df9981 100755 --- a/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh +++ b/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$CAPTURE_PATH" ]; then CAPTURE_PATH="$HOME/bro_logs" diff --git a/sensor-iso/interface/sensor_ctl/heatbeat/protologbeat.template.json b/sensor-iso/interface/sensor_ctl/heatbeat/protologbeat.template.json index 5013a1251..dacd12f90 100644 --- a/sensor-iso/interface/sensor_ctl/heatbeat/protologbeat.template.json +++ b/sensor-iso/interface/sensor_ctl/heatbeat/protologbeat.template.json @@ -2,7 +2,7 @@ "index_patterns": ["protologbeat-*"], "mappings": { "_meta": { - "version": "7.5.1" + "version": "7.6.2" }, "dynamic_templates": [{ "strings_as_keyword": { diff --git a/sensor-iso/interface/sensor_ctl/heatbeat/sensor_heatbeat_local.sh b/sensor-iso/interface/sensor_ctl/heatbeat/sensor_heatbeat_local.sh index 6b7e1e6cd..9c5e566f8 100755 --- a/sensor-iso/interface/sensor_ctl/heatbeat/sensor_heatbeat_local.sh +++ b/sensor-iso/interface/sensor_ctl/heatbeat/sensor_heatbeat_local.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory (containing config file) [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath diff --git a/sensor-iso/interface/sensor_ctl/metricbeat/sensor_metricbeat_local.sh b/sensor-iso/interface/sensor_ctl/metricbeat/sensor_metricbeat_local.sh index 2dd7285c2..0255838bb 100755 --- a/sensor-iso/interface/sensor_ctl/metricbeat/sensor_metricbeat_local.sh +++ b/sensor-iso/interface/sensor_ctl/metricbeat/sensor_metricbeat_local.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory (containing config file) [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath diff --git a/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh b/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh index 1a36ef84f..6a0e7d77b 100755 --- a/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh +++ b/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. SPACE_STRING="$(/bin/df -lh --output=source,target,avail,size,pcent | tail -n +2 | grep '^/dev' | tr -s ' ' ',' | cut -d, -f2,3,4,5 | sed 's/^/\[/' | sed 's/$/\]/' | tr '\n' '.')" logger "${SPACE_STRING}" diff --git a/sensor-iso/interface/sensor_ctl/scripts/log_temperature.sh b/sensor-iso/interface/sensor_ctl/scripts/log_temperature.sh index 9797f5c92..e5c434f98 100755 --- a/sensor-iso/interface/sensor_ctl/scripts/log_temperature.sh +++ b/sensor-iso/interface/sensor_ctl/scripts/log_temperature.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. AVG_TEMP="$(sensors 2>/dev/null | grep '^Core\s[[:digit:]]\+:' | sed -e 's/[[:space:]]\+/,/g' | cut -d',' -f3 | sed "s/^\+//" | sed "s/°.*//" | awk '{ total += $1; count++ } END { if (count > 0) { print total/count } }')" HDD_TEMP="$(hddtemp /dev/sd? 2>/dev/null | grep -v "S\.M\.A\.R\.T\. not available" | sed 's/^/\[/' | sed 's/$/\]/' | tr '\n' ',' | sed 's/,$//')" diff --git a/sensor-iso/interface/sensor_ctl/supervisor.init/moloch_config_populate.sh b/sensor-iso/interface/sensor_ctl/supervisor.init/moloch_config_populate.sh index 10b8d6f9a..4a05a0a30 100755 --- a/sensor-iso/interface/sensor_ctl/supervisor.init/moloch_config_populate.sh +++ b/sensor-iso/interface/sensor_ctl/supervisor.init/moloch_config_populate.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. export MOLOCH_HTTPS_FLAG="" diff --git a/sensor-iso/interface/sensor_ctl/supervisor.sh b/sensor-iso/interface/sensor_ctl/supervisor.sh index a8162643e..daec446a1 100755 --- a/sensor-iso/interface/sensor_ctl/supervisor.sh +++ b/sensor-iso/interface/sensor_ctl/supervisor.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/sensor-iso/interface/sensor_interface/routes.py b/sensor-iso/interface/sensor_interface/routes.py index d7147a51a..dd9db6dc7 100644 --- a/sensor-iso/interface/sensor_interface/routes.py +++ b/sensor-iso/interface/sensor_interface/routes.py @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import psutil, time, json, logging, os from .sysquery import sys_service as sys_s diff --git a/sensor-iso/interface/sensor_interface/static/js/custom.js b/sensor-iso/interface/sensor_interface/static/js/custom.js index ce75e1268..1f533513b 100644 --- a/sensor-iso/interface/sensor_interface/static/js/custom.js +++ b/sensor-iso/interface/sensor_interface/static/js/custom.js @@ -1,4 +1,4 @@ -// Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +// Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. function start_all() { var xhttp = new XMLHttpRequest(); diff --git a/sensor-iso/interface/sensor_interface/sysquery/sys_service.py b/sensor-iso/interface/sensor_interface/sysquery/sys_service.py index f6484f1ec..874e43eb1 100644 --- a/sensor-iso/interface/sensor_interface/sysquery/sys_service.py +++ b/sensor-iso/interface/sensor_interface/sysquery/sys_service.py @@ -1,4 +1,4 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import subprocess, json import os diff --git a/sensor-iso/moloch/Dockerfile b/sensor-iso/moloch/Dockerfile index 59ac2389b..2cdbccbb8 100644 --- a/sensor-iso/moloch/Dockerfile +++ b/sensor-iso/moloch/Dockerfile @@ -1,12 +1,12 @@ FROM debian:buster-slim -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm.netsec@gmail.com" ENV DEBIAN_FRONTEND noninteractive -ENV MOLOCH_VERSION "2.1.2" +ENV MOLOCH_VERSION "2.2.3" ENV MOLOCHDIR "/opt/moloch" RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ diff --git a/sensor-iso/moloch/build-docker-image.sh b/sensor-iso/moloch/build-docker-image.sh index 734efa473..1f08a41d4 100755 --- a/sensor-iso/moloch/build-docker-image.sh +++ b/sensor-iso/moloch/build-docker-image.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" diff --git a/sensor-iso/moloch/build-moloch-deb.sh b/sensor-iso/moloch/build-moloch-deb.sh index cde8736bd..97ceb55e8 100755 --- a/sensor-iso/moloch/build-moloch-deb.sh +++ b/sensor-iso/moloch/build-moloch-deb.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. OUTPUT_DIR="/tmp" unset VERBOSE diff --git a/sensor-iso/moloch/etc/.gitignore b/sensor-iso/moloch/etc/.gitignore new file mode 100644 index 000000000..257e036a0 --- /dev/null +++ b/sensor-iso/moloch/etc/.gitignore @@ -0,0 +1,4 @@ +GeoLite2-* +oui.txt* +ipv4-address-space.csv* + diff --git a/sensor-iso/vagrant/Vagrantfile b/sensor-iso/vagrant/Vagrantfile index c518d7623..05b5c2cb3 100644 --- a/sensor-iso/vagrant/Vagrantfile +++ b/sensor-iso/vagrant/Vagrantfile @@ -1,9 +1,16 @@ -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. unless Vagrant.has_plugin?("vagrant-reload") raise 'vagrant-reload plugin is not installed!' end +# hack: https://github.com/hashicorp/vagrant/issues/8878#issuecomment-345112810 +class VagrantPlugins::ProviderVirtualBox::Action::Network + def dhcp_server_matches_config?(dhcp_server, config) + true + end +end + Vagrant.configure("2") do |config| config.vm.box = "bento/debian-10" @@ -18,7 +25,7 @@ Vagrant.configure("2") do |config| end config.vm.provider "virtualbox" do |vb| - vb.memory = "4096" + vb.memory = "8192" vb.cpus = 4 end diff --git a/shared/bin/agg-init.sh b/shared/bin/agg-init.sh index 9d28eae31..192a7c965 100755 --- a/shared/bin/agg-init.sh +++ b/shared/bin/agg-init.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. SCRIPT_PATH="$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" diff --git a/shared/bin/beat-log-temperature.py b/shared/bin/beat-log-temperature.py index a7dc665c8..68be3e0ce 100755 --- a/shared/bin/beat-log-temperature.py +++ b/shared/bin/beat-log-temperature.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3.7 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import os import re diff --git a/shared/bin/capture-format-wait.sh b/shared/bin/capture-format-wait.sh index e98f88cff..bc0571fb6 100755 --- a/shared/bin/capture-format-wait.sh +++ b/shared/bin/capture-format-wait.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. function finish { pkill -f "zenity.*Preparing Storage" diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 56669b145..00002602a 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. declare -A IFACES diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py index 804c65120..04981a17d 100755 --- a/shared/bin/configure-capture.py +++ b/shared/bin/configure-capture.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3.7 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # script for configuring sensor capture and forwarding parameters diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py index f3856db78..de4c87510 100755 --- a/shared/bin/configure-interfaces.py +++ b/shared/bin/configure-interfaces.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3.7 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # script for configuring sensor network interface controller(s) diff --git a/shared/bin/cron_env_centos.sh b/shared/bin/cron_env_centos.sh index 8d1f6405d..69fc7970d 100755 --- a/shared/bin/cron_env_centos.sh +++ b/shared/bin/cron_env_centos.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. printenv | sed -r "s/'/\\\'/gm" | sed -r "s/^([^=]+=)(.*)\$/\1'\2'/gm" > /etc/environment diff --git a/shared/bin/cron_env_deb.sh b/shared/bin/cron_env_deb.sh index f529febfe..65423c7d5 100755 --- a/shared/bin/cron_env_deb.sh +++ b/shared/bin/cron_env_deb.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. printenv | sed -r "s/'/\\\'/gm" | sed -r "s/^([^=]+=)(.*)\$/\1'\2'/gm" > /etc/environment diff --git a/shared/bin/docker-load-wait.sh b/shared/bin/docker-load-wait.sh index 2c9ef6efb..48e7fcc42 100755 --- a/shared/bin/docker-load-wait.sh +++ b/shared/bin/docker-load-wait.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. function finish { pkill -f "zenity.*Preparing Malcolm" diff --git a/shared/bin/elastic_search_status.sh b/shared/bin/elastic_search_status.sh index 286077073..14d08e35c 100755 --- a/shared/bin/elastic_search_status.sh +++ b/shared/bin/elastic_search_status.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/shared/bin/fstab.py b/shared/bin/fstab.py index fe5c2e465..d8400caf4 100644 --- a/shared/bin/fstab.py +++ b/shared/bin/fstab.py @@ -1,7 +1,7 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # fstab interpreter diff --git a/shared/bin/malass_client.py b/shared/bin/malass_client.py index bb4eca5e6..06395afc7 100644 --- a/shared/bin/malass_client.py +++ b/shared/bin/malass_client.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3.7 -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. """This script (malass_client.py) simulates the Malass 'file upload' HTML web form. The 'file upload' HTML form is used to 'upload a file', and several HTML form fields, diff --git a/shared/bin/pcap_moloch_and_zeek_processor.py b/shared/bin/pcap_moloch_and_zeek_processor.py index 678ce41b5..efab0a901 100755 --- a/shared/bin/pcap_moloch_and_zeek_processor.py +++ b/shared/bin/pcap_moloch_and_zeek_processor.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Process queued files reported by pcap_watcher.py, using either moloch-capture or zeek to process diff --git a/shared/bin/pcap_utils.py b/shared/bin/pcap_utils.py index 3271657f4..abb5a949d 100644 --- a/shared/bin/pcap_utils.py +++ b/shared/bin/pcap_utils.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import os import re diff --git a/shared/bin/pcap_watcher.py b/shared/bin/pcap_watcher.py index f7fa8b653..104a19d16 100755 --- a/shared/bin/pcap_watcher.py +++ b/shared/bin/pcap_watcher.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket) diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh index 0edf41379..73ad4aa32 100755 --- a/shared/bin/preseed_late_user_config.sh +++ b/shared/bin/preseed_late_user_config.sh @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################## # prompt whether to autologin or not diff --git a/shared/bin/prune_files.sh b/shared/bin/prune_files.sh index f84747408..31af00474 100755 --- a/shared/bin/prune_files.sh +++ b/shared/bin/prune_files.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # recursion depth (1 = not recursive) DEPTH=1 diff --git a/shared/bin/sensor-capture-disk-config.py b/shared/bin/sensor-capture-disk-config.py index 5d807ed02..34718ae8b 100755 --- a/shared/bin/sensor-capture-disk-config.py +++ b/shared/bin/sensor-capture-disk-config.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3.7 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Detect, partition, and format devices to be used for sensor packet/log captures. diff --git a/shared/bin/sensor-init.sh b/shared/bin/sensor-init.sh index ec1d65e61..9d2db0cca 100755 --- a/shared/bin/sensor-init.sh +++ b/shared/bin/sensor-init.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. SCRIPT_PATH="$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" diff --git a/shared/bin/sensorcommon.py b/shared/bin/sensorcommon.py index 12d4c75ac..9e15886c5 100644 --- a/shared/bin/sensorcommon.py +++ b/shared/bin/sensorcommon.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3.7 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import argparse import ipaddress diff --git a/shared/bin/sensormetric.py b/shared/bin/sensormetric.py index 0b7e0ca11..756675832 100644 --- a/shared/bin/sensormetric.py +++ b/shared/bin/sensormetric.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3.7 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import subprocess import socket diff --git a/shared/bin/ufw_allow_viewer.sh b/shared/bin/ufw_allow_viewer.sh index 1fdd2cfa7..39832ae25 100644 --- a/shared/bin/ufw_allow_viewer.sh +++ b/shared/bin/ufw_allow_viewer.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. # manage a UFW rule for allowing a remote Moloch viewer instance (on the same host # to which moloch-capture is forwarding session logs) to connect to and diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py index 7c5950769..d306251c2 100755 --- a/shared/bin/zeek_carve_logger.py +++ b/shared/bin/zeek_carve_logger.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Monitor a directory for files extracted by zeek for processing diff --git a/shared/bin/zeek_carve_scanner.py b/shared/bin/zeek_carve_scanner.py index 2a1757221..d612a81c5 100755 --- a/shared/bin/zeek_carve_scanner.py +++ b/shared/bin/zeek_carve_scanner.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Process queued files reported by zeek_carve_watcher.py, scanning them with the specified diff --git a/shared/bin/zeek_carve_utils.py b/shared/bin/zeek_carve_utils.py index 73138c21b..6f39460ee 100644 --- a/shared/bin/zeek_carve_utils.py +++ b/shared/bin/zeek_carve_utils.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. import clamd import hashlib diff --git a/shared/bin/zeek_carve_watcher.py b/shared/bin/zeek_carve_watcher.py index 5fb7a8d9a..64c729d76 100755 --- a/shared/bin/zeek_carve_watcher.py +++ b/shared/bin/zeek_carve_watcher.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Monitor a directory for files extracted by zeek for processing diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh index d2aed6f57..0c653d001 100755 --- a/shared/bin/zeek_install_plugins.sh +++ b/shared/bin/zeek_install_plugins.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$BASH_VERSION" ]; then echo "Wrong interpreter, please run \"$0\" with bash" @@ -101,11 +101,11 @@ if [[ -d "$SRC_DIR" ]]; then cd "$CWD" fi -SRC_DIR="$(clone_github_repo "https://github.com/J-Gras/bro-af_packet-plugin")" +SRC_DIR="$(clone_github_repo "https://github.com/J-Gras/zeek-af_packet-plugin")" if [[ -d "$SRC_DIR" ]]; then CWD="$(pwd)" cd "$SRC_DIR" && \ - ./configure --with-kernel=/usr --bro-dist="$ZEEK_DIST_DIR" --install-root="$ZEEK_PLUGIN_DIR" && \ + ./configure --with-kernel=/usr --zeek-dist="$ZEEK_DIST_DIR" --install-root="$ZEEK_PLUGIN_DIR" && \ make && \ make install cd "$CWD" diff --git a/shared/vbox-guest-build/Dockerfile b/shared/vbox-guest-build/Dockerfile new file mode 100644 index 000000000..886b6b24c --- /dev/null +++ b/shared/vbox-guest-build/Dockerfile @@ -0,0 +1,18 @@ +FROM debian:buster-slim + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +LABEL maintainer="malcolm.netsec@gmail.com" + +ENV DEBIAN_FRONTEND noninteractive + +RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ + apt-get -q update && \ + apt-get install -q -y --no-install-recommends \ + curl devscripts build-essential debian-keyring equivs && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +ADD build-vboxguest-deb.sh /usr/local/bin/ + +ENTRYPOINT ["/bin/bash", "/usr/local/bin/build-vboxguest-deb.sh"] diff --git a/shared/vbox-guest-build/build-docker-image.sh b/shared/vbox-guest-build/build-docker-image.sh new file mode 100755 index 000000000..f3405fe34 --- /dev/null +++ b/shared/vbox-guest-build/build-docker-image.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +# force-navigate to script directory +SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +pushd "$SCRIPT_PATH" >/dev/null 2>&1 + +docker build -t vboxguest-build:latest . + +popd >/dev/null 2>&1 diff --git a/shared/vbox-guest-build/build-vboxguest-deb.sh b/shared/vbox-guest-build/build-vboxguest-deb.sh new file mode 100755 index 000000000..c34d0749d --- /dev/null +++ b/shared/vbox-guest-build/build-vboxguest-deb.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. + +OUTPUT_DIR="/tmp" +unset VERBOSE + +while getopts o:v opts; do + case ${opts} in + o) OUTPUT_DIR=${OPTARG} ;; + v) VERBOSE=1 ;; + esac +done + +set -e +if [[ -n $VERBOSE ]]; then + set -x +fi + +apt-get -y -q update + +mkdir -p /tmp/vbox-guest-deb + +cd /tmp/vbox-guest-deb + +dget http://deb.debian.org/debian/pool/contrib/v/virtualbox/$(curl -fsL 'http://deb.debian.org/debian/pool/contrib/v/virtualbox/' | grep -P 'href="virtualbox_[^"]*?\.dsc' | tail -n 1 | grep -Po '"virtualbox_.+?"' | tr -d '"') + +cd virtualbox*dfsg/ + +mkdir -p /usr/share/man/man1 + +mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -ir + +VBOX_PKG_VERSION=$(export $(grep -P '^VBOX_VERSION_(MAJOR|MINOR|BUILD)' Version.kmk | tr -d ' ') && echo "$VBOX_VERSION_MAJOR.$VBOX_VERSION_MINOR.$VBOX_VERSION_BUILD") + +DEBFULLNAME='Seth Grover' DEBEMAIL='malcolm.netsec@gmail.com' dch -bv $VBOX_PKG_VERSION-dfsg-2~~bpo10+1 --distribution buster-backports --force-distribution 'Unofficial backport' + +dpkg-buildpackage -b + +cd /tmp/vbox-guest-deb + +ls -l *.deb && mv -v *.deb "$OUTPUT_DIR"/ + +cd /tmp + +if [[ -n $VERBOSE ]]; then + set +x +fi +set +e diff --git a/zeek/config/extractor.zeek b/zeek/config/extractor.zeek index d481665c8..217e91494 100644 --- a/zeek/config/extractor.zeek +++ b/zeek/config/extractor.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. @load ./extractor_params diff --git a/zeek/config/extractor_override.interesting.zeek b/zeek/config/extractor_override.interesting.zeek index a6a8d304b..45a92cba1 100644 --- a/zeek/config/extractor_override.interesting.zeek +++ b/zeek/config/extractor_override.interesting.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. export { redef extractor_always_extract_unknown = F; diff --git a/zeek/config/extractor_params.zeek b/zeek/config/extractor_params.zeek index 5adfa48dc..bc367a895 100644 --- a/zeek/config/extractor_params.zeek +++ b/zeek/config/extractor_params.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. export { const extractor_extract_none = "none" &redef; diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index b3361c3fb..051eab2f9 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek @@ -21,12 +21,15 @@ redef SOCKS::default_capture_password = T; @load protocols/dhcp/software @load protocols/dns/detect-external-names @load protocols/ftp/detect +@load protocols/ftp/detect-bruteforcing.zeek @load protocols/ftp/software @load protocols/http/detect-sqli @load protocols/http/detect-webapps @load protocols/http/software @load protocols/http/software-browser-plugins @load protocols/mysql/software +@load protocols/ssl/weak-keys +@load protocols/smb/log-cmds @load protocols/smtp/software @load protocols/ssh/detect-bruteforcing @load protocols/ssh/geo-data diff --git a/zeek/supervisord.conf b/zeek/supervisord.conf index f5349bb28..db115cde3 100644 --- a/zeek/supervisord.conf +++ b/zeek/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file)