trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Multiple bugfixes, add dashboard

Browse Source
This commit is contained in:
Chris Long
2020-03-27 14:53:04 -07:00
parent 242e1a7cf3
commit 34d8a39c43
9 changed files with 312 additions and 192 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
Vagrant/resources/splunk_server/logger_dashboard.xml Normal file
View File

@@ -0,0 +1,164 @@
<dashboard theme="dark">
<label>Logger Dashboard</label>
<row>
<panel>
<title>Events by Index per Hour</title>
<chart>
<search>
<query>| tstats count where index=* by index, _time span=4h prestats=t | timechart span=4h count by index</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Top Suricata Network Alerts</title>
<table>
<search>
<query>index=suricata | stats values(src_ip) count by alert.signature, alert.signature_id</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Zeek Network Traffic by Type</title>
<chart>
<search>
<query>index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Windows Events by Host</title>
<chart>
<search>
<query>| tstats count where index=wineventlog by host, _time span=1h prestats=t | timechart span=1h count by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>osquery Events by Host</title>
<chart>
<search>
<query>| tstats count where index=osquery by host, _time span=1h prestats=t | timechart span=1h count by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Powershell Event Preview</title>
<table>
<search>
<query>index=powershell | table _time, host, _raw, sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">1</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<title>License Usage</title>
<chart>
<search>
<query>| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota"</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>

8
Vagrant/resources/splunk_server/props.conf
View File

@@ -12,3 +12,11 @@ TIME_PREFIX = Start time:\s
category = Custom
pulldown_type = true
TRUNCATE = 0
[osquery:json]
TRANSFORMS-osquery_host = osquery_hostidentifier_as_host
TRANSFORMS-null = setnull
TIME_PREFIX = \"unixTime\"\:
MAX_TIMESTAMP_LOOKAHEAD = 500
TIME_FORMAT = %s
TRUNCATE = 0

10
Vagrant/resources/splunk_server/transforms.conf
View File

@@ -8,3 +8,13 @@ FORMAT = host::$1
DEST_KEY = MetaData:Host
REGEX = (?m)ComputerName=(.+)
FORMAT = host::$1
[osquery_hostidentifier_as_host]
DEST_KEY = MetaData:Host
REGEX = hostIdentifier\"\:\"([^\"]+)\"
FORMAT = host::$1
[setnull]
REGEX = Error\scasting
DEST_KEY = queue
FORMAT = nullQueue